Re: what does owner "32" mean?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Jose Barroca wrote:

Hello all,

many thanks for the hints. Upon your suggestion I went through the logs,
and did find some peculiar things. I'm not completely certain the
machine has been compromised, though:
perhaps you should restate;

Im not completely certain I havent been hacked.
Usually those black-hats are pretty careful, but I guess this time I got lucky,
and they left some fingerprints, like an owner 32 file, and a broken version
of top, which would hide their programs, if it worked.

If you have backup facilities, you should use them, wipe the disk and reinstall. then restor your data. Think of it as a chance to refresh your box-setup-skills.

You can do the forensics later, on the backup copy.

- I have two machines connected to the internet through a cable modem router
- one of the machines had a sshd running, which I used to access it from
the outside.
- over the ccourse of one week, this machine suffered a series of
password/user attacks (it looks like someone tried to use some program
to gain access)
- the auth.log recorded the following lines on a day the second machine
(which had the files with owner 32) stayed on ininterruptly, without my
supervision (a very poor one, anyway):

Jul  8 06:25:04 abafado su[24024]: + ??? root:nobody
Jul  8 06:25:04 abafado su[24024]: (pam_unix) session opened for user
nobody by (uid=0)
Jul  8 06:25:04 abafado su[24024]: (pam_unix) session closed for user nobody
Jul  8 06:25:04 abafado su[24026]: + ??? root:nobody
Jul  8 06:25:04 abafado su[24026]: (pam_unix) session opened for user
nobody by (uid=0)
Jul  8 06:25:04 abafado su[24026]: (pam_unix) session closed for user nobody
Jul  8 06:25:04 abafado su[24028]: + ??? root:nobody
Jul  8 06:25:04 abafado su[24028]: (pam_unix) session opened for user
nobody by (uid=0)
Jul  8 06:27:18 abafado su[24028]: (pam_unix) session closed for user nobody

I'm still learning the ropes, and sys-forensics is not that easy.. Also,
a post on my corrupted, ownerid=32 TOP command, with some info about my
disk health status, suggested my disk was on the verge of colapsing,
with that being a possible explanation for the corruption.

Now, the question is finding out which, or whether both disk
corruption/machine compromised situations happened.


Regards,

Jose


--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive:       http://mail.nl.linux.org/kernelnewbies/
FAQ:           http://kernelnewbies.org/faq/




--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive:       http://mail.nl.linux.org/kernelnewbies/
FAQ:           http://kernelnewbies.org/faq/


[Index of Archives]     [Newbies FAQ]     [Linux Kernel Mentors]     [Linux Kernel Development]     [IETF Annouce]     [Git]     [Networking]     [Security]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux SCSI]     [Linux ACPI]
  Powered by Linux