Re: Security question regarding root email

[John Summerfied <debian@xxxxxxxxxxxxxxxxxxxxxx>]

Dotan Cohen wrote:
> I haven't read root's email in about a month. Now that I get around to
> it, I am suprised to see things that I have never seen before, such
> as:
>  --------------------- pam_unix Begin ------------------------
>  kde-np:
>     Unknown Entries:
>        session opened for user dotancohen by (uid=0): 1 Time(s)
>  ---------------------- pam_unix End -------------------------
>
>  --------------------- Smartd Begin ------------------------
>  **Unmatched Entries**
>  smartd received signal 15: Terminated
>  smartd is exiting (exit status 0)
>  ---------------------- Smartd End -------------------------
>
>  --------------------- Selinux Audit Begin ------------------------
>   Number of audit daemon starts: 1
>   Number of audit daemon stops: 2
>  *** Logs which could mean a bug ***
>     major=252 name_count=0: freeing multiple contexts (1)
>     major=113 name_count=0: freeing multiple contexts (2)
>  ---------------------- Selinux Audit End -------------------------
>
>  --------------------- SSHD Begin ------------------------
>  SSHD Killed: 1 Time(s)
>  SSHD Started: 1 Time(s)
Normal restart stuff here and in some other places.

>  ---------------------- SSHD End -------------------------
>
>  --------------------- httpd Begin ------------------------
>  Requests with error response codes
>     404 Not Found
>        /cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s)
>        /cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
>        /favicon.ico: 32 Time(s)
>        /javascript/HM_Arrays.js: 1 Time(s)
>        /javascript/HM_ScriptDOM.js: 1 Time(s)
>        /mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1 Time(s)
>        /php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
>  ---------------------- httpd End -------------------------
>
>  --------------------- pam_unix Begin ------------------------
>  kde:
>     Unknown Entries:
>        session closed for user dotancohen: 3 Time(s)
>        session opened for user dotancohen by (uid=0): 3 Time(s)
This looks like you logging in and out three times.

>  kde-np:
>     Unknown Entries:
>        session closed for user dotancohen: 3 Time(s)
>        session opened for user dotancohen by (uid=0): 2 Time(s)
More, similar.
>  su:
>     Sessions Opened:
>        (uid=500) -> root: 3 Time(s)
You becoming root/
>  system-config-display:
Maybe you reconfigured your display?
>     Unknown Entries:
>        auth could not identify password for [root]: 1 Time(s)
>  ---------------------- pam_unix End -------------------------
>
>  --------------------- httpd Begin ------------------------
>  Requests with error response codes
>     403 Forbidden
>        /cgi-bin/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
>        /cgi-bin/awstats/awstats.pl?configdir=|ech ... cho%20YYY;echo|: 1 Time(s)

Some versions of awstats let the ungodly in. If you're not current you 
may have a problem,


>     404 Not Found
>        /Forums/admin/admin_styles.php?phpbb_root_ ... cho%20YYY;echo|: 1 Time(s)
>        /Forums/admin/admin_styles.phpadmin_styles ... cho%20YYY;echo|: 1 Time(s)
>        /admin_styles.phpadmin_styles.php?phpbb_ro ... cho%20YYY;echo|: 1 Time(s)

this looks like php bb stuff, some versions of which let the ungodly in.


>        /awstats/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
>        /blog/xmlrpc.php: 2 Time(s)
>        /blog/xmlsrv/xmlrpc.php: 2 Time(s)
>        /blogs/xmlsrv/xmlrpc.php: 2 Time(s)
>        /cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s)
>        /cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
>        /drupal/xmlrpc.php: 2 Time(s)
>        /mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1 Time(s)
>        /modules/Forums/admin/admin_styles.php?php ... cho%20YYY;echo|: 1 Time(s)
>        /modules/Forums/admin/admin_styles.phpadmi ... cho%20YYY;echo|: 2 Time(s)
>        /modules/coppermine/themes/default/theme.p ... cho%20YYY;echo|: 2 Time(s)
>        /php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
>        /phpgroupware/xmlrpc.php: 2 Time(s)

One hopes you're in the rquisite lists for phpgroupware. I know it's 
big, you need to keep an eye out for problems and their fixes.


>        /wordpress/xmlrpc.php: 2 Time(s)
>        /xmlrpc.php: 4 Time(s)
>        /xmlrpc/xmlrpc.php: 2 Time(s)
>        /xmlsrv/xmlrpc.php: 2 Time(s)
>  ---------------------- httpd End -------------------------
>
>  --------------------- pam_unix Begin ------------------------
>  kde-np:
>     Unknown Entries:
>        session closed for user dotancohen: 2 Time(s)
>        session opened for user dotancohen by (uid=0): 1 Time(s)
This looks to me like you logging out.

>  su:
>     Sessions Opened:
>        (uid=500) -> root: 3 Time(s)
this looks like you becoming root three times.

>  ---------------------- pam_unix End -------------------------
>
> These are the most suspicious. If anyone could crarify on them a bit,
> i would appreciate it. Thank you!
>
> Dotan Cohen
> http://technology-sleuth.com/index.php
Hmm.


> %^


--

Cheers
John

-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxxxxxxxxx  Z1aaaaaaa@xxxxxxxxxxxxxxxxxxxxxxx
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/

do not reply off-list