Hi Tein.
I am afraid that the symptoms you report can only be explained by some
hacker getting into your system and compromising it.
m6 looks like a well-spread hacker tool, popular in eastern Asia (just
try a Google search with the string "m6.3-BETA2"), and eth0 set to
promiscuous mode is usually a sign that the hacker was running a sniffer
on your machine, too.
My recommendation would be to wipe out all the nodes in the testbed and
reinstall them from scratch. Of course, in the new configuration you
should change the root password of the nodes (including the LCFGng
server).
I know this sounds a bit extreme, but on these occasions it is very hard
to really find out what the hacker may have replaced.
Also, as the hacker may have run a sniffer, you may want to recommend to
users working in the same network to check their own systems and in any
case change their passwords.
You may probably find some help from computing security experts at your
site.
Let us know how you proceed. Cheers
Emanuele
> Tein Horng Yuan wrote:
>
> Hi Folks,
>
> Our LCFGng server system has had something wrong since 2003-07-24 15:00
> GMT+8, but it only looked like a system error. This morning I found
> several services are missing again and cannot reboot the system to
> runlevel 3. Lately, I tried to get into single user mode to see what
> the problem is.
>
> Since everything is so weird, I just used our static_link_toolbox to
> look at the system. I found a directory '.. ' under /usr/bin. I
> think our system has been compromised by someone unknown. Unfortunately, our
> LCFG-1 testbed engineers are out of town for their summer vacation
> recently. Since I don't know anything about LCG-1 testbed installation, I
> can hardly dig out the system w/o their help. I list some information
> below for your reference. Any comment or advice is appreciated.
>
> 1. There is a directory called '.. ' under /usr/bin.
> 2. In '/etc/hosts.allow', 137.138.28.116 is allowed to use sshd .
> What is the role of 137.138.28.116 (pb-s-31-s-15-2-1.cern.ch) in
> LCG-1 testbed?
> 3. From 2003-07-25 07:14:21 ~ 2003-07-25 10:08:43, in
> '/etc/message', "eth0: Promiscuous mode enabled." --- 46 times
> 4. all the /etc/secure.* sizes are zero
> 5. On 2003-07-24, around 15:00 GMT+8, our httpd on LCFGng was dead
> w/o any reason. There was no way to restart the http service.
> Lately, I found /etc/httpd/conf/httpd.conf was missing.
> 6. On 2003-07-25, around 09:00 GMT+8, dhcpd, httpd & portmap were
> dead. This time, httpd.conf is there.
>
> Our time zone is GMT+8. Enclosed please find a file listing under
> '/usr/bin/.. ' .
>
> I am looking forward to receiving your reply.
>
> -- Tein
>
> ---------------------------------------------------------------
> drwxr-xr-x 5 root root 4096 Jul 25 16:43 .
> -rw-r--r-- 1 root root 14796 Jul 25 07:14 ./.x.tgz
> -rw-r--r-- 1 root root 219130 Jul 25 09:13 ./3rwu2.tgz
> -rwxr-xr-x 1 root root 382072 Jul 25 09:22 ./7350wurm
> drwxr-xr-x 2 30 root 4096 Jul 25 16:43 ./a
> -rw-r--r-- 1 root root 165081 Jul 25 07:41 ./a.tgz
> -rwxr-xr-x 1 root root 40961 Jul 25 07:50 ./a/a
> -rwxr-xr-x 1 root root 55 Jul 25 07:50 ./a/check
> -rwxr-xr-x 1 root root 10104 Jul 25 07:50 ./a/host2ip
> -rw-r--r-- 1 root root 0 Jul 25 07:50 ./a/ip
> -rw-r--r-- 1 root root 7791 Jul 25 07:50 ./a/ip2
> -rwxr-xr-x 1 root root 7872 Jul 25 07:50 ./a/numip
> -rwxr-xr-x 1 root root 123744 Jul 25 07:50 ./a/op
> -rw-r--r-- 1 root root 2322 Jul 25 07:50 ./a/ports.c
> -rwxr-xr-x 1 root root 13292 Jul 25 07:50 ./a/prob
> -rwxr-xr-x 1 root root 323 Jul 25 07:50 ./a/probe
> -rwxr-xr-x 1 root root 55 Jul 25 07:50 ./a/probe.2
> -rwxr-xr-x 1 root root 184 Jul 25 07:50 ./a/probe.3
> -rwxr-xr-x 1 root root 346 Jul 25 07:50 ./a/probe.old
> -rwxr-xr-x 1 root root 21750 Jul 25 07:45 ./a/scan
> -rw-r--r-- 1 root root 4766 Jul 25 07:50 ./a/scan.c
> -rwxr-xr-x 1 root root 21426 Jul 25 07:50 ./a/scanA
> -rwxr-xr-x 1 root root 132008 Jul 25 07:50 ./a/ssl3
> -rwxr-xr-x 1 root root 34752 Jul 25 07:50 ./a/synscan
> -rwxr-xr-x 1 root root 23 Jul 25 07:50 ./a/test
> -rwxr-xr-x 1 root root 396 Jul 25 07:50 ./a/test3
> -rwxr-xr-x 1 root root 32391 Jul 25 07:50 ./a/upscan
> -rwxr-xr-x 1 root root 18368 Jul 25 07:50 ./a/verify2
> -rwxr-xr-x 1 root root 737 Jul 25 07:50 ./a/x
> -rwxr-xr-x 1 root root 13812 Jul 25 07:14 ./awu
> -rwxr-xr-x 1 root root 1345 Jul 25 07:14 ./cl
> -rwxr-xr-x 1 root root 647330 Jul 25 07:14 ./initd
> -rw-r--r-- 1 root root 0 Jul 25 07:14 ./last
> drwxr-xr-x 3 root root 4096 Jul 25 16:43 ./m6.3-BETA2
> -rw-r--r-- 1 root root 850805 Jul 25 09:26 ./m6.3-BETA2-linux-bin-x86.tar.gz
> -rw-r--r-- 1 root root 2784 Jul 25 09:26 ./m6.3-BETA2/README
> -rwxr-xr-x 1 root root 86830 Jul 25 09:26 ./m6.3-BETA2/r00t
> drwxr-xr-x 5 root root 4096 Jul 25 16:43 ./m6.3-BETA2/xp
> -rwxr-xr-x 1 root root 382072 Jul 25 09:26 ./m6.3-BETA2/xp/7350wurm
> -rwxr--r-- 1 root root 12716 Jul 25 09:26 ./m6.3-BETA2/xp/amdx
> -rwxr-xr-x 1 root root 24971 Jul 25 09:26 ./m6.3-BETA2/xp/cmsd
> -rwxr-xr-x 1 root root 15453 Jul 25 09:26 ./m6.3-BETA2/xp/fbsd-amd
> drwxr-xr-x 2 root root 4096 Jul 25 16:43 ./m6.3-BETA2/xp/fprint
> -rw------- 1 root root 549 Jul 25 09:26 ./m6.3-BETA2/xp/fprint/Changelog
> -rw------- 1 root root 139 Jul 25 09:26 ./m6.3-BETA2/xp/fprint/Makefile
> -rw------- 1 root root 936 Jul 25 09:26 ./m6.3-BETA2/xp/fprint/README
> -rw------- 1 root root 1071 Jul 25 09:26 ./m6.3-BETA2/xp/fprint/base_net.cpp
> -rw------- 1 root root 2822 Jul 25 09:26 ./m6.3-BETA2/xp/fprint/fingerdb.cpp
> -rw------- 1 root root 11493 Jul 25 09:26 ./m6.3-BETA2/xp/fprint/fps
> -rwxr-xr-x 1 root root 77151 Jul 25 09:26 ./m6.3-BETA2/xp/fprint/telnetfp
> -rw------- 1 root root 4405 Jul 25 09:26 ./m6.3-BETA2/xp/fprint/telnetfp.cpp
> -rw------- 1 root root 422 Jul 25 09:26 ./m6.3-BETA2/xp/fprint/telnetfp.hpp
> -rw------- 1 root root 11493 Jul 25 09:26 ./m6.3-BETA2/xp/fps
> -rwxr-xr-x 1 root root 16747 Jul 25 09:26 ./m6.3-BETA2/xp/freebsd-amd
> drwxr-sr-x 2 root root 4096 Jul 25 16:43 ./m6.3-BETA2/xp/os
> -rwxr-xr-x 1 root root 127912 Jul 25 09:26 ./m6.3-BETA2/xp/os/openssl-scanner
> -rwxr-xr-x 1 root root 121231 Jul 25 09:34 ./m6.3-BETA2/xp/os/os
> -rwxr-xr-x 1 root root 31736 Jul 25 09:26 ./m6.3-BETA2/xp/pcnfsd_remote
> drwxr-xr-x 2 root root 4096 Jul 25 16:43 ./m6.3-BETA2/xp/ssh
> -rw-r--r-- 1 root root 371 Jul 25 09:26 ./m6.3-BETA2/xp/ssh/command
> -rwxr-xr-x 1 root root 23786 Jul 25 09:26 ./m6.3-BETA2/xp/ssh/ssh
> -rw------- 1 root root 314 Jul 25 09:26 ./m6.3-BETA2/xp/ssh/ssh.c
> -rwxr-xr-x 1 root root 2581 Jul 25 09:26 ./m6.3-BETA2/xp/ssh/sshxp
> -rw-r--r-- 1 root root 1346 Jul 25 09:26 ./m6.3-BETA2/xp/ssh/targets
> -rwxr-xr-x 1 root root 12 Jul 25 09:26 ./m6.3-BETA2/xp/ssh/x2
> -rwxr-xr-x 1 root root 817052 Jul 25 09:26 ./m6.3-BETA2/xp/ssh/x2x
> -rwxr-xr-x 1 root root 777025 Jul 25 09:26 ./m6.3-BETA2/xp/ssh/x3
> -rwxr-xr-x 1 root root 37610 Jul 25 09:26 ./m6.3-BETA2/xp/telnet
> -rwxr-xr-x 1 root root 149 Jul 25 09:26 ./m6.3-BETA2/xp/telnetfp
> -rwxr-xr-x 1 root root 18461 Jul 25 09:26 ./m6.3-BETA2/xp/ttdb
> -rwxr-xr-x 1 root root 4060 Jul 25 09:08 ./read
> -rw-r--r-- 1 root root 18762 Jul 25 07:37 ./samba.tgz
> drwxr-xr-x 2 root root 4096 Jul 25 16:43 ./samba2
> -rwxr-xr-x 1 root root 22247 Jul 25 09:28 ./samba2/ptrace
> -rwxr-xr-x 1 root root 37662 Jul 25 09:28 ./samba2/samba
> -rwxr-xr-x 1 root root 23561 Jul 25 09:23 ./samba2/sc
> -rwxr-xr-x 1 root root 6532 Jul 25 07:14 ./sc
> -rwxr-xr-x 1 root root 982 Jul 25 07:14 ./scan
> -rwxr-xr-x 1 root root 16776 Jul 25 08:51 ./sl2
> -rwxr-xr-x 1 root root 48016 Jul 25 09:13 ./startwu
> -rwxr-xr-x 1 root root 11472 Jul 25 07:14 ./statdx
> -rw-r--r-- 1 root root 0 Jul 25 09:08 ./tcp.log
> -rwxr-xr-x 1 root root 4684 Jul 25 07:14 ./v
> -rwxr-xr-x 1 root root 6324 Jul 25 07:14 ./write
> -rwxr-xr-x 1 root root 1187 Jul 25 07:14 ./wroot
> -rwxr-xr-x 1 root root 6340 Jul 25 07:14 ./wscan
> -rwxr-xr-x 1 root root 6324 Jul 25 07:14 ./wted
> -rwxr-xr-x 1 root root 31216 Jul 25 07:14 ./wu
--
/------------------- Emanuele Leonardi -------------------\
| eMail: [log in to unmask] - Tel.: +41-22-7674066 |
| IT division - Bat.31 2-012 - CERN - CH-1211 Geneva 23 |
\---------------------------------------------------------/
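The indicators the two messages turn on (a hidden '.. ' entry under /usr/bin, repeated "Promiscuous mode enabled." kernel messages, zero-length security logs) can be checked mechanically. The script below is an added example, not code from either correspondent or from the LCFG project; it takes its inputs as arguments so it runs offline on the constructed samples shown, and the log format, hostname and /var/log/secure paths are assumptions.

```python
import re
from datetime import datetime

# Red Hat style syslog line (assumed format); syslog carries no year, so the caller supplies it.
PROMISC_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r"(?P<iface>\w+): Promiscuous mode enabled\.$")

def promiscuous_events(log_lines, year):
    """Return (timestamp, interface) for every promiscuous-mode kernel message."""
    events = []
    for line in log_lines:
        m = PROMISC_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group("iface")))
    return events

def hidden_entries(names):
    """Entries in a system bin dir that hide from a casual 'ls': dot-prefixed names
    other than '.' and '..', or names padded with whitespace such as '.. '."""
    return [n for n in names
            if n not in (".", "..") and (n.startswith(".") or n != n.strip())]

def wiped_logs(sizes):
    """Zero-length files among logs that should be growing (path -> size in bytes)."""
    return sorted(path for path, size in sizes.items() if size == 0)

def triage(log_lines, names, sizes, year):
    """Combine the three checks into one report; any hit means 'treat as compromised'."""
    events = promiscuous_events(log_lines, year)
    report = {
        "promisc_count": len(events),
        "promisc_window": (min(events)[0], max(events)[0]) if events else None,
        "hidden": hidden_entries(names),
        "wiped_logs": wiped_logs(sizes),
    }
    report["compromised"] = bool(events or report["hidden"] or report["wiped_logs"])
    return report

# Constructed samples modelled on the thread's report; not the real files.
SAMPLE_LOG = [
    "Jul 25 07:14:21 lcfg kernel: eth0: Promiscuous mode enabled.",
    "Jul 25 07:15:02 lcfg sshd[812]: Accepted password for root from 10.0.0.5",
    "Jul 25 09:30:00 lcfg kernel: eth0: Promiscuous mode enabled.",
    "Jul 25 10:08:43 lcfg kernel: eth0: Promiscuous mode enabled.",
]
SAMPLE_NAMES = [".", "..", ".. ", "ls", "gcc", " vi"]
SAMPLE_SIZES = {"/var/log/secure": 0, "/var/log/secure.1": 0, "/var/log/messages": 48213}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_NAMES, SAMPLE_SIZES, 2003))
```

On a live box the inputs should come from a statically linked toolbox (as Tein did), since a rootkit of this kind typically replaces `ls`, `ps` and friends; and as Emanuele says, a hit here justifies a rebuild rather than a cleanup.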