[CentOS] Is there a Centos 3 around ?

Mon Feb 7 18:21:08 UTC 2011
Don Krause <dkrause at optivus.com>

On Feb 7, 2011, at 10:14 AM, m.roth at 5-cent.us wrote:

> Nicolas Ross wrote:
>> Hi !
>> 
>> I think one of my machines got hacked, but I can figure out from where...
>> 
>> I found some suspicious files in /bin and /usr/bin directories that are owned
>> by user id 122, where this machine doesn't have a userid 122.
>> 
>> So, does anyone have a centos 3.9 install around that can send me the info
> 
> One of our investigators has collaborators around the world, on old
> machines, so we have this:
> 2.4.21-63.ELsmp #1 SMP Tue Nov 3 18:48:49 EST 2009 i686 athlon i386 GNU/Linux
> Note they may be different on your machine.
>> about (filesize, md5, modification date) these files:
>> 
>> /bin :
>> ls
>> netstat
>> ps
> 
> -rwxr-xr-x    1 root     root        67700 Jun 12  2007 /bin/ls
> -rwxr-xr-x    1 root     root        83800 May 22  2007 /bin/netstat
> -r-xr-xr-x    1 root     root        64076 Apr 19  2006 /bin/ps
> 
> e102f6c3dde4043908ed001e1587b1d2  /bin/ls
> bdfc76a24f59cc6cd8a70f771cc5cda4  /bin/netstat
> fc3369b3564e00f877387a13bf3f467a  /bin/ps
> 
>> 
>> /usr/bin/
>> dir
>> find
>> md5sum
>> pstree
>> slocate
>> tee
>> top
> 
> -rwxr-xr-x    1 root     root        67700 Jun 12  2007 /usr/bin/dir
> -rwxr-xr-x    1 root     root        51028 Jan 11  2006 /usr/bin/find
> -rwxr-xr-x    1 root     root        29184 Jun 12  2007 /usr/bin/md5sum
> -rwxr-xr-x    1 root     root        14048 Apr 28  2006 /usr/bin/pstree
> 
> 0df0aafb355df40b1137355dd354f172  /usr/bin/dir
> 2c5f4e789da1ad8d19ce5c68ecf8261d  /usr/bin/find
> 03174f884e7fc5fbc215780819679f6e  /usr/bin/md5sum
> 224f527255b2c8deb44f692eaadc873d  /usr/bin/pstree
> 0cee754c3981ba5f527bedc9a8cbea2a  /usr/bin/slocate
> 4ed536310a845f274f6a1611773789d8  /usr/bin/tee
> 6b42bf37296861c657fcf6b8dba8f675  /usr/bin/top
> 
> <snip>
> 
> Hope this helps.
> 
>         mark


Our internal, not internet-connected, fully patched Cent 3 box exactly matches what Mark posted.

[dkrause at rigil bin]$ ls -lat ls netstat ps
-rwxr-xr-x    1 root     root        67700 Jun 12  2007 ls
-rwxr-xr-x    1 root     root        83800 May 22  2007 netstat
-r-xr-xr-x    1 root     root        64076 Apr 19  2006 ps

e102f6c3dde4043908ed001e1587b1d2  /bin/ls
bdfc76a24f59cc6cd8a70f771cc5cda4  /bin/netstat
fc3369b3564e00f877387a13bf3f467a  /bin/ps

[dkrause at rigil bin]$ ls -la dir find md5sum pstree slocate tee top
-rwxr-xr-x    1 root     root        67700 Jun 12  2007 dir
-rwxr-xr-x    1 root     root        51028 Jan 11  2006 find
-rwxr-xr-x    1 root     root        29184 Jun 12  2007 md5sum
-rwxr-xr-x    1 root     root        14048 Apr 28  2006 pstree
-rwxr-sr-x    1 root     slocate     32480 Sep 28  2005 slocate
-rwxr-xr-x    1 root     root        12220 Jun 12  2007 tee
-r-xr-xr-x    1 root     root        48052 Apr 19  2006 top

0df0aafb355df40b1137355dd354f172  dir
2c5f4e789da1ad8d19ce5c68ecf8261d  find
03174f884e7fc5fbc215780819679f6e  md5sum
224f527255b2c8deb44f692eaadc873d  pstree
0cee754c3981ba5f527bedc9a8cbea2a  slocate
4ed536310a845f274f6a1611773789d8  tee
6b42bf37296861c657fcf6b8dba8f675  top


Good luck!
--
Don Krause                                                                   
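
Added example, not part of the original messages: a shell sketch of the comparison this thread performs by hand, checking files under a suspect root against an md5sum manifest taken from a known-good host and listing files whose owning uid has no passwd entry. The function names, the MD5SUM variable and the scratch sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). MD5SUM should be a trusted binary, e.g.
# from read-only rescue media: md5sum is itself one of the files in doubt.
MD5SUM=${MD5SUM:-md5sum}

# verify_manifest ROOT MANIFEST
#   MANIFEST: md5sum output ("<hash>  <absolute path>") from the reference host.
#   ROOT: mount point of the suspect filesystem ("" for the running system).
# Prints one status line per file; returns 0 only if every file matches.
verify_manifest() {
    root=$1; manifest=$2; bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root$path" ]; then
            echo "MISSING   $path"; bad=1; continue
        fi
        got=$("$MD5SUM" < "$root$path" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK        $path"
        else
            echo "MISMATCH  $path"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# orphan_owned DIR...: files whose owning uid has no passwd entry
# (the "owned by user id 122" symptom), without crossing filesystems.
orphan_owned() {
    find "$@" -xdev -nouser -exec ls -ldn {} \;
}

# Constructed sample: scratch root with placeholder files, not real binaries.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/bin"
printf 'reference ls\n'      > "$demo_root/bin/ls"
printf 'reference netstat\n' > "$demo_root/bin/netstat"
{
    for f in /bin/ls /bin/netstat; do
        printf '%s  %s\n' "$("$MD5SUM" < "$demo_root$f" | cut -d' ' -f1)" "$f"
    done
    # Constructed hash for a file that is absent from the scratch root.
    printf '%s  %s\n' 00000000000000000000000000000000 /bin/ps
} > "$demo_root/reference.md5"
printf 'extra bytes\n' >> "$demo_root/bin/netstat"   # simulate a modified file

verify_manifest "$demo_root" "$demo_root/reference.md5" || echo "differences found"
```

On a real investigation the manifest would be the md5sum output from the reference host, and `orphan_owned /bin /usr/bin` would be run against the mounted suspect disk. On an RPM-based system, `rpm -V` against the owning packages gives a second check, with the same caveat about trusting tools that live on the suspect host.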





