Server hacked?

Thread starter: Tobster
On almost every file on my server the date has changed to yesterday. Did someone hack me or install a rootkit? Or did S4y do something to my VPS?
So far there has been no additional traffic. For yesterday the values are under one MB.

I know that nothing can be done without logs. But when I noticed it, it was five minutes before I had to leave for work.

auth.log from yesterday
Code:
Nov  8 20:45:28 vs247083 saslauthd[6562]: server_exit     : master exited: 6562
Nov  8 20:45:29 vs247083 sshd[7364]: Received signal 15; terminating.
Nov  8 20:53:41 vs247083 saslauthd[30244]: detach_tty      : master pid is: 30244
Nov  8 20:53:41 vs247083 saslauthd[30244]: ipc_init        : listening on socket: /var/run/saslauthd/mux
Nov  8 20:53:41 vs247083 sshd[30848]: Server listening on 0.0.0.0 port xxxx.
I only hid the SSH port; otherwise everything is exactly as it was. The IP was 0.0.0.0.
The only thing in the auth.log from the day before yesterday, apart from cron, is that I logged in at eight to update ClamAV.


Code:
Nov  8 20:45:27 vs247083 authdaemond.plain: restarting authdaemond children
Nov  8 20:45:27 vs247083 authdaemond.plain: modules="authpam", daemons=5
Nov  8 20:53:36 vs247083 spamd[20261]: spamd starting
Nov  8 20:53:38 vs247083 spamd[21313]: server started on port 783/tcp (running version 3.0.3)
Nov  8 20:53:38 vs247083 spamd[21313]: server successfully spawned child process, pid 22976
Nov  8 20:53:38 vs247083 authdaemond.plain: modules="authpam", daemons=5
spamd is running even though it is switched off.

Code:
Nov  8 20:44:40 vs247083 shutdown[15203]: shutting down for system halt
User.log


Code:
reboot   system boot  2.4.20-021stab02 Tue Nov  8 20:53          (11:42)

Last but not least, the thing that gave me a scare: the aide.log.
The file is 8 MB; I wanted to upload it at first, but I think it's too big. So here is a short excerpt.
Code:
changed:/usr/share/doc/phpdoc/html/function.oci-commit.html
changed:/usr/share/doc/phpdoc/html/function.oci-connect.html
changed:/usr/share/doc/phpdoc/html/function.oci-define-by-name.html
changed:/usr/share/doc/phpdoc/html/function.oci-error.html
changed:/usr/share/doc/phpdoc/html/function.oci-execute.html
changed:/usr/share/doc/phpdoc/html/function.oci-fetch-all.html
changed:/usr/share/doc/phpdoc/html/function.oci-fetch-array.html
changed:/usr/share/doc/phpdoc/html/function.oci-fetch-assoc.html
changed:/usr/share/doc/phpdoc/html/function.oci-fetch-object.html
changed:/usr/share/doc/phpdoc/html/function.oci-fetch-row.html
changed:/usr/share/doc/phpdoc/html/function.oci-fetch.html
changed:/usr/share/doc/phpdoc/html/function.oci-field-is-null.html
changed:/usr/share/doc/phpdoc/html/function.oci-field-name.html
changed:/usr/share/doc/phpdoc/html/function.oci-field-precision.html
changed:/usr/share/doc/phpdoc/html/function.oci-field-scale.html
changed:/usr/share/doc/phpdoc/html/function.oci-field-size.html
changed:/usr/share/doc/phpdoc/html/function.oci-field-type-raw.html
changed:/usr/share/doc/phpdoc/html/function.oci-field-type.html
changed:/usr/share/doc/phpdoc/html/function.oci-free-descriptor.html
changed:/usr/share/doc/phpdoc/html/function.oci-free-statement.html
changed:/usr/share/doc/phpdoc/html/function.oci-internal-debug.html
changed:/usr/share/doc/phpdoc/html/function.oci-lob-append.html
changed:/usr/share/doc/phpdoc/html/function.oci-lob-close.html
changed:/usr/share/doc/phpdoc/html/function.oci-lob-copy.html
changed:/usr/share/doc/phpdoc/html/function.oci-lob-eof.html
changed:/usr/share/doc/phpdoc/html/function.oci-lob-erase.html
changed:/usr/share/doc/phpdoc/html/function.oci-lob-export.html
changed:/usr/share/doc/phpdoc/html/function.oci-lob-flush.html
changed:/usr/share/doc/phpdoc/html/function.oci-lob-import.html
changed:/usr/share/doc/phpdoc/html/function.oci-lob-is-equal.html
changed:/usr/share/doc/phpdoc/html/function.oci-lob-load.html
changed:/usr/share/doc/phpdoc/html/function.oci-lob-read.html
changed:/usr/share/doc/phpdoc/html/function.oci-lob-rewind.html
changed:/usr/share/doc/phpdoc/html/function.oci-lob-save.html
changed:/usr/share/doc/phpdoc/html/function.oci-lob-seek.html
changed:/usr/share/doc/phpdoc/html/function.oci-lob-size.html
changed:/usr/share/doc/phpdoc/html/function.oci-lob-tell.html
changed:/usr/share/doc/phpdoc/html/function.oci-lob-truncate.html
changed:/usr/share/doc/phpdoc/html/function.oci-lob-write-temporary.html
changed:/usr/share/doc/phpdoc/html/function.oci-lob-write.html
changed:/usr/share/doc/phpdoc/html/function.oci-new-collection.html
changed:/usr/share/doc/phpdoc/html/function.oci-new-connect.html
changed:/usr/share/doc/phpdoc/html/function.oci-new-cursor.html
changed:/usr/share/doc/phpdoc/html/function.oci-new-descriptor.html
changed:/usr/share/doc/phpdoc/html/function.oci-num-fields.html
changed:/usr/share/doc/phpdoc/html/function.oci-num-rows.html
changed:/usr/share/doc/phpdoc/html/function.oci-parse.html
changed:/usr/share/doc/phpdoc/html/function.oci-password-change.html
changed:/usr/share/doc/phpdoc/html/function.oci-pconnect.html
changed:/usr/share/doc/phpdoc/html/function.oci-result.html
changed:/usr/share/doc/phpdoc/html/function.oci-rollback.html
changed:/usr/share/doc/phpdoc/html/function.oci-server-version.html
changed:/usr/share/doc/phpdoc/html/function.oci-set-prefetch.html
changed:/usr/share/doc/phpdoc/html/function.oci-statement-type.html
changed:/usr/share/doc/phpdoc/html/ref.uodbc.html
changed:/usr/share/doc/phpdoc/html/function.ocigetbufferinglob.html
changed:/usr/share/doc/phpdoc/html/function.ocisetbufferinglob.html
changed:/usr/share/doc/phpdoc/html/function.openal-buffer-data.html
changed:/usr/share/doc/phpdoc/html/function.openal-buffer-create.html
changed:/usr/share/doc/phpdoc/html/function.openal-buffer-destroy.html
changed:/usr/share/doc/phpdoc/html/function.openal-buffer-get.html
changed:/usr/share/doc/phpdoc/html/function.openal-buffer-loadwav.html
changed:/usr/share/doc/phpdoc/html/function.openal-context-create.html
changed:/usr/share/doc/phpdoc/html/function.openal-context-current.html
changed:/usr/share/doc/phpdoc/html/function.openal-context-destroy.html
changed:/usr/share/doc/phpdoc/html/function.openal-context-process.html
changed:/usr/share/doc/phpdoc/html/function.openal-context-suspend.html
changed:/usr/share/doc/phpdoc/html/function.openal-device-close.html
changed:/usr/share/doc/phpdoc/html/function.openal-device-open.html
changed:/usr/share/doc/phpdoc/html/function.openal-listener-get.html
 
Tobster said:
On almost every file on my server the date has changed to yesterday.
A bit more precise, please.
Which files changed (paths) and which did not?
Your excerpt from the aide.log only lists files from the phpdoc package.
Was anything important changed? (/sbin /usr/bin /usr/sbin etc.)

huschi.
 
Yes, everything! Simply everything. Every file in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /etc, /usr/lib, /usr/share

Which file has not changed is hard to say in general with so many that have changed.
 
Code:
changed:/bin
changed:/bin/bash
changed:/bin/rbash
changed:/bin/sh
changed:/bin/loadkeys
changed:/bin/fgconsole
changed:/bin/cat
changed:/bin/chgrp
changed:/bin/chmod
changed:/bin/chown
changed:/bin/cp
changed:/bin/date
changed:/bin/dd
changed:/bin/df
changed:/bin/dir
changed:/bin/echo
changed:/bin/false
changed:/bin/ln
changed:/bin/ls
changed:/bin/mkdir
changed:/bin/mknod
changed:/bin/mv
changed:/bin/pwd
changed:/bin/readlink
changed:/bin/rm
changed:/bin/rmdir
changed:/bin/vdir
changed:/bin/sleep
changed:/bin/stty
changed:/bin/sync
changed:/bin/touch
changed:/bin/true
changed:/bin/uname
changed:/bin/run-parts
changed:/bin/tempfile
changed:/bin/mktemp
changed:/bin/grep
changed:/bin/egrep
changed:/bin/fgrep
changed:/bin/gzip
changed:/bin/gzexe
changed:/bin/zdiff
changed:/bin/zgrep
changed:/bin/zforce
changed:/bin/zless
changed:/bin/zmore
changed:/bin/znew
changed:/bin/gunzip
changed:/bin/zcat
changed:/bin/zcmp
changed:/bin/zegrep
changed:/bin/zfgrep
changed:/bin/uncompress
changed:/bin/hostname
changed:/bin/dnsdomainname
changed:/bin/mountpoint
changed:/bin/ping
changed:/bin/ping6
changed:/bin/login
changed:/bin/su
changed:/bin/mount
changed:/bin/umount
changed:/bin/netstat
changed:/bin/kill
changed:/bin/ps
changed:/bin/sed
changed:/bin/pidof
changed:/bin/tar
changed:/bin/arch
changed:/bin/more
changed:/bin/dmesg
changed:/bin/kernelversion
changed:/bin/cpio
changed:/bin/mt-gnu
changed:/bin/ed
changed:/bin/ip
changed:/bin/setserial
changed:/bin/nano
changed:/bin/fuser
changed:/bin/mt
changed:/bin/confixxmysql.sh
changed:/boot

Code:
Directory: /sbin
  Size     : 4096                              , 2048                              
  Bcount   : 8                                 , 4                                 
  Ctime    : 2005-10-01 13:18:20               , 2005-11-08 20:52:57               
  Inode    : 34931427                          , 35479756                          

File: /sbin/kbdrate
  Ctime    : 2005-08-11 16:27:52               , 2005-11-08 20:52:57               
  Inode    : 34931456                          , 35479757                          

File: /sbin/installkernel
  Ctime    : 2005-05-15 03:44:17               , 2005-11-08 20:52:57               
  Inode    : 34931429                          , 35479758                          

File: /sbin/start-stop-daemon
  Ctime    : 2005-08-11 16:27:32               , 2005-11-08 20:52:57               
  Inode    : 34930878                          , 35479759                          

File: /sbin/mke2fs
  Ctime    : 2005-08-11 16:27:36               , 2005-11-08 20:52:57               
  Inode    : 34930937                          , 35479874                          

File: /sbin/mkfs.ext2
  Ctime    : 2005-08-11 16:27:36               , 2005-11-08 20:52:57               
  Inode    : 34930937                          , 35479874                          

File: /sbin/logsave
  Ctime    : 2005-08-11 16:27:36               , 2005-11-08 20:52:57               
  Inode    : 34931121                          , 35479875                          

File: /sbin/e2fsck
  Ctime    : 2005-08-11 16:27:36               , 2005-11-08 20:52:57               
  Inode    : 34930935                          , 35479876                          

File: /sbin/mkfs.ext3
  Ctime    : 2005-08-11 16:27:36               , 2005-11-08 20:52:57               
  Inode    : 34930937                          , 35479874                          

File: /sbin/resize2fs
  Ctime    : 2005-08-11 16:27:36               , 2005-11-08 20:52:57               
  Inode    : 34931124                          , 35479877                          

File: /sbin/findfs
  Ctime    : 2005-08-11 16:27:36               , 2005-11-08 20:52:57               
  Inode    : 34931119                          , 35479878                          

File: /sbin/dumpe2fs
  Ctime    : 2005-08-11 16:27:36               , 2005-11-08 20:52:57               
  Inode    : 34931120                          , 35479879                          

File: /sbin/fsck.ext2
  Ctime    : 2005-08-11 16:27:36               , 2005-11-08 20:52:57               
  Inode    : 34930935                          , 35479876                          

File: /sbin/fsck.ext3
  Ctime    : 2005-08-11 16:27:36               , 2005-11-08 20:52:57               
  Inode    : 34930935                          , 35479876                          

File: /sbin/e2label
  Ctime    : 2005-08-11 16:27:36               , 2005-11-08 20:52:57               
  Inode    : 34931119                          , 35479878                          

File: /sbin/badblocks
  Ctime    : 2005-08-11 16:27:36               , 2005-11-08 20:52:57               
  Inode    : 34930955                          , 35479880                          

File: /sbin/debugfs
  Ctime    : 2005-08-11 16:27:36               , 2005-11-08 20:52:57               
  Inode    : 34930936                          , 35479881                          

File: /sbin/tune2fs
  Ctime    : 2005-08-11 16:27:36               , 2005-11-08 20:52:57               
  Inode    : 34931119                          , 35479878                          

File: /sbin/e2image
  Ctime    : 2005-08-11 16:27:36               , 2005-11-08 20:52:57               
  Inode    : 34931122                          , 35479882                          

File: /sbin/fsck
  Ctime    : 2005-08-11 16:27:36               , 2005-11-08 20:52:57               
  Inode    : 34931123                          , 35479883                          

File: /sbin/ifup
  Ctime    : 2005-08-11 16:29:40               , 2005-11-08 20:52:57               
  Inode    : 34931332                          , 35479884                          

File: /sbin/ifdown
  Ctime    : 2005-08-11 16:29:40               , 2005-11-08 20:52:57               
  Inode    : 34931332                          , 35479884                          

File: /sbin/fsck.nfs
  Ctime    : 2005-08-11 16:28:51               , 2005-11-08 20:52:57               
  Inode    : 34931264                          , 35480457                          

File: /sbin/blkid
  Ctime    : 2005-08-11 16:27:41               , 2005-11-08 20:52:57               
  Inode    : 34931125                          , 35480458                          

File: /sbin/ldconfig
  Ctime    : 2005-08-11 16:25:31               , 2005-11-08 20:52:57               
  Inode    : 34932179                          , 35480719                          

File: /sbin/unix_chkpwd
  Ctime    : 2005-05-15 03:44:17               , 2005-11-08 20:52:57               
  Inode    : 34931452                          , 35480720                          

File: /sbin/MAKEDEV
  Ctime    : 2005-08-11 16:29:58               , 2005-11-08 20:52:57               
  Inode    : 34931349                          , 35480721                          

File: /sbin/swapon
  Ctime    : 2005-10-01 13:18:16               , 2005-11-08 20:52:57               
  Inode    : 34930859                          , 35480722                          

File: /sbin/losetup
  Ctime    : 2005-10-01 13:18:16               , 2005-11-08 20:52:57               
  Inode    : 34930860                          , 35480723                          

File: /sbin/swapoff
  Ctime    : 2005-10-01 13:18:16               , 2005-11-08 20:52:57               
  Inode    : 34930861                          , 35480724                          

File: /sbin/ifconfig
  Ctime    : 2005-05-15 03:44:17               , 2005-11-08 20:52:57               
  Inode    : 34931457                          , 35480725                          

File: /sbin/nameif
  Ctime    : 2005-05-15 03:44:17               , 2005-11-08 20:52:57               
  Inode    : 34931458                          , 35480726                          

File: /sbin/plipconfig
  Ctime    : 2005-05-15 03:44:17               , 2005-11-08 20:52:57               
  Inode    : 34931459                          , 35480727                          

File: /sbin/rarp
  Ctime    : 2005-05-15 03:44:17               , 2005-11-08 20:52:57               
  Inode    : 34931460                          , 35480728                          

File: /sbin/route
  Ctime    : 2005-05-15 03:44:17               , 2005-11-08 20:52:57               
  Inode    : 34931461                          , 35480729                          

File: /sbin/slattach
  Ctime    : 2005-05-15 03:44:17               , 2005-11-08 20:52:57               
  Inode    : 34931462                          , 35480730                          

File: /sbin/ipmaddr
  Ctime    : 2005-05-15 03:44:17               , 2005-11-08 20:52:57               
  Inode    : 34931463                          , 35480731                          

File: /sbin/iptunnel
  Ctime    : 2005-05-15 03:44:17               , 2005-11-08 20:52:57               
  Inode    : 34931464                          , 35480732                          

File: /sbin/mii-tool
  Ctime    : 2005-05-15 03:44:17               , 2005-11-08 20:52:57               
  Inode    : 34931465                          , 35480733                          

File: /sbin/shadowconfig
  Ctime    : 2005-08-11 16:27:23               , 2005-11-08 20:52:57               
  Inode    : 34930877                          , 35480734                          

File: /sbin/sysctl
  Ctime    : 2005-05-15 03:44:17               , 2005-11-08 20:52:57               
  Inode    : 34931467                          , 35480735                          

File: /sbin/init
  Ctime    : 2005-08-11 16:27:45               , 2005-11-08 20:52:57               
  Inode    : 34931129                          , 35480736                          

File: /sbin/halt
  Ctime    : 2005-08-11 16:27:45               , 2005-11-08 20:52:57               
  Inode    : 34931130                          , 35480737                          

File: /sbin/shutdown
  Ctime    : 2005-08-11 16:27:45               , 2005-11-08 20:52:57               
  Inode    : 34931131                          , 35480738                          

File: /sbin/runlevel
  Ctime    : 2005-08-11 16:27:45               , 2005-11-08 20:52:57               
  Inode    : 34931132                          , 35480739                          

File: /sbin/killall5
  Ctime    : 2005-08-11 16:27:45               , 2005-11-08 20:52:57               
  Inode    : 34931133                          , 35480740                          

File: /sbin/sulogin
  Ctime    : 2005-08-11 16:27:45               , 2005-11-08 20:52:57               
  Inode    : 34931430                          , 35480741                          

File: /sbin/bootlogd
  Ctime    : 2005-08-11 16:27:45               , 2005-11-08 20:52:57               
  Inode    : 34931431                          , 35480742                          

File: /sbin/reboot
  Ctime    : 2005-08-11 16:27:45               , 2005-11-08 20:52:57               
  Inode    : 34931432                          , 35480743                          

File: /sbin/poweroff
  Ctime    : 2005-08-11 16:27:45               , 2005-11-08 20:52:57               
  Inode    : 34931434                          , 35480744                          

File: /sbin/telinit
  Ctime    : 2005-08-11 16:27:45               , 2005-11-08 20:52:57               
  Inode    : 34931436                          , 35480745                          

File: /sbin/rmt
  Ctime    : 2005-08-11 16:27:47               , 2005-11-08 20:52:57               
  Inode    : 34931433                          , 35480746                          

File: /sbin/mkswap
  Ctime    : 2005-10-01 13:18:19               , 2005-11-08 20:52:57               
  Inode    : 34930862                          , 35480747                          

File: /sbin/hwclock
  Ctime    : 2005-10-01 13:18:19               , 2005-11-08 20:52:57               
  Inode    : 34930863                          , 35480748                          

File: /sbin/blockdev
  Ctime    : 2005-10-01 13:18:19               , 2005-11-08 20:52:57               
  Inode    : 34930864                          , 35480749                          

File: /sbin/raw
  Ctime    : 2005-10-01 13:18:19               , 2005-11-08 20:52:57               
  Inode    : 34930865                          , 35480750                          

File: /sbin/pivot_root
  Ctime    : 2005-10-01 13:18:19               , 2005-11-08 20:52:57               
  Inode    : 34930993                          , 35480751                          

File: /sbin/fsck.minix
  Ctime    : 2005-10-01 13:18:19               , 2005-11-08 20:52:57               
  Inode    : 34930994                          , 35480752                          

File: /sbin/fsck.cramfs
  Ctime    : 2005-10-01 13:18:19               , 2005-11-08 20:52:57               
  Inode    : 34930995                          , 35480753                          

File: /sbin/mkfs.minix
  Ctime    : 2005-10-01 13:18:19               , 2005-11-08 20:52:57               
  Inode    : 34930996                          , 35480754                          

File: /sbin/mkfs.cramfs
  Ctime    : 2005-10-01 13:18:19               , 2005-11-08 20:52:57               
  Inode    : 34930997                          , 35480755                          

File: /sbin/mkfs
  Ctime    : 2005-10-01 13:18:19               , 2005-11-08 20:52:57               
  Inode    : 34930998                          , 35480756                          

File: /sbin/cfdisk
  Ctime    : 2005-10-01 13:18:19               , 2005-11-08 20:52:57               
  Inode    : 34930999                          , 35480757                          

File: /sbin/fdisk
  Ctime    : 2005-10-01 13:18:19               , 2005-11-08 20:52:57               
  Inode    : 34931000                          , 35480758                          

File: /sbin/sfdisk
  Ctime    : 2005-10-01 13:18:19               , 2005-11-08 20:52:57               
  Inode    : 34931001                          , 35480759                          

File: /sbin/getty
  Ctime    : 2005-10-01 13:18:19               , 2005-11-08 20:52:57               
  Inode    : 34931002                          , 35480760                          

File: /sbin/ipchains-restore
  Ctime    : 2005-05-15 03:44:17               , 2005-11-08 20:52:57               
  Inode    : 34931493                          , 35480761                          

File: /sbin/dhclient
  Ctime    : 2005-08-11 16:33:21               , 2005-11-08 20:52:57               
  Inode    : 34931266                          , 35480762                          

File: /sbin/ipchains
  Ctime    : 2005-05-15 03:44:17               , 2005-11-08 20:52:57               
  Inode    : 34931495                          , 35480763                          

File: /sbin/iptables
  Ctime    : 2005-08-11 16:29:41               , 2005-11-08 20:52:57               
  Inode    : 34931340                          , 35480764                          

File: /sbin/tc
  Ctime    : 2005-08-11 16:33:39               , 2005-11-08 20:52:57               
  Inode    : 34931360                          , 35480765                          

File: /sbin/ipchains-save
  Ctime    : 2005-05-15 03:44:17               , 2005-11-08 20:52:57               
  Inode    : 34931498                          , 35480766                          

File: /sbin/ipfwadm-wrapper
  Ctime    : 2005-05-15 03:44:17               , 2005-11-08 20:52:57               
  Inode    : 34931499                          , 35480767                          

File: /sbin/rtmon
  Ctime    : 2005-08-11 16:33:39               , 2005-11-08 20:52:57               
  Inode    : 34931267                          , 35480768                          

File: /sbin/rtacct
  Ctime    : 2005-08-11 16:33:39               , 2005-11-08 20:52:57               
  Inode    : 34931370                          , 35480769                          

File: /sbin/ip
  Ctime    : 2005-08-11 16:33:40               , 2005-11-08 20:52:57               
  Inode    : 34931372                          , 35480770                          

File: /sbin/iptables-restore
  Ctime    : 2005-08-11 16:29:41               , 2005-11-08 20:52:57               
  Inode    : 34931342                          , 35480771                          

File: /sbin/iptables-save
  Ctime    : 2005-08-11 16:29:41               , 2005-11-08 20:52:57               
  Inode    : 34931341                          , 35480772                          

File: /sbin/ip6tables-save
  Ctime    : 2005-08-11 16:29:41               , 2005-11-08 20:52:57               
  Inode    : 34931344                          , 35480773                          

File: /sbin/ip6tables
  Ctime    : 2005-08-11 16:29:41               , 2005-11-08 20:52:57               
  Inode    : 34931343                          , 35480774                          

File: /sbin/insmod_ksymoops_clean
  Ctime    : 2005-08-11 16:29:58               , 2005-11-08 20:52:57               
  Inode    : 34931352                          , 35480775                          

File: /sbin/ip6tables-restore
  Ctime    : 2005-08-11 16:29:41               , 2005-11-08 20:52:57               
  Inode    : 34931345                          , 35480776                          

File: /sbin/ippool
  Ctime    : 2005-08-11 16:29:41               , 2005-11-08 20:52:57               
  Inode    : 34931346                          , 35480777                          

File: /sbin/klogd
  Ctime    : 2005-08-11 16:29:43               , 2005-11-08 20:52:57               
  Inode    : 34931348                          , 35480778                          

File: /sbin/insmod
  Ctime    : 2005-08-11 16:29:58               , 2005-11-08 20:52:57               
  Inode    : 34931350                          , 35480779                          

File: /sbin/modinfo
  Ctime    : 2005-08-11 16:29:58               , 2005-11-08 20:52:57               
  Inode    : 34931351                          , 35480780                          

File: /sbin/kernelversion
  Ctime    : 2005-08-11 16:29:58               , 2005-11-08 20:52:57               
  Inode    : 34931353                          , 35480781                          

File: /sbin/genksyms
  Ctime    : 2005-08-11 16:29:58               , 2005-11-08 20:52:57               
  Inode    : 34931354                          , 35480782                          

File: /sbin/depmod
  Ctime    : 2005-08-11 16:29:58               , 2005-11-08 20:52:57               
  Inode    : 34931355                          , 35480783                          

File: /sbin/update-modules
  Ctime    : 2005-08-11 16:29:58               , 2005-11-08 20:52:57               
  Inode    : 34931356                          , 35480784                          

File: /sbin/rmmod
  Ctime    : 2005-08-11 16:29:59               , 2005-11-08 20:52:57               
  Inode    : 34931357                          , 35480785                          

File: /sbin/modprobe
  Ctime    : 2005-08-11 16:29:59               , 2005-11-08 20:52:57               
  Inode    : 34931359                          , 35480786                          

File: /sbin/lsmod
  Ctime    : 2005-08-11 16:29:59               , 2005-11-08 20:52:57               
  Inode    : 34931361                          , 35480787                          

File: /sbin/ksyms
  Ctime    : 2005-08-11 16:29:59               , 2005-11-08 20:52:57               
  Inode    : 34931363                          , 35480788                          

File: /sbin/kallsyms
  Ctime    : 2005-08-11 16:29:59               , 2005-11-08 20:52:57               
  Inode    : 34931368                          , 35480789                          

File: /sbin/quotacheck
  Ctime    : 2005-08-11 16:36:21               , 2005-11-08 20:52:57               
  Inode    : 34931373                          , 35480790                          

File: /sbin/quotaon
  Ctime    : 2005-08-11 16:36:21               , 2005-11-08 20:52:57               
  Inode    : 34931374                          , 35480791                          

File: /sbin/convertquota
  Ctime    : 2005-08-11 16:36:21               , 2005-11-08 20:52:57               
  Inode    : 34931375                          , 35480792                          

File: /sbin/quotaoff
  Ctime    : 2005-08-11 16:36:21               , 2005-11-08 20:52:57               
  Inode    : 34931376                          , 35480793                          

File: /sbin/syslogd
  Ctime    : 2005-08-11 16:29:43               , 2005-11-08 20:52:57               
  Inode    : 34931347                          , 35480794                          

File: /sbin/ipfwadm
  Ctime    : 2005-05-15 03:44:17               , 2005-11-08 20:52:57               
  Inode    : 34931527                          , 35480795                          

File: /sbin/pmap_dump
  Ctime    : 2005-08-11 17:48:35               , 2005-11-08 20:52:57               
  Inode    : 34931505                          , 35480796                          

File: /sbin/portmap
  Ctime    : 2005-08-11 17:48:35               , 2005-11-08 20:52:57               
  Inode    : 34931503                          , 35480797                          

File: /sbin/lnstat
  Ctime    : 2005-08-11 16:33:39               , 2005-11-08 20:52:57               
  Inode    : 34931362                          , 35480798                          

File: /sbin/netbug
  Ctime    : 2005-08-11 16:33:39               , 2005-11-08 20:52:57               
  Inode    : 34931365                          , 35480799                          

File: /sbin/nstat
  Ctime    : 2005-08-11 16:33:39               , 2005-11-08 20:52:57               
  Inode    : 34931369                          , 35480800                          

File: /sbin/pmap_set
  Ctime    : 2005-08-11 17:48:35               , 2005-11-08 20:52:57               
  Inode    : 34931506                          , 35480801                          

File: /sbin/ss
  Ctime    : 2005-08-11 16:33:39               , 2005-11-08 20:52:57               
  Inode    : 34931371                          , 35480802

ls -l does not show me a new date. I only see it through aide.

Could it be that I was moved to another machine together with my vServer?
 
Normally a hacker doesn't leave traces like that. I also don't know of any rootkit that really touches every single file.
Since so much is involved, one could almost suspect something like an apt-get dist-upgrade.
Since the inodes were assigned in a continuously ascending order, it could also have been a disk cleanup service.
Too bad aide doesn't spit out MD5 numbers like tripwire does. Then one could really see whether the files have changed.

huschi.
 
Aide does output checksums, but only when something has actually changed. When I run apt-get update it shows me the checksums for every changed file.
I have not done an update. I am very careful about swapping aide's database after an update.
 
Tobster said:
Aide does output checksums, but only when something has actually changed.
That means the files haven't really changed, right?
So only the inodes were changed.
Which program does something like that? A defragmenter, maybe?
Which filesystem do you have on it? (ext2, ext3, ReiserFS, etc.)

huschi.
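The distinction drawn in the two posts above (checksums unchanged, only ctime and inode new, and the new inodes handed out in one ascending run) can be checked mechanically rather than by eyeballing an 8 MB report. The following Python script is an added example, not code from this thread or from AIDE itself: it parses the attribute listing in the format quoted earlier in the thread (a `File:`/`Directory:` header followed by `Attr : old , new` lines) and reports, per entry, whether a content attribute changed or only metadata. The report embedded in it is constructed for the example; the `/usr/local/bin/constructed-example` entry with its MD5 placeholders is invented to show the contrast with the metadata-only entries and does not appear in the thread.

```python
"""Triage an AIDE attribute report: content change vs. metadata-only change.

Added example (not from the thread, not part of AIDE). Answers two questions:
  1. Did any file's checksum (or, for regular files, size) change, or did only
     ctime/inode metadata change?
  2. Were the new inode numbers handed out in one ascending run, which is what
     a bulk copy of the whole tree (e.g. a VPS migration) looks like?
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Attributes whose change means the bytes of a regular file differ.
CHECKSUM_ATTRS = {"MD5", "SHA1", "SHA256", "RMD160", "Tiger", "CRC32"}

_HEADER = re.compile(r"^(File|Directory):\s*(\S+)\s*$")
_ATTR = re.compile(r"^\s+(\w+)\s*:\s*(.*?)\s*,\s*(.*?)\s*$")


@dataclass
class Entry:
    kind: str                       # "File" or "Directory"
    path: str
    attrs: dict = field(default_factory=dict)  # name -> (old, new)

    def content_changed(self) -> bool:
        """Checksum changed, or a regular file's size changed.
        Directory sizes depend on the filesystem's on-disk layout
        (/sbin going from 4096 to 2048 above), so they are not counted."""
        if any(a in CHECKSUM_ATTRS for a in self.attrs):
            return True
        return self.kind == "File" and "Size" in self.attrs

    def metadata_only(self) -> bool:
        return bool(self.attrs) and not self.content_changed()


def parse_report(text: str) -> list[Entry]:
    """Parse the detailed 'File:/Directory:' section of an AIDE report."""
    entries: list[Entry] = []
    cur: Entry | None = None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            cur = Entry(m.group(1), m.group(2))
            entries.append(cur)
            continue
        m = _ATTR.match(line)
        if m and cur is not None:
            cur.attrs[m.group(1)] = (m.group(2), m.group(3))
    return entries


def inodes_ascending(entries: list[Entry]) -> bool:
    """True if the *new* inode numbers, taken in report order with repeats
    removed, strictly increase. Hard links (mke2fs / mkfs.ext3) legitimately
    share one inode, hence the de-duplication."""
    seen: list[int] = []
    for e in entries:
        if "Inode" in e.attrs:
            new = int(e.attrs["Inode"][1])
            if not seen or new != seen[-1]:
                seen.append(new)
    return all(a < b for a, b in zip(seen, seen[1:]))


def triage(text: str) -> dict:
    entries = parse_report(text)
    return {
        "content_changed": [e.path for e in entries if e.content_changed()],
        "metadata_only": [e.path for e in entries if e.metadata_only()],
        "inodes_ascending": inodes_ascending(entries),
    }


# Constructed sample in the thread's format. The last entry is invented to
# show what a real content change looks like next to metadata-only entries.
SAMPLE_REPORT = """\
Directory: /sbin
  Size     : 4096                              , 2048
  Bcount   : 8                                 , 4
  Ctime    : 2005-10-01 13:18:20               , 2005-11-08 20:52:57
  Inode    : 34931427                          , 35479756

File: /sbin/kbdrate
  Ctime    : 2005-08-11 16:27:52               , 2005-11-08 20:52:57
  Inode    : 34931456                          , 35479757

File: /sbin/mke2fs
  Ctime    : 2005-08-11 16:27:36               , 2005-11-08 20:52:57
  Inode    : 34930937                          , 35479874

File: /sbin/mkfs.ext3
  Ctime    : 2005-08-11 16:27:36               , 2005-11-08 20:52:57
  Inode    : 34930937                          , 35479874

File: /usr/local/bin/constructed-example
  MD5      : OLD_MD5_PLACEHOLDER               , NEW_MD5_PLACEHOLDER
  Ctime    : 2005-08-11 16:27:36               , 2005-11-08 20:52:57
  Inode    : 34931999                          , 35480001
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("content changed :", result["content_changed"])
    print("metadata only   :", len(result["metadata_only"]), "entries")
    print("inodes ascending:", result["inodes_ascending"])
```

Run against a real aide.log, the `content_changed` list is the one to read first: entries there have different bytes and need explaining, while a long `metadata_only` list with ascending inodes is consistent with the whole tree having been copied once.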
 
I have ReiserFS. I apologize. But the shock this morning that so much had changed caused a lot of panic.

I did not start any such program. Server4You, maybe.
 
Does anyone know what kind of tool that could have been? As far as I know, ReiserFS can't be defragmented or anything like that.
 