Hi ! I think one of my machine got hacked, but I can figure out from where... I found some suspicious file in /bin and /usr/bin directories that are owned by user id 122, where this machine doesn't a userid 122. So, does anyone hav a centos 3.9 install arround that can send me the info about (filesize, md5, modification date) these file : /bin : ls netstat ps /usr/bin/ dir find md5sum pstree slocate tee top What tiped me off, I was sudoing to another user, and swas this message : "Unknown HZ value! (92) Assume 100." Thanks
Nicolas Ross wrote:> Hi ! > > I think one of my machine got hacked, but I can figure out from where... > > I found some suspicious file in /bin and /usr/bin directories that are > owned > by user id 122, where this machine doesn't a userid 122. > > So, does anyone hav a centos 3.9 install arround that can send me the infoOne of our investigators has collaborators around the world, on old machines, so we have this: 2.4.21-63.ELsmp #1 SMP Tue Nov 3 18:48:49 EST 2009 i686 athlon i386 GNU/Linux Note they may be different on your machine.> about (filesize, md5, modification date) these file : > > /bin : > ls > netstat > ps-rwxr-xr-x 1 root root 67700 Jun 12 2007 /bin/ls -rwxr-xr-x 1 root root 83800 May 22 2007 /bin/netstat -r-xr-xr-x 1 root root 64076 Apr 19 2006 /bin/ps e102f6c3dde4043908ed001e1587b1d2 /bin/ls bdfc76a24f59cc6cd8a70f771cc5cda4 /bin/netstat fc3369b3564e00f877387a13bf3f467a /bin/ps> > /usr/bin/ > dir > find > md5sum > pstree > slocate > tee > top-rwxr-xr-x 1 root root 67700 Jun 12 2007 /usr/bin/dir -rwxr-xr-x 1 root root 51028 Jan 11 2006 /usr/bin/find -rwxr-xr-x 1 root root 29184 Jun 12 2007 /usr/bin/md5sum -rwxr-xr-x 1 root root 14048 Apr 28 2006 /usr/bin/pstree 0df0aafb355df40b1137355dd354f172 /usr/bin/dir 2c5f4e789da1ad8d19ce5c68ecf8261d /usr/bin/find 03174f884e7fc5fbc215780819679f6e /usr/bin/md5sum 224f527255b2c8deb44f692eaadc873d /usr/bin/pstree 0cee754c3981ba5f527bedc9a8cbea2a /usr/bin/slocate 4ed536310a845f274f6a1611773789d8 /usr/bin/tee 6b42bf37296861c657fcf6b8dba8f675 /usr/bin/top <snip> Hope this helps. mark
On 02/07/11 10:06 AM, Nicolas Ross wrote:> So, does anyone hav a centos 3.9 install arround that can send me the info > about (filesize, md5, modification date) these file : >is that a 3.9 install that never got any updates afterwards? is that x86_64 or i686? etc etc. that data is pretty worthless out of context.
On 02/07/11 10:06 AM, Nicolas Ross wrote:> I found some suspicious file in /bin and /usr/bin directories that are owned > by user id 122, where this machine doesn't a userid 122. >oh. get and run rkhunter. preferably do it on read only media via another system.
On Mon, Feb 07, 2011 at 01:06:56PM -0500, Nicolas Ross wrote:> Hi ! > > I think one of my machine got hacked, but I can figure out from where... > > I found some suspicious file in /bin and /usr/bin directories that are owned > by user id 122, where this machine doesn't a userid 122. > > So, does anyone hav a centos 3.9 install arround that can send me the info > about (filesize, md5, modification date) these file :3.9 is still available on all the mirrors, you can rpm2cpio and compare (watch out for prelinked files) or try the rpm --verify flag (if the rpm database is not modified). Tru -- Tru Huynh (mirrors, CentOS i386/x86_64 Package Maintenance) http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBEFA581B -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: <http://lists.centos.org/pipermail/centos/attachments/20110207/45e94860/attachment-0001.sig>
Maybe Matching Threads
- only one mysql process in pstree
- smbcontrol smbd ping also answered by nmbd and winbindd
- increase number of libvirt threads by starting tansient guest doamin - is it a bug?
- How to reduce a bandwidth?
- R CMD check --as-cran attempts to hide R_LIBS_USER but fails