LINUX.ORG.RU

Slapper Worm



chkrootkit runs periodically on the server, and I found the following line in its log:

Warning: Possible Slapper Worm installed !

Through search engines I found the names of the worm's files: .baqtraq.c, .baqtraq, .uubaqtraq. According to the description, the worm's files should be in the /tmp partition; I searched in the root directory and found nothing.

Is it a cunning worm, or is chkrootkit glitching?

★★★

Try running it in expert mode and see why it thinks so.

ivlad ★★★★★

Maybe you have radius installed?

anonymous

Slapper Worm again

to oxonian:

it prints a lot :)

* * *

Warning: "%s" is not listed in /etc/shells %s: /etc/gpm-twiddler.conf:%i: Warning: Chord "%s%s%s" redefined Warning: cannot open %s (%s). Limited output. Warning: the meaning of `-H' will change in the future to conform to POSIX. +|-w Warnings (%s) Warning: cannot open %s (%s). Limited output. Warning: Identity file %s does not exist. Warning: Remote host refused compression. Warning: Remote host failed or refused to allocate a pseudo tty. Warning: Remote host denied X11 forwarding. Warning: Remote host denied authentication agent forwarding. Warning: Permanently added the %s host key for IP address '%.128s' to the list of known hosts. Warning: Permanently added '%.200s' (%s) to the list of known hosts. Warning: the %s host key for '%.200s' differs from the key for the IP address '%.128s' Warning: Server lies about size of server public key: actual size is %d bits vs. announced %d. Warning: This may be due to an old implementation of ssh. Warning: Server lies about size of server host key: actual size is %d bits vs. announced %d. Warning: ssh server tried X11 forwarding. Warning: this is probably a break in attempt by a malicious server. Warning: ssh server tried agent forwarding. Warning: identity keysize mismatch: actual %d, announced %u Warning: Server denied remote port forwarding. Warning: use of DES is strongly discouraged due to cryptographic weaknesses Warning: %s, line %d: keysize mismatch for host %s: actual %d vs. announced %d. Warning: replace %d with %d in %s, line %d. 
X-Authentication-Warning Warning: .cf version level (%d) exceeds sendmail version %s functionality (%d) Warning: HostStatusDirectory disabled with ConnectionCacheSize = 0 Warning: HostStatusDirectory required for SingleThreadDelivery Warning: .cf file is out of date: sendmail %s supports version %d, .cf file is version %d Authentication-Warning: %.400s Warning: alias database %s out of date Warning: mailer %s: LMTP flag (F=z) turned off Warning: could not send message for past %s Warning: message still undelivered after %s Warning: truncated header '%s' before check with '%s' len=%d max=%d 050 Warning: duplicate alias name %s Warning: The "ldapx" map class is deprecated and will be removed in a future Warning: regex may cause prescan() failure map=%s lookup=%s Warning: option %c unknown Warning: option 0x%x unknown M%s: Warning: P=[TCP] is deprecated, use P=[IPC] instead M%s: Warning: first argument in %s mailer must be %s Warning: MustQuoteChars too long, ignored. Warning: OperatorChars is being redefined. Warning: MaxMimeHeaderLength: header length limit set lower than 128 Warning: MaxMimeHeaderLength: field length limit set lower than 40 Warning: MaxHeadersLength: headers length limit set lower than %d Warning: Option: %s unknown parameter '%c' Warning: Option: %s requires TLS support Warning: Warning: client selects unsupported cipher. Warning: keysize mismatch for client_host_key: actual %d, announced %d Warning: Your password has expired, please change it now Warning: %s, line %lu: keysize mismatch: actual %d vs. announced %d. Warning: Server denied remote port forwarding. Warning: ssh server tried agent forwarding. Warning: ssh server tried X11 forwarding. Warning: this is probably a break in attempt by a malicious server. Warning: use of DES is strongly discouraged due to cryptographic weaknesses Warning: %s, line %d: keysize mismatch for host %s: actual %d vs. announced %d. Warning: replace %d with %d in %s, line %d. 
Warning: identity keysize mismatch: actual %d, announced %u %s: Warning: ip checksums disabled %s: Warning: %s has multiple addresses; using %s Warning: Possible Slapper Worm installed

* * *

to anonymous:

Doesn't look like it; whereis radius found nothing.

x97Rang ★★★
topic author

With formatting like that, it's impossible to make anything out. ;) And what version of openssl do you have? And it's strange that chkrootkit doesn't like it...

ivlad ★★★★★

worms

The version is SSH-1.99-OpenSSH_3.1p1

Besides, when connecting over ssh it shows an alert message. The server has AVP, drweb installed, scanning via cron every day, and it finds nothing.

And here is the log in more detail:

warning: summarizing is the same as using --max-depth=0 warning: summarizing conflicts with --max-depth=%d warning: unrecognized escape `\%c' warning: unrecognized format directive `%%%c' warning: %s: %s warning: cannot change directory to %s warning: no inet socket available: %s warning /dev warnings %s; warning, got bogus igmp6 line %d. warning, got bogus igmp line %d. warning, got bogus unix line. warning, got bogus tcp line. warning, got bogus udp line. warning, got bogus raw line. warning: no inet socket available: %s warning: %s does not contain required field %s warning warning number of days warning users receives before password expiration (root only) -q Quiet; don't display any warning messages. warning: cannot lock %s: %s x-authentication-warning authwarnings Postmaster warning: %.*s warning-timeout Postmaster warning: postmaster-warning warning warning warning Warning: Possible Slapper Worm installed

x97Rang ★★★
topic author