Have I been hacked?

Have I been hacked?

Post by Jari Huovi » Tue, 15 May 2001 15:57:20



Hello!

I'm running FCheck every now and then to see if any files in my system
have been changed. Today FCheck found this:

WARNING: [bsd-box] /var/qmail/bin/qmail-local

Inode   Permissons      Size    Created On              Name

147$82  -rwx--x--x      40960   Dec 12 13:04 2000
/var/qmail/bin/qmail-local

** Was modified to reflect the following: **
147482  -rwx--x--x      40960   Dec 12 13:04 2000
/var/qmail/bin/qmail-local

It appears that one character of the inode of file 'qmail-local' has
changed mysteriously from $ to 4. The only thing I can think of is
that someone has been changing the inode manually, and made a little
typo. However, cksum of qmail-local is identical to a reference
system.

I'm not too good at hunting down this kind of problem. Could anyone
please give me a little help? I need to know what could be causing
this kind of change to an inode and how I could make sure my system is
intact.

Thanks! =)

- Jari

 
 
 

Have I been hacked?

Post by Jari Huovi » Tue, 15 May 2001 15:58:39


Hi again!

Forgot to mention that my system is OpenBSD 2.6.

- Jari

 
 
 

Have I been hacked?

Post by pe.. » Tue, 15 May 2001 16:08:18



> Hello!
> I'm running FCheck every now and then to see if any files in my system
> have been changed. Today FCheck found this:

Jari,
You have problems, but with FCheck.

Inode identification is always a number (all inodes are stored
in a "large array", and one specific inode is identified by a
number used as an "index into the inode array").

Either FCheck fails sometimes (which is bad) or your system
silently corrupts data from you (which is even more BAD).

peter h

> WARNING: [bsd-box] /var/qmail/bin/qmail-local
> Inode      Permissons      Size    Created On              Name
> 147$82     -rwx--x--x      40960   Dec 12 13:04 2000
> /var/qmail/bin/qmail-local
> ** Was modified to reflect the following: **
> 147482     -rwx--x--x      40960   Dec 12 13:04 2000
> /var/qmail/bin/qmail-local
> It appears that one character of inode of file 'qmail-local' has
> changed mysteriously from $ to 4. The only thing I can think of is
> that someone has been changing the inode manually, and made a little
> typo. However, cksum of qmail-local is identical to a reference
> system.
> I'm not too good at hunting down this kind of problem. Could anyone
> please give me a little help? I need to know what could be causing
> this kind of change to an inode and how I could make sure my system is
> intact.
> Thanks! =)
> - Jari

--
Peter Håkanson
        IPSec  Sverige      (At the Riverside of Gothenburg, home of Volvo)
           Sorry about my e-mail address, but i'm trying to keep spam out.
           Remove "icke-reklam"and "invalid"  and it works.
 
 
 

Have I been hacked?

Post by Jari Huovi » Tue, 15 May 2001 16:30:47


Hi Peter!

Thanks! =) =) =)

I'm quite sure the problem is in hardware; it's a really old server
with a *very* old hard drive. Time to upgrade I guess... =)

Thanks again!

- Jari

 
 
 

Have I been hacked?

Post by Bill Vermilli » Mon, 21 May 2001 21:56:47




>Hello!
>I'm running FCheck every now and then to see if any files in my system
>have been changed. Today FCheck found this:
>WARNING: [bsd-box] /var/qmail/bin/qmail-local
>Inode       Permissons      Size    Created On              Name
>147$82      -rwx--x--x      40960   Dec 12 13:04 2000
>/var/qmail/bin/qmail-local
>** Was modified to reflect the following: **
>147482      -rwx--x--x      40960   Dec 12 13:04 2000
>/var/qmail/bin/qmail-local
>It appears that one character of inode of file 'qmail-local' has
>changed mysteriously from $ to 4. ...

Not really that strange if you know your ascii from a hole in the
ground :-)

4 is 0x34 and $ is 0x24  or another way

4 is 0011 0100
$ is 0010 0100   *****

        ^ - you have a bit flipped there.  Could be anything
        from bad memory to just a bad read, or it could be
        that a bad write did it somewhere along the line.

You haven't been hacked but it could be a sign of hardware failure.

**** NOTE - probably 90% of the world's computer users have
an ascii/bin/oct/hex converter, but they just don't know it.
The 'calculator' in WinXX has a scientific mode that does it.

I just have a handy little Casio I paid $25 for well over 10 years
ago [CM-100 if you are interested] and keep it by the computer and
one in my briefcase.

Bill

--
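Bill's check can be done mechanically. The script below is an added example written for this archive page, not code from the thread, from FCheck or from qmail: it parses the two FCheck records quoted above (the field layout of inode, permissions, size and a four-token creation time is assumed from the report, not taken from FCheck's documentation), finds the characters that differ, XORs them to count the flipped bits, and classifies each changed field. A single character differing in exactly one bit, together with an inode value that is not even a number, is the signature of a damaged record or a hardware fault rather than a modified binary; anything else warrants the checksum comparison against a reference system that Jari already did.

```python
from dataclasses import dataclass

# Constructed sample: the two FCheck records quoted in the thread, with the
# trailing path omitted (the report wrapped it onto its own line).
OLD_RECORD = "147$82  -rwx--x--x      40960   Dec 12 13:04 2000"
NEW_RECORD = "147482  -rwx--x--x      40960   Dec 12 13:04 2000"

FIELDS = ("inode", "perms", "size", "ctime")


@dataclass
class CharDiff:
    index: int         # position of the differing character
    old: str
    new: str
    xor: int           # ord(old) ^ ord(new): the bits that differ
    bits_flipped: int  # number of set bits in xor


def char_diffs(old: str, new: str) -> list:
    """Return one CharDiff per position where the two strings disagree."""
    if len(old) != len(new):
        raise ValueError("length differs: %d vs %d" % (len(old), len(new)))
    diffs = []
    for i, (a, b) in enumerate(zip(old, new)):
        if a != b:
            x = ord(a) ^ ord(b)
            diffs.append(CharDiff(i, a, b, x, bin(x).count("1")))
    return diffs


def classify(old: str, new: str) -> str:
    """'identical', 'single-bit-flip' (one character differs in exactly one
    bit, the '$' versus '4' pattern Bill describes), 'length-change', or
    'multi-bit-change' (anything else, which deserves a closer look)."""
    if len(old) != len(new):
        return "length-change"
    diffs = char_diffs(old, new)
    if not diffs:
        return "identical"
    if len(diffs) == 1 and diffs[0].bits_flipped == 1:
        return "single-bit-flip"
    return "multi-bit-change"


def parse_record(line: str) -> dict:
    """Split an FCheck record into named fields (layout assumed from the
    report quoted in the thread)."""
    parts = line.split()
    if len(parts) < 7:
        raise ValueError("unexpected record: %r" % line)
    return {"inode": parts[0], "perms": parts[1], "size": parts[2],
            "ctime": " ".join(parts[3:7])}


def inode_is_plausible(text: str) -> bool:
    """A real inode number is a plain non-negative integer. A value such as
    '147$82' cannot have come from stat(2), so the stored record is damaged
    rather than the file modified."""
    return text.isdigit()


def analyze_report(old_line: str, new_line: str) -> dict:
    """Compare two records field by field and classify each difference."""
    old, new = parse_record(old_line), parse_record(new_line)
    return {f: classify(old[f], new[f]) for f in FIELDS if old[f] != new[f]}


if __name__ == "__main__":
    old_inode = parse_record(OLD_RECORD)["inode"]
    new_inode = parse_record(NEW_RECORD)["inode"]
    for d in char_diffs(old_inode, new_inode):
        print("char %d: %r (0x%02x) -> %r (0x%02x), xor 0x%02x, %d bit(s)"
              % (d.index, d.old, ord(d.old), d.new, ord(d.new), d.xor,
                 d.bits_flipped))
    print("old inode plausible:", inode_is_plausible(old_inode))
    print(analyze_report(OLD_RECORD, NEW_RECORD))
```

For the records in the thread the script reports one differing character, '$' (0x24) against '4' (0x34), XOR 0x10 with a single bit set, and classifies the inode field as a single-bit flip while every other field is unchanged. On a live system the sensible follow-up is the one the thread converges on: read the inode back with ls -i or stat, compare the file's checksum with a trusted copy, and treat a recurring pattern of one-bit differences as a memory or disk problem to chase rather than an intrusion.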

 
 
 

1. Csh hacking -- having problems...

[ .globl    _newsfood, 512; ]

I'm doing a major upgrade to the Berkeley C shell (no flames, please;
I speak csh and sh fluently and have different uses for each one).  One
of the things I am implementing is a "push" builtin, which is supposed
to simply fork() and create an exact duplicate of the shell on top of itself.

In the older version of this shell (to which I have regrettably lost the
source), we used to do this for extended alterations of environment without
having to restart the damn thing (i.e. aliases and shell variables were
preserved).  It was easier than throwing it into a ( subshell ), and we
needed the interaction.

Now, never mind *why* I want to do this when there might be other solutions...
When the push command is entered, the following set of events occurs (assume
all necessary variables):

#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern void setname(char *);    /* csh's own: set the name used in error messages */
extern void bferr(char *);      /* csh's own: report a builtin error */

int
dopush()
{
    int exitstat;

    switch (fork()) {
    case -1:    /* error */
        setname("push");
        bferr("Couldn't fork!");
        return (1);
    case 0:     /* child */
        /* set $$ = getpid() */
        /* set process group to $$ */
        /* set tty process group to $$ */
        /* increment push level */
        return(0);
    default:    /* parent */
        wait(&exitstat);
        /* reset process group */
        /* reset terminal process group */
        return(exitstat);
    }
}

Now, the push() occurs fine (it forks and does all the necessary stuff).
HOWEVER:  As soon as I hit an interrupt, the pushed shell prints a prompt,
exits, and the original shell prints a prompt.

The thing that's confusing is that I don't know why the pushed shell is only
catching the interrupt once and then giving up.  It seems as though the
parent shell also gets the interrupt (which I didn't think would happen if
the process group gets reset).  I thought Berkeley signal handlers reset
themselves...?

This is a Pyramid running OSx 5.0b, under the BSD universe (essentially
BSD 4.2-and-a-half).
--
thought:  I ain't so damb dumn! | Your brand new kernel just dump core on you
war: Invalid argument           | And fsck can't find root inode 2
                                | Don't worry -- be happy...
...!{ucbvax,acad,uunet,amdahl,pyramid}!unisoft!greywolf
