Hi Tein.

I am afraid that the symptoms your report can only be explained by some
hacker getting into your system and compromising it.

m6 looks like a well spread hacker tool, popular in eastern Asia (just
try a google search with string "m6.3-BETA2"), and eth0 set to
promiscous mode is usually a sign that the hacker was running a sniffer
on your machine, too.

My recommendation would be to wipe out all the nodes in the testbed and
reinstall them from scratch. Of course, in the new configuration you
should change the root password of the nodes (including the LCFGng
server).

I know this sounds a bit extreme, but in these occasions it is very hard
to really find out what the hacker may have replaced.

Also, as the hacker may have run a sniffer, you may want to recommend to
users working in the same network to check their own systems and in any
case change their passwords.

You may probably find some help from computing security experts at your
site.

Let us know how you proceed. Cheers

                 Emanuele

> Tein Horng Yuan wrote:
>
> Hi Folks,
>
> Our LCFGng server system is something wrong since 2003-07-24 15:00
> GMT+8 but it is only like a system error.  This morning I  found
> several services are missing again and cannot reboot the system to
> runlevel 3.  Lately, I tried to get into single user mode to see what
> the problem is.
>
> Since everything is so wierd, I just use our static_link_toolbox to
> look at the system.  I found a directory '.. ' under /usr/bin.  I
> think our  system is compromised by unknown.  Unfortunately, our
> LCFG-1 testbed engineers are out of town for their summer vocation
> recently.  Since I don't anything about LCG-1 testbed installation, I
> can hardly dig out the system w/o their help.  I list some infomation
> below for your reference.  Any comment or advice is appreciate.
>
>   1. There is a directory called '.. ' under /usr/bin.
>   2. In '/etc/hosts.allow', 137.138.28.116 is allowed to use sshd .
>      What is the role of 137.138.28.116 (pb-s-31-s-15-2-1.cern.ch) in
>      LCG-1 testbed?
>   3. From 2003-07-25 07:14:21 ~  2003-07-25 10:08:43 , int
>      '/etc/message' , "eth0: Promiscuous mode enabled." --- 46 times
>   4. all the /etc/secure.* size are zero
>   5. On 2003-07-24, around 15:00 GMT+8, our httpd on LCFGng was dead
>      w/o any reason.  There was no way to restart the http service.
>      Lately, I found /etc/httpd/conf/httpd.conf was missing.
>   6. On 2003-07-25, around 09:00 GMT+8, dhcpd, httpd & portmap are
>      dead.  This time, httpd.conf is there.
>
> Our time zone is GMT+8.  Enclosed please find a file listing under
> '/usr/bin/.. ' .
>
> I am looking forward to receiving your reply.
>
> -- Tein
>
>     ---------------------------------------------------------------
> drwxr-xr-x    5 root     root         4096 Jul 25 16:43 .
> -rw-r--r--    1 root     root        14796 Jul 25 07:14 ./.x.tgz
> -rw-r--r--    1 root     root       219130 Jul 25 09:13 ./3rwu2.tgz
> -rwxr-xr-x    1 root     root       382072 Jul 25 09:22 ./7350wurm
> drwxr-xr-x    2 30       root         4096 Jul 25 16:43 ./a
> -rw-r--r--    1 root     root       165081 Jul 25 07:41 ./a.tgz
> -rwxr-xr-x    1 root     root        40961 Jul 25 07:50 ./a/a
> -rwxr-xr-x    1 root     root           55 Jul 25 07:50 ./a/check
> -rwxr-xr-x    1 root     root        10104 Jul 25 07:50 ./a/host2ip
> -rw-r--r--    1 root     root            0 Jul 25 07:50 ./a/ip
> -rw-r--r--    1 root     root         7791 Jul 25 07:50 ./a/ip2
> -rwxr-xr-x    1 root     root         7872 Jul 25 07:50 ./a/numip
> -rwxr-xr-x    1 root     root       123744 Jul 25 07:50 ./a/op
> -rw-r--r--    1 root     root         2322 Jul 25 07:50 ./a/ports.c
> -rwxr-xr-x    1 root     root        13292 Jul 25 07:50 ./a/prob
> -rwxr-xr-x    1 root     root          323 Jul 25 07:50 ./a/probe
> -rwxr-xr-x    1 root     root           55 Jul 25 07:50 ./a/probe.2
> -rwxr-xr-x    1 root     root          184 Jul 25 07:50 ./a/probe.3
> -rwxr-xr-x    1 root     root          346 Jul 25 07:50 ./a/probe.old
> -rwxr-xr-x    1 root     root        21750 Jul 25 07:45 ./a/scan
> -rw-r--r--    1 root     root         4766 Jul 25 07:50 ./a/scan.c
> -rwxr-xr-x    1 root     root        21426 Jul 25 07:50 ./a/scanA
> -rwxr-xr-x    1 root     root       132008 Jul 25 07:50 ./a/ssl3
> -rwxr-xr-x    1 root     root        34752 Jul 25 07:50 ./a/synscan
> -rwxr-xr-x    1 root     root           23 Jul 25 07:50 ./a/test
> -rwxr-xr-x    1 root     root          396 Jul 25 07:50 ./a/test3
> -rwxr-xr-x    1 root     root        32391 Jul 25 07:50 ./a/upscan
> -rwxr-xr-x    1 root     root        18368 Jul 25 07:50 ./a/verify2
> -rwxr-xr-x    1 root     root          737 Jul 25 07:50 ./a/x
> -rwxr-xr-x    1 root     root        13812 Jul 25 07:14 ./awu
> -rwxr-xr-x    1 root     root         1345 Jul 25 07:14 ./cl
> -rwxr-xr-x    1 root     root       647330 Jul 25 07:14 ./initd
> -rw-r--r--    1 root     root            0 Jul 25 07:14 ./last
> drwxr-xr-x    3 root     root         4096 Jul 25 16:43 ./m6.3-BETA2
> -rw-r--r--    1 root     root       850805 Jul 25 09:26
> ./m6.3-BETA2-linux-bin-x86.tar.gz
> -rw-r--r--    1 root     root         2784 Jul 25 09:26
> ./m6.3-BETA2/README
> -rwxr-xr-x    1 root     root        86830 Jul 25 09:26
> ./m6.3-BETA2/r00t
> drwxr-xr-x    5 root     root         4096 Jul 25 16:43
> ./m6.3-BETA2/xp
> -rwxr-xr-x    1 root     root       382072 Jul 25 09:26
> ./m6.3-BETA2/xp/7350wurm
> -rwxr--r--    1 root     root        12716 Jul 25 09:26
> ./m6.3-BETA2/xp/amdx
> -rwxr-xr-x    1 root     root        24971 Jul 25 09:26
> ./m6.3-BETA2/xp/cmsd
> -rwxr-xr-x    1 root     root        15453 Jul 25 09:26
> ./m6.3-BETA2/xp/fbsd-amd
> drwxr-xr-x    2 root     root         4096 Jul 25 16:43
> ./m6.3-BETA2/xp/fprint
> -rw-------    1 root     root          549 Jul 25 09:26
> ./m6.3-BETA2/xp/fprint/Changelog
> -rw-------    1 root     root          139 Jul 25 09:26
> ./m6.3-BETA2/xp/fprint/Makefile
> -rw-------    1 root     root          936 Jul 25 09:26
> ./m6.3-BETA2/xp/fprint/README
> -rw-------    1 root     root         1071 Jul 25 09:26
> ./m6.3-BETA2/xp/fprint/base_net.cpp
> -rw-------    1 root     root         2822 Jul 25 09:26
> ./m6.3-BETA2/xp/fprint/fingerdb.cpp
> -rw-------    1 root     root        11493 Jul 25 09:26
> ./m6.3-BETA2/xp/fprint/fps
> -rwxr-xr-x    1 root     root        77151 Jul 25 09:26
> ./m6.3-BETA2/xp/fprint/telnetfp
> -rw-------    1 root     root         4405 Jul 25 09:26
> ./m6.3-BETA2/xp/fprint/telnetfp.cpp
> -rw-------    1 root     root          422 Jul 25 09:26
> ./m6.3-BETA2/xp/fprint/telnetfp.hpp
> -rw-------    1 root     root        11493 Jul 25 09:26
> ./m6.3-BETA2/xp/fps
> -rwxr-xr-x    1 root     root        16747 Jul 25 09:26
> ./m6.3-BETA2/xp/freebsd-amd
> drwxr-sr-x    2 root     root         4096 Jul 25 16:43
> ./m6.3-BETA2/xp/os
> -rwxr-xr-x    1 root     root       127912 Jul 25 09:26
> ./m6.3-BETA2/xp/os/openssl-scanner
> -rwxr-xr-x    1 root     root       121231 Jul 25 09:34
> ./m6.3-BETA2/xp/os/os
> -rwxr-xr-x    1 root     root        31736 Jul 25 09:26
> ./m6.3-BETA2/xp/pcnfsd_remote
> drwxr-xr-x    2 root     root         4096 Jul 25 16:43
> ./m6.3-BETA2/xp/ssh
> -rw-r--r--    1 root     root          371 Jul 25 09:26
> ./m6.3-BETA2/xp/ssh/command
> -rwxr-xr-x    1 root     root        23786 Jul 25 09:26
> ./m6.3-BETA2/xp/ssh/ssh
> -rw-------    1 root     root          314 Jul 25 09:26
> ./m6.3-BETA2/xp/ssh/ssh.c
> -rwxr-xr-x    1 root     root         2581 Jul 25 09:26
> ./m6.3-BETA2/xp/ssh/sshxp
> -rw-r--r--    1 root     root         1346 Jul 25 09:26
> ./m6.3-BETA2/xp/ssh/targets
> -rwxr-xr-x    1 root     root           12 Jul 25 09:26
> ./m6.3-BETA2/xp/ssh/x2
> -rwxr-xr-x    1 root     root       817052 Jul 25 09:26
> ./m6.3-BETA2/xp/ssh/x2x
> -rwxr-xr-x    1 root     root       777025 Jul 25 09:26
> ./m6.3-BETA2/xp/ssh/x3
> -rwxr-xr-x    1 root     root        37610 Jul 25 09:26
> ./m6.3-BETA2/xp/telnet
> -rwxr-xr-x    1 root     root          149 Jul 25 09:26
> ./m6.3-BETA2/xp/telnetfp
> -rwxr-xr-x    1 root     root        18461 Jul 25 09:26
> ./m6.3-BETA2/xp/ttdb
> -rwxr-xr-x    1 root     root         4060 Jul 25 09:08 ./read
> -rw-r--r--    1 root     root        18762 Jul 25 07:37 ./samba.tgz
> drwxr-xr-x    2 root     root         4096 Jul 25 16:43 ./samba2
> -rwxr-xr-x    1 root     root        22247 Jul 25 09:28
> ./samba2/ptrace
> -rwxr-xr-x    1 root     root        37662 Jul 25 09:28 ./samba2/samba
> -rwxr-xr-x    1 root     root        23561 Jul 25 09:23 ./samba2/sc
> -rwxr-xr-x    1 root     root         6532 Jul 25 07:14 ./sc
> -rwxr-xr-x    1 root     root          982 Jul 25 07:14 ./scan
> -rwxr-xr-x    1 root     root        16776 Jul 25 08:51 ./sl2
> -rwxr-xr-x    1 root     root        48016 Jul 25 09:13 ./startwu
> -rwxr-xr-x    1 root     root        11472 Jul 25 07:14 ./statdx
> -rw-r--r--    1 root     root            0 Jul 25 09:08 ./tcp.log
> -rwxr-xr-x    1 root     root         4684 Jul 25 07:14 ./v
> -rwxr-xr-x    1 root     root         6324 Jul 25 07:14 ./write
> -rwxr-xr-x    1 root     root         1187 Jul 25 07:14 ./wroot
> -rwxr-xr-x    1 root     root         6340 Jul 25 07:14 ./wscan
> -rwxr-xr-x    1 root     root         6324 Jul 25 07:14 ./wted
> -rwxr-xr-x    1 root     root        31216 Jul 25 07:14 ./wu

--
/------------------- Emanuele Leonardi -------------------\
| eMail: [log in to unmask] - Tel.: +41-22-7674066 |
|  IT division - Bat.31 2-012 - CERN - CH-1211 Geneva 23  |
\---------------------------------------------------------/