Is there a Centos 3 around ?
Hi !

I think one of my machines got hacked, but I can figure out from where...

I found some suspicious files in /bin and /usr/bin directories that are owned by user id 122, where this machine doesn't have a userid 122.

So, does anyone have a centos 3.9 install around that can send me the info about (filesize, md5, modification date) these files :

/bin :
ls
netstat
ps

/usr/bin/
dir
find
md5sum
pstree
slocate
tee
top

What tipped me off, I was sudoing to another user, and saw this message :

"Unknown HZ value! (92) Assume 100."

Thanks
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Is there a Centos 3 around ?
Nicolas Ross wrote:
> Hi !
>
> I think one of my machines got hacked, but I can figure out from where...
>
> I found some suspicious files in /bin and /usr/bin directories that are
> owned by user id 122, where this machine doesn't have a userid 122.
>
> So, does anyone have a centos 3.9 install around that can send me the info

One of our investigators has collaborators around the world, on old machines, so we have this:
2.4.21-63.ELsmp #1 SMP Tue Nov 3 18:48:49 EST 2009 i686 athlon i386 GNU/Linux
Note they may be different on your machine.

> about (filesize, md5, modification date) these files :
>
> /bin :
> ls
> netstat
> ps

-rwxr-xr-x 1 root root 67700 Jun 12 2007 /bin/ls
-rwxr-xr-x 1 root root 83800 May 22 2007 /bin/netstat
-r-xr-xr-x 1 root root 64076 Apr 19 2006 /bin/ps

e102f6c3dde4043908ed001e1587b1d2 /bin/ls
bdfc76a24f59cc6cd8a70f771cc5cda4 /bin/netstat
fc3369b3564e00f877387a13bf3f467a /bin/ps

>
> /usr/bin/
> dir
> find
> md5sum
> pstree
> slocate
> tee
> top

-rwxr-xr-x 1 root root 67700 Jun 12 2007 /usr/bin/dir
-rwxr-xr-x 1 root root 51028 Jan 11 2006 /usr/bin/find
-rwxr-xr-x 1 root root 29184 Jun 12 2007 /usr/bin/md5sum
-rwxr-xr-x 1 root root 14048 Apr 28 2006 /usr/bin/pstree

0df0aafb355df40b1137355dd354f172 /usr/bin/dir
2c5f4e789da1ad8d19ce5c68ecf8261d /usr/bin/find
03174f884e7fc5fbc215780819679f6e /usr/bin/md5sum
224f527255b2c8deb44f692eaadc873d /usr/bin/pstree
0cee754c3981ba5f527bedc9a8cbea2a /usr/bin/slocate
4ed536310a845f274f6a1611773789d8 /usr/bin/tee
6b42bf37296861c657fcf6b8dba8f675 /usr/bin/top

<snip>

Hope this helps.

mark

Is there a Centos 3 around ?
On Feb 7, 2011, at 10:14 AM, m.roth@5-cent.us wrote:
> Nicolas Ross wrote:
>> Hi !
>>
>> I think one of my machines got hacked, but I can figure out from where...
>>
>> I found some suspicious files in /bin and /usr/bin directories that are
>> owned by user id 122, where this machine doesn't have a userid 122.
>>
>> So, does anyone have a centos 3.9 install around that can send me the info
>
> One of our investigators has collaborators around the world, on old
> machines, so we have this:
> 2.4.21-63.ELsmp #1 SMP Tue Nov 3 18:48:49 EST 2009 i686 athlon i386 GNU/Linux
> Note they may be different on your machine.
>> about (filesize, md5, modification date) these files :
>>
>> /bin :
>> ls
>> netstat
>> ps
>
> -rwxr-xr-x 1 root root 67700 Jun 12 2007 /bin/ls
> -rwxr-xr-x 1 root root 83800 May 22 2007 /bin/netstat
> -r-xr-xr-x 1 root root 64076 Apr 19 2006 /bin/ps
>
> e102f6c3dde4043908ed001e1587b1d2 /bin/ls
> bdfc76a24f59cc6cd8a70f771cc5cda4 /bin/netstat
> fc3369b3564e00f877387a13bf3f467a /bin/ps
>
>>
>> /usr/bin/
>> dir
>> find
>> md5sum
>> pstree
>> slocate
>> tee
>> top
>
> -rwxr-xr-x 1 root root 67700 Jun 12 2007 /usr/bin/dir
> -rwxr-xr-x 1 root root 51028 Jan 11 2006 /usr/bin/find
> -rwxr-xr-x 1 root root 29184 Jun 12 2007 /usr/bin/md5sum
> -rwxr-xr-x 1 root root 14048 Apr 28 2006 /usr/bin/pstree
>
> 0df0aafb355df40b1137355dd354f172 /usr/bin/dir
> 2c5f4e789da1ad8d19ce5c68ecf8261d /usr/bin/find
> 03174f884e7fc5fbc215780819679f6e /usr/bin/md5sum
> 224f527255b2c8deb44f692eaadc873d /usr/bin/pstree
> 0cee754c3981ba5f527bedc9a8cbea2a /usr/bin/slocate
> 4ed536310a845f274f6a1611773789d8 /usr/bin/tee
> 6b42bf37296861c657fcf6b8dba8f675 /usr/bin/top
>
> <snip>
>
> Hope this helps.
>
> mark

Our internal, not internet connected fully patched Cent 3 box exactly matches what Mark posted.

[dkrause@rigil bin]$ ls -lat ls netstat ps
-rwxr-xr-x 1 root root 67700 Jun 12 2007 ls
-rwxr-xr-x 1 root root 83800 May 22 2007 netstat
-r-xr-xr-x 1 root root 64076 Apr 19 2006 ps

e102f6c3dde4043908ed001e1587b1d2 /bin/ls
bdfc76a24f59cc6cd8a70f771cc5cda4 /bin/netstat
fc3369b3564e00f877387a13bf3f467a /bin/ps

[dkrause@rigil bin]$ ls -la dir find md5sum pstree slocate tee top
-rwxr-xr-x 1 root root 67700 Jun 12 2007 dir
-rwxr-xr-x 1 root root 51028 Jan 11 2006 find
-rwxr-xr-x 1 root root 29184 Jun 12 2007 md5sum
-rwxr-xr-x 1 root root 14048 Apr 28 2006 pstree
-rwxr-sr-x 1 root slocate 32480 Sep 28 2005 slocate
-rwxr-xr-x 1 root root 12220 Jun 12 2007 tee
-r-xr-xr-x 1 root root 48052 Apr 19 2006 top

0df0aafb355df40b1137355dd354f172 dir
2c5f4e789da1ad8d19ce5c68ecf8261d find
03174f884e7fc5fbc215780819679f6e md5sum
224f527255b2c8deb44f692eaadc873d pstree
0cee754c3981ba5f527bedc9a8cbea2a slocate
4ed536310a845f274f6a1611773789d8 tee
6b42bf37296861c657fcf6b8dba8f675 top

Good luck!
--
Don Krause

Is there a Centos 3 around ?
>> I think one of my machines got hacked, but I can figure out from where...
>>
>> I found some suspicious files in /bin and /usr/bin directories that are
>> owned by user id 122, where this machine doesn't have a userid 122.
>>
>> So, does anyone have a centos 3.9 install around that can send me the
>> info
>
> One of our investigators has collaborators around the world, on old
> machines, so we have this:
> 2.4.21-63.ELsmp #1 SMP Tue Nov 3 18:48:49 EST 2009 i686 athlon i386
> GNU/Linux
> Note they may be different on your machine.
>> about (filesize, md5, modification date) these files :
>>
>> /bin :
>> ls
>> netstat
>> ps
>
> -rwxr-xr-x 1 root root 67700 Jun 12 2007 /bin/ls
> -rwxr-xr-x 1 root root 83800 May 22 2007 /bin/netstat
> -r-xr-xr-x 1 root root 64076 Apr 19 2006 /bin/ps
>
> e102f6c3dde4043908ed001e1587b1d2 /bin/ls
> bdfc76a24f59cc6cd8a70f771cc5cda4 /bin/netstat
> fc3369b3564e00f877387a13bf3f467a /bin/ps

Dammm... md5sum has been tampered with also... It returns those expected values, but a md5sum program I took elsewhere was returning another value...

Dammm...

Is there a Centos 3 around ?
On 02/07/11 10:06 AM, Nicolas Ross wrote:
> So, does anyone have a centos 3.9 install around that can send me the info
> about (filesize, md5, modification date) these files :
>

is that a 3.9 install that never got any updates afterwards? is that x86_64 or i686? etc etc.

that data is pretty worthless out of context.

Is there a Centos 3 around ?
On 02/07/11 10:06 AM, Nicolas Ross wrote:
> I found some suspicious files in /bin and /usr/bin directories that are owned
> by user id 122, where this machine doesn't have a userid 122.
>

oh. get and run rkhunter. preferably do it on read only media via another system.

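An added example, not part of the original thread or any poster's code: one way to run the checks discussed above from a trusted analysis host with the suspect disk mounted read-only, since the thread shows the box's own md5sum could not be trusted. The function names, manifest layout and demo tree are assumptions constructed for illustration, and GNU coreutils is assumed.

```shell
#!/bin/bash
# Added example (assumes GNU coreutils). Run on a trusted analysis host with the
# suspect disk mounted read-only at ROOT, so only the host's own tools execute.

# Print "uid path" for files in ROOT/DIR whose numeric owner has no entry in
# the suspect system's own passwd file (the host's passwd is irrelevant here).
orphan_owned() {
    root=$1; shift
    for dir in "$@"; do
        for f in "$root$dir"/*; do
            [ -f "$f" ] || continue
            uid=$(stat -c %u "$f"); rel=${f#"$root"}
            awk -F: -v u="$uid" '$3 == u { ok = 1 } END { exit !ok }' \
                "$root/etc/passwd" || echo "$uid $rel"
        done
    done
}

# Check files under ROOT against a known-good manifest in md5sum format
# ("<md5>  <absolute path>"). Prints MISSING/MISMATCH lines; returns 1 if any.
verify_manifest() {
    root=$1; manifest=$2; bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root$path" ]; then
            echo "MISSING $path"; bad=1; continue
        fi
        got=$(md5sum "$root$path" | awk '{ print $1 }')
        [ "$got" = "$want" ] || { echo "MISMATCH $path"; bad=1; }
    done < "$manifest"
    return $bad
}

# Constructed demo tree: stand-in files, not real CentOS binaries.
demo() {
    t=$(mktemp -d); mkdir -p "$t/bin" "$t/etc"
    printf 'clean ls\n' > "$t/bin/ls"; printf 'clean ps\n' > "$t/bin/ps"
    md5sum "$t/bin/ls" "$t/bin/ps" | sed "s|$t||" > "$t/good.md5"
    printf 'replaced ps\n' > "$t/bin/ps"   # simulate a swapped binary
    # passwd that lacks the current uid, standing in for the missing uid 122
    echo "other:x:$(( $(id -u) + 1 )):0::/:/bin/sh" > "$t/etc/passwd"
    verify_manifest "$t" "$t/good.md5"; orphan_owned "$t" /bin
    rm -rf "$t"
}
if [ "${1:-}" = demo ]; then demo; fi
```

A manifest is only meaningful if it comes from a system with the same architecture and update level, which is the point raised elsewhere in this thread.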
Is there a Centos 3 around ?
John R Pierce wrote:
> On 02/07/11 10:06 AM, Nicolas Ross wrote:
>> So, does anyone have a centos 3.9 install around that can send me the
>> info about (filesize, md5, modification date) these files :
>
> is that a 3.9 install that never got any updates afterwards? is that
> x86_64 or i686? etc etc.
>
> that data is pretty worthless out of context.

Good question. The box I got my data from had all updates applied until it went out of support late last fall.

mark