/bin/login problems

ManagerJay

IS-IT--Management
Jul 24, 2000
302
US
I began having problems logging into my server on 5 October, 2000. I dismissed this as a problem related to the software I had installed and was evaluating and didn't give it another thought until today when I was going through my logs.

In my logs, I found someone had accessed our FTP server for 9 minutes on 3 October. I was not able to determine what was uploaded or downloaded. If it helps, the IP address is 202.2212.22.10.

On October 5, I began receiving messages when I tried to run PICO or other programs, "Incorrect terminfo entry". I checked the $TERM entry and it was set to dumb so I changed it to Linux thinking that was the end of the problem. Wrong. Each time a user would log on, or I would login as root, the terminal type was set back to dumb.

While looking around this morning, I found some information at Basically, this is the same problem that I am having and I need some additional information so I can correct the problem.

I am running RedHat Linux 6.2. My /bin/login file has a date of 5 Oct and a size 12696.

What is the correct size of /bin/login? Mine is currently 12696. What RPM is the /bin/login file contained in so I can reinstall it?

Also, I have found a duplicate of the /bin/login file with a Sep 17 date in the /lib/ / directory. The /lib/ is followed by three spaces. Other files in the directory are install.sh, lib.tgz, login, s, statdx, synk3, upddos and wd.

Any suggestions would be greatly appreciated. Thanks in advance.



Jay
 
I can answer some of the simple questions for you... first off, the login file in your /bin directory is got from the "util-linux" package... My particular installation uses "util-linux-2.10f-7"

The size of the file in my installation is about 20K (20452)

The date on my login is 7 March 2000.

Hope this was of some help...

:-( AV
 
You can also use the md5sum command to get the md5 hash of the binary and compare it to a good copy out of the install package.
I think most distros ship with a list of all the md5 hashes in a file

Erik
 
anytime you get a wrong termcap entry just do
"export TERM=vt100"
that will fix it
 
What has happened is that our server was hacked into from what appears to be ip address 202.212.22.10. Several files were put into the /lib/ / directory and executed.

Replacing the login file fixed the problem. If anyone would like to see the scripts that were used, please let me know.

Thanks for your help.



Jay
 
FYI
202.212.22.10 is owned by
Domain E-BESCO.COM
Registrant Kanematsu Computer Systems LTD. Nissay Shiba 1-Choume Bldg., 1-12-7 Shiba Minato-ku, Tokyo 105-0014 Japan
Administration contact Atsumi, Kenji (KEAT9687) k.atsumi@kcs.ne.jp Nissay Shiba 1-Choume Bldg., 1-12-7 Shiba Minato-ku, Tokyo 105-0014 Japan (PH) 81-3-5441-5194 (FAX) 81-3-5441-5139
Technical contact Takei, Masakazu (MATA6587) hip@hip-web.com 2-51-9-704 Ikebukuro Toshima-ku, Tokyo 171-0014 Japan (PH) 813-5396-7322 (FAX) 813-5396-7323
Billing contact Takei, Masakazu (MATA4227) hip@hip-web.com 2-51-9-704 Ikebukuro Toshima-ku, Tokyo 171-0014 Japan (PH) 813-5396-7322 (FAX) 813-5396-7323
Email contact k.atsumi@kcs.ne.jp hip@hip-web.com hip@hip-web.com
Tony ... aka chgwhat
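
The two checks discussed in this thread, as an added example that is not from any poster: comparing a suspect binary's size and hash with a known-good copy (Erik's md5sum suggestion) and listing directories whose names begin or end with spaces, like the `/lib/   ` directory Jay found. The function names and the sandbox paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: every path below lives in a constructed temporary sandbox.
HASH_CMD=${HASH_CMD:-md5sum}   # md5sum as in the thread; sha256sum also works

# Print "size hash" for one file, or return 2 if it cannot be read.
fingerprint() {
    [ -r "$1" ] || return 2
    size=$(wc -c < "$1" | tr -d ' ')
    hash=$("$HASH_CMD" < "$1" | cut -d' ' -f1)
    printf '%s %s\n' "$size" "$hash"
}

# Compare a suspect binary with a known-good copy taken from the original
# install media or package. Returns 0 on match, 1 on mismatch, 2 on error.
compare_with_reference() {
    suspect=$(fingerprint "$1") || return 2
    good=$(fingerprint "$2") || return 2
    if [ "$suspect" = "$good" ]; then
        echo "MATCH    $1 ($suspect)"
    else
        echo "MISMATCH $1 suspect=($suspect) reference=($good)"
        return 1
    fi
}

# List directories whose names start or end with a space, bracketed so the
# whitespace is visible. -xdev keeps the walk on a single filesystem.
find_space_dirs() {
    find "$1" -xdev -type d \( -name ' *' -o -name '* ' \) -print |
        sed 's/.*/[&]/'
}

# Constructed sandbox standing in for the suspect filesystem.
SANDBOX=$(mktemp -d)
mkdir -p "$SANDBOX/bin" "$SANDBOX/media" "$SANDBOX/lib/   "
printf 'reference login image\n' > "$SANDBOX/media/login"   # known-good copy
printf 'replaced login\n' > "$SANDBOX/bin/login"            # altered binary
cp "$SANDBOX/bin/login" "$SANDBOX/lib/   /login"            # stashed duplicate

compare_with_reference "$SANDBOX/bin/login" "$SANDBOX/media/login" ||
    echo "login differs from the reference copy"
find_space_dirs "$SANDBOX"
```

On an RPM-based system, `rpm -Vf /bin/login` makes the same size and digest comparison against the package database. Both that database and the tools on a compromised host may themselves have been altered, so the comparison is more trustworthy when run from clean boot media.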
 