topic Re: Syslog message time difference in Operating System - HP-UX

Syslog message time difference

Sanjay Tailor — Thu, 14 Sep 2000 20:31:14 GMT

Hello,

Below is a piece of my syslog:

Sep 14 15:34:10 u002 syslog: su : + tty?? root-ssi7
Sep 14 15:37:05 u002 syslog: su : + tty?? root-ssi7
Sep 14 14:58:29 u002 ftpd[13227]: connection from 131.193.141.59 at Thu Sep 14 0
Sep 14 14:58:29 u002 ftpd[13227]: User francis: Login incorrect
Sep 14 14:58:29 u002 ftpd[13227]: PORT
Sep 14 15:28:29 u002 ftpd[14073]: connection from 131.193.141.59 at Thu Sep 14 0
Sep 14 15:28:29 u002 ftpd[14073]: User francis: Login incorrect
Sep 14 15:28:29 u002 ftpd[14073]: PORT
Sep 14 16:57:59 u002 syslog: su : + tty?? root-ssi7
Sep 14 15:58:29 u002 ftpd[14673]: connection from 131.193.141.59 at Thu Sep 14 0
Sep 14 15:58:29 u002 ftpd[14673]: User francis: Login incorrect
Sep 14 15:58:29 u002 ftpd[14673]: PORT
Sep 14 17:00:18 u002 syslog: su : + tty??root-ssi7

I am concerned about the su entries. The timestamp is wrong. It is exactly 1 hour ahead. I have an entry ( last one) which says 17:00 but it is barely 16:00!!! How can this happen?

My other question is:

I have this command in my .sh.history file for root:

vi +/francis passwd

What does this command do?
I know I did not issue this command. I do have my application vendor come in as root when he has to. I am just concerned what this command does.

Thanks
Sanjay

Re: Syslog message time difference

Kofi ARTHIABAH — Fri, 15 Sep 2000 00:59:17 GMT

Sanjay:

From the looks of it, you should be very worried... First I would suggest that you take a loook at the following site:
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

It would appear that your user francis is doing something less than honourable :) check your /etc/passwd file - he may have given himself a UID of 0 (ie equivalent to root) If you look at the PIDs of the ftpd, it looks like it is delaying logging.

What I would do is to user /var/adm/inetd.sec to block the suspicious IP address that is trying the ftp PORT command.
Next, you might want to look on your system for a trojan (check /var/spool/cron/crontabs ) for all files in the crontabs
Turn on verbose logging for ftpd (in your inetd.conf) do a man on ftpd
GET your installation media ready and backup your data. Verify that the data is valid and be prepared for Disaster recovery, if you find something less than decent.

BTW what timezone are you in? are you running ntp of some sort? is it possible that one of your users is changing the dates?

do a:

more /home/*/.sh_history
and look for any dubious actions. BTW bear in mind that if the system was indeed compromised, the culprit would have tried to clean up after...

Next, if you can get a machine on the same subnet on which to run ethereal or tcpdump, look at the traffic coming out/into the server... I would say use
netstat -a | grep LISTEN
to check for tcp ports that are open (in case there is trojan on your system)

most importantly, be prepared to kick into disaster recovery mode.

Re: Syslog message time difference

Tim Malnati — Fri, 15 Sep 2000 02:33:50 GMT

It appears that you may have a real security issue with user francis. To start with I would suggest that you immediately disable this user. Changing the password for the user is a good start. If you have others in your organization that have password changing ability, inform them not to allow him/her access and to refer that person to you so that you can get a direct explanation.

Re: Syslog message time difference

Denver Osborn — Fri, 15 Sep 2000 03:44:05 GMT

# vi +/francis passwd

This will do nothing more than open the passwd file (if in /etc) with the vi editor and place the curser at the first instance of the string "francis"

Maybe someone w/ superuser access went to modify this users account?

Re: Syslog message time difference

Alan Riggs — Fri, 15 Sep 2000 13:21:44 GMT

The su entries mean someone logged in as root changed to user ssi7. That does not seem dangerous to me.

As noted, the vi command indicates someone with root authority edited the passwd file. If it was not you, and if you do not share user management duties with anyone else, then I would check your passwd file very carefully. Do not check just the user francis -- more than one change may have been made.

Re: Syslog message time difference

Sanjay Tailor — Fri, 15 Sep 2000 13:30:17 GMT

Hello,

Thank you for your responses. I am not worried about the user francis. He is a trusted users and I can deactivate him whenever I wish. I am more concerned with the su entries. Their timestamp is wrong, in fact exactly one hour ahead of the HP clock. Actually, the timestamp on the ftp sessions is right. How can this happen?

I know that root is su'ing to ssi7 but there is no root user logged in at this time. I think that the application program ( ssi7) is doing this programmatically. Does this mean that this application ( ssi7) runs as root?

Thanks,

Re: Syslog message time difference

Vincente Fernandes — Mon, 18 Sep 2000 09:32:08 GMT

Yes the application ssi7 runs as root equivalent, you may need to find out why? Sometimes some of the programs/scripts in an applications automatically does an su to root to gather some data etc.

Re: Syslog message time difference

Tracey — Mon, 18 Sep 2000 10:52:20 GMT

I think you should check your timezone entries to make sure that they are correct. You should have a TZ variable set in your environment, just do an echo $TZ, also there is a timezone kernal parameter that you can view using sam.

Re: Syslog message time difference

Cheryl Griffin — Mon, 18 Sep 2000 11:42:22 GMT

Sanjay,
What you may be finding, is if the TZ (Timezone) variable is not set, it will default to EST5EDT.

This may mean that the /etc/profile or .profile does not have TZ set for the user.

Timezone is also set in the kernel with
# set_parms timezone

If everything checks out on the system settings, another point of failure is with applications to use TZ. You may need to set TZ using a shell wrapper that sources
/etc/TIMEZONE.

Best Wishes,
Cheryl
351501

Re: Syslog message time difference

James R. Ferguson — Mon, 18 Sep 2000 11:52:34 GMT

Sanjay:

In keeping with Cheryl's post, you might also want to look at this recent thread:

http://my1.itrc.hp.com/cm/QuestionAnswer/1,1150,0x609e0559ff7cd4118fef0090279cd0f9,00.html

...JRF...