hmmm.. what do you think?


hurleyj
03-19-2001, 12:22 PM
okay, quick background:

i have two slack boxes setup, one handles the dialup and has a firewall/ipchains script - and the other is connected through ethernet (the LAN)

but here is the deal:

i often sift through my /var/log/messages , and on my routing machine i see something similar to this

[identd]: connection from xxx.yyy.xxx.yyy
[identd]: blah blah
*and an occasional telnet
[telnetd.in]: telnet connection from ???.???.???.???

which i am guessing that most of those are because of irc..
but last night i went through the log of the computer on my network (LAN side (192.168.xxx.xxx)) and i saw ONE, and ONLY ONE

[identd]: man-xx-xx-xxx-my-ISP
[identd]: ??? isn't this weird?

maybe not, but i will say that one night - around that date - i was playing with ipchains, and didn't really have anything blocked for a small period of time..

and to make things worse, about four days after the date in the log..(today), my computers can't ping each other.. with some weird
Network is Unreachable : Ping something something.. (about twelve lines of..)
and i found my 'passwd' file sitting in /
that was the part that scared me.. hmmm.. i just don't know (i have been in the process of installing port sentry and logcheck, i might just reinstall for peace of mind).. any ideas though???
and thanks for reading this far..

knix :confused:

bdg1983
03-19-2001, 02:58 PM
Never had the problem myself.

Most here would suggest you reinstall and setup a secure firewall. Disable any services you don't need.

hurleyj
03-19-2001, 03:24 PM
ya.. someone told me to use pmfirewall..

i did have some ipchains rules setup for a basic firewall.. and i think i had all services turned off that i wasn't using (telnet, ftp, http, etc).. but one weird thing i saw in /var/log/messages was

[telnetd.in]: connection from ???.???.???.???

does this mean that my telnet port was probed, or that someone actually logged in to it?.. hmmm, i think i am going to have to reinstall anyways..

Golden_Eternity
03-19-2001, 10:48 PM
"Connection from" is just that, a connection. Not a login.

Those connections to your telnet port while you're on IRC are probably irc servers probing for wingates.

The identd connection... Well, that's a bit strange. I would expect to see that from an IRC server... But it could have been anything you were connecting to. I generally shut off identd.

What ftp daemon are you running? What other ports did you have open?

That passwd file in / would definitely concern me!

scoobydope
03-21-2001, 12:42 PM
:eek:

i think starting up from a fresh install may be a good idea.

its the only way to be sure when something this strange goes on.

Reminds me of the day i logged on and found the
/H@H@ directory on my system.

merlyn
03-23-2001, 07:07 PM
I don't know if this has anything to do with the problem, but it's worth a thought. Are you running bind DNS? I just received this email from my ISP (the password file caught my attention in your post):

March 23, 2001 7:00 AM

Late last night, the SANS Institute (through its Global Incident
Analysis Center) uncovered a dangerous new worm that appears to be
spreading rapidly across the Internet. It scans the Internet looking
for Linux computers with a known vulnerability. It infects the
vulnerable machines, steals the password file (sending it to a
China.com site), installs other hacking tools, and forces the newly
infected machine to begin scanning the Internet looking for other
victims.

Several experts from the security community worked through the night to
decompose the worm's code and engineer a utility to help you discover
if the Lion worm has affected your organization.

Updates to this announcement will be posted at the SANS web site, http://www.sans.org


DESCRIPTION

The Lion worm is similar to the Ramen worm. However, this worm is
significantly more dangerous and should be taken very seriously. It
infects Linux machines running the BIND DNS server. It is known to
infect bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all
8.2.3-betas. The specific vulnerability used by the worm to exploit
machines is the TSIG vulnerability that was reported on January 29,
2001.

The Lion worm spreads via an application called "randb". Randb scans
random class B networks probing TCP port 53. Once it hits a system, it
checks to see if it is vulnerable. If so, Lion exploits the system using
an exploit called "name". It then installs the t0rn rootkit.

Once Lion has compromised a system, it:

- Sends the contents of /etc/passwd, /etc/shadow, as well as some
network settings to an address in the china.com domain.
- Deletes /etc/hosts.deny, eliminating the host-based perimeter
protection afforded by tcp wrappers.
- Installs backdoor root shells on ports 60008/tcp and 33567/tcp (via
inetd, see /etc/inetd.conf)
- Installs a trojaned version of ssh that listens on 33568/tcp
- Kills syslogd, so the logging on the system can't be trusted
- Installs a trojaned version of login
- Looks for a hashed password in /etc/ttyhash
- /usr/sbin/nscd (the optional Name Service Caching daemon) is
overwritten with a trojaned version of ssh.

The t0rn rootkit replaces several binaries on the system in order to
stealth itself. Here are the binaries that it replaces:

du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat,
ps, pstree, top

- "Mjy" is a utility for cleaning out log entries, and is placed in /bin
and /usr/man/man1/man1/lib/.lib/.
- in.telnetd is also placed in these directories; its use is not known
at this time.
- A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x

DETECTION AND REMOVAL

We have developed a utility called Lionfind that will detect the Lion
files on an infected system. Simply download it, uncompress it, and
run lionfind. This utility will list which of the suspect files is on
the system.

At this time, Lionfind is not able to remove the virus from the system.
If and when an updated version becomes available (and we expect to
provide one), an announcement will be made at this site.

Download Lionfind at http://www.sans.org/y2k/lionfind-0.1.tar.gz


REFERENCES

Further information can be found at:

http://www.sans.org/current.htm
http://www.cert.org/advisories/CA-2001-02.html - CERT Advisory CA-2001-02, Multiple Vulnerabilities in BIND
http://www.kb.cert.org/vuls/id/196945 - ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code
http://www.sans.org/y2k/t0rn.htm - Information about the t0rn rootkit.

The following vendor update pages may help you in fixing the original BIND
vulnerability:

Redhat Linux RHSA-2001:007-03 - Bind remote exploit http://www.redhat.com/support/errata/RHSA-2001-007.html
Debian GNU/Linux DSA-026-1 BIND http://www.debian.org/security/2001/dsa-026
SuSE Linux SuSE-SA:2001:03 - Bind 8 remote root compromise. http://www.suse.com/de/support/security/2001_003_bind8_txt.txt
Caldera Linux CSSA-2001-008.0 Bind buffer overflow http://www.caldera.com/support/security/advisories/CSSA-2001-008.0.txt http://www.caldera.com/support/security/advisories/CSSA-2001-008.1.txt

This security advisory was prepared by Matt Fearnow of the SANS
Institute and William Stearns of the Dartmouth Institute for Security
Technology Studies.

The Lionfind utility was written by William Stearns. William is an
Open-Source developer, enthusiast, and advocate from Vermont, USA. His
day job at the Institute for Security Technology Studies at Dartmouth
College pays him to work on network security and Linux projects.

Also contributing efforts go to Dave Dittrich from the University of
Washington, and Greg Shipley of Neohapsis.

Matt Fearnow
SANS GIAC Incident Handler

If you have additional data on this worm or a critical question please
email lionworm@sans.org

-Merlyn
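The advisory quoted above lists file, inetd and port indicators of a Lion/t0rn compromise. The script below is an added example, not the SANS Lionfind utility and not code from this thread, that checks a Linux host (or a copied tree under a prefix path) for exactly those indicators; the function names lion_check and lion_count and the optional ROOT prefix argument are assumptions. It reads config files and /proc/net/tcp directly because t0rn replaces ls, find, netstat and ps, so their output on a compromised host cannot be trusted.

```shell
#!/bin/sh
# Added example (not SANS Lionfind): look for the Lion/t0rn indicators the
# advisory lists. Assumed names: lion_check, lion_count, optional ROOT prefix.
# Config files and /proc are read directly; the rootkit's trojaned ls, find,
# netstat and ps would hide the same things if we asked them.

# lion_check [ROOT] -> prints one indicator per line; ROOT="" means the live system
lion_check() {
    root="${1:-}"

    # 1. Rootkit directory, setuid shell, "mjy" log cleaner, ttyhash password file
    for p in /usr/man/man1/man1/lib/.lib /usr/man/man1/man1/lib/.lib/.x \
             /bin/mjy /etc/ttyhash; do
        [ -e "$root$p" ] && echo "FOUND: $p"
    done

    # 2. Lion deletes /etc/hosts.deny to disable tcp_wrappers; absence is a hint
    [ -e "$root/etc/hosts.deny" ] || echo "MISSING: /etc/hosts.deny"

    for port in 60008 33567 33568; do
        # 3. Backdoor ports referenced from a non-comment line of inetd.conf
        if [ -r "$root/etc/inetd.conf" ] &&
           grep -v '^[[:space:]]*#' "$root/etc/inetd.conf" |
           grep -E "(^|[^0-9])$port([^0-9]|\$)" >/dev/null; then
            echo "INETD: port $port referenced in /etc/inetd.conf"
        fi
        # 4. Same ports in LISTEN state (st == 0A) straight from /proc/net/tcp;
        #    column 2 is the local address as hex IP:PORT, header line skipped
        if [ -r "$root/proc/net/tcp" ] &&
           awk -v h="$(printf '%04X' "$port")" \
               'NR > 1 && $4 == "0A" && $2 ~ (":" h "$") { f = 1 } END { exit !f }' \
               "$root/proc/net/tcp"; then
            echo "LISTEN: tcp/$port is listening"
        fi
    done
}

# lion_count [ROOT] -> prints the number of indicators found
lion_count() {
    lion_check "$1" | wc -l | tr -d ' '
}

# Usage on the suspect host (as root): lion_check
```

A clean system prints nothing; any line is grounds for the reinstall the thread recommends, since the advisory notes Lionfind cannot clean an infected host either.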