[hackcheck] net-tools failed checksum test

niatech

Hello all,

Last night I had an issue with a server where the switch port became flooded (leaving the server) (I have a 10Mbps switch and it was up to 1250 K/s). Anyhow, I logged into the server and the only thing I could do was restart it (since I could not find anything relevant in the logs).

rkhunter and chkrootkit came up with nothing; then, this morning, I got this message:

[hackcheck] net-tools failed checksum test

IMPORTANT: Do not ignore this email.
This message is to inform you that the rpm
package net-tools did not match the expected checksum. This could mean that
your system was compromised (OwN3D). The offending files have been removed
and replaced with the OS default. To be safe you should verify that your
system has not be compromised.

Modified Files:
S.?..... /bin/hostname
S.?..... /bin/netstat
S.?..... /sbin/arp
S.?..... /sbin/ether-wake
S.?..... /sbin/ifconfig
S.?..... /sbin/ipmaddr
S.?..... /sbin/iptunnel
S.?..... /sbin/mii-tool
S.?..... /sbin/nameif
S.?..... /sbin/netplugd
S.?..... /sbin/plipconfig
S.?..... /sbin/route
S.?..... /sbin/slattach


And from upcp I get

prelink: Could not write temporary for /bin/hostname: cannot write data to file
prelink: Could not write temporary for /bin/netstat: cannot write data to file
prelink: Could not write temporary for /sbin/arp: cannot write data to file
prelink: Could not write temporary for /sbin/ifconfig: cannot write data to file
prelink: Could not write temporary for /sbin/ipmaddr: cannot write data to file
prelink: Could not write temporary for /sbin/iptunnel: cannot write data to file
prelink: Could not write temporary for /sbin/mii-tool: cannot write data to file
prelink: Could not write temporary for /sbin/nameif: cannot write data to file
prelink: Could not write temporary for /sbin/netplugd: cannot write data to file
prelink: Could not write temporary for /sbin/plipconfig: cannot write data to file
prelink: Could not write temporary for /sbin/route: cannot write data to file
prelink: Could not write temporary for /sbin/slattach: cannot write data to file
net-tools fails checksum !!!

^^ but this could be due to the backup mountpoint not being mounted after reboot and / got filled up to 100%


Then, in /var/log/messages I have these (right around the time everything blew up):

Sep 12 20:05:02 XXXX kernel: printk: 6 messages suppressed.
Sep 12 20:05:02 XXXX kernel: ip_conntrack: table full, dropping packet.
Sep 12 20:05:08 XXXX kernel: printk: 3 messages suppressed.
Sep 12 20:05:08 XXXX kernel: ip_conntrack: table full, dropping packet.
Sep 12 20:05:12 XXXX kernel: printk: 4 messages suppressed.

And a bunch of lines like this:

Sep 12 21:10:47 XXXX stunnel: LOG5[10724:3085990832]: cpanelhttps connected from 209.67.114.35:40140
Sep 12 21:10:47 XXXX stunnel: LOG5[10724:3085990832]: Connection closed: 4747 bytes sent to SSL, 83 bytes sent to socket

^^ all from the same IP, 2 per second


Has anyone experienced something like this before?

Thanks!
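
An added example, not part of the original post: a Python decoder for the `rpm -V` attribute strings quoted in the hackcheck mail, using the column meanings documented in rpm(8), where `.` means the test passed and `?` means it could not be performed. The function names and triage buckets are illustrative assumptions, and the fourth sample line is constructed.

```python
# Added example: decode `rpm -V` attribute strings such as "S.?....." from the mail.
# Column order is the 8-column rpm(8) verify format seen in the post.
COLUMNS = [("S", "size"), ("M", "mode"), ("5", "digest"), ("D", "device"),
           ("L", "symlink"), ("U", "user"), ("G", "group"), ("T", "mtime")]

def decode_verify_line(line):
    """Return (path, differs, untested) for one rpm -V output line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an rpm -V line: %r" % line)
    # An optional file-type marker (e.g. 'c' for config) may sit between flags and path.
    flags, path = parts[0], parts[-1]
    if flags == "missing":
        return path, ["missing"], []
    if len(flags) != len(COLUMNS):
        raise ValueError("unexpected flag width in %r" % line)
    differs, untested = [], []
    for ch, (letter, name) in zip(flags, COLUMNS):
        if ch == "?":
            untested.append(name)      # test could not be performed
        elif ch == letter:
            differs.append(name)       # test ran and the attribute differs
        elif ch != ".":
            raise ValueError("unknown flag %r in %r" % (ch, line))
    return path, differs, untested

def triage(lines):
    """Group paths by what the digest column says (hypothetical bucket names)."""
    buckets = {"digest_mismatch": [], "digest_untested": [], "other": []}
    for line in lines:
        if not line.strip():
            continue
        path, differs, untested = decode_verify_line(line)
        if "digest" in differs:
            buckets["digest_mismatch"].append(path)
        elif "digest" in untested:
            buckets["digest_untested"].append(path)
        else:
            buckets["other"].append(path)
    return buckets

# First three lines are copied from the post; the last one is constructed.
SAMPLE = """S.?..... /bin/hostname
S.?..... /bin/netstat
S.?..... /sbin/ifconfig
S.5....T c /etc/example.conf"""

if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE.splitlines()).items():
        print(bucket, paths)
```

Every line quoted in the mail decodes to a size difference with the digest test not performed, so for those files the output alone neither confirms nor rules out a content change.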