linux.debian.user debian-user@lists.debian.org.

/bin/login listening?

28/07/2007, 21h40   #1
Tyler Smith
/bin/login listening?

Hi,

rkhunter has turned up a new warning for me:

> Found warnings:
> [16:37:42] Checking for packet capturing applications... Warning
> [16:37:43] Warning! Process /bin/login (3888) listening
> [16:37:43] Warning! Process /bin/login (3888) listening
> [16:37:43] Warning! Process /bin/login (3888) listening
> [16:37:43] Warning! Process /bin/login (3888) listening
> [16:37:43] Warning! Process /sbin/dhclient (4197) listening
> [16:37:43] WARNING, found: /etc/.java (directory) /dev/.static (directory) /dev/.udev (directory) /dev/.initramfs (directory)


The /bin/login hasn't shown up before. Is this something I need to
worry about?

Thanks,

Tyler


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
28/07/2007, 22h40   #2
Jeff D
Re: /bin/login listening?

On Sat, 28 Jul 2007, Tyler Smith wrote:

> Hi,
>
> rkhunter has turned up a new warning for me:
>
>> Found warnings:
>> [16:37:42] Checking for packet capturing applications... Warning
>> [16:37:43] Warning! Process /bin/login (3888) listening
>> [16:37:43] Warning! Process /bin/login (3888) listening
>> [16:37:43] Warning! Process /bin/login (3888) listening
>> [16:37:43] Warning! Process /bin/login (3888) listening
>> [16:37:43] Warning! Process /sbin/dhclient (4197) listening
>> [16:37:43] WARNING, found: /etc/.java (directory) /dev/.static (directory) /dev/.udev (directory) /dev/.initramfs (directory)

>
> The /bin/login hasn't shown up before. Is this something I need to
> worry about?
>
> Thanks,
>
> Tyler
>
>
> --


Normally /bin/login shouldn't be listening. A couple things you could do
to see if it is listening is:
lsof -i -n | grep LISTEN
if it is listening, it should show up there, providing lsof hasn't been
compromised.
if you have another machine available to you, run an nmap scan on it
like so:
nmap -sV hostname

if those show up true, it's likely that you have a rootkit installed and
should pull the network cable from the machine and rebuild.

jeff

-+-
8 out of 10 Owners who Expressed a Preference said Their Cats Preferred Techno.


28/07/2007, 23h30   #3
Tyler Smith
Re: /bin/login listening?

On 2007-07-28, Jeff D <fixedored@gmail.com> wrote:
>>> [16:37:43] Warning! Process /bin/login (3888) listening

>
> Normally /bin/login shouldn't be listening. A couple things you could do
> to see if it is listening is:
> lsof -i -n | grep LISTEN


Here's what I got - no sign of /bin/login:

lsof -i -n | grep LISTEN
portmap 2578 daemon 4u IPv4 6938 TCP *:sunrpc (LISTEN)
rpc.statd 2603 statd 8u IPv4 7009 TCP *:37381 (LISTEN)
sshd 3026 root 3u IPv6 7668 TCP *:ssh (LISTEN)
exim4 3385 Debian-exim 3u IPv4 7971 TCP 127.0.0.1:smtp (LISTEN)
inetd 3661 root 4u IPv4 8254 TCP *:auth (LISTEN)
famd 3721 tyler 3u IPv4 8323 TCP 127.0.0.1:929 (LISTEN)
apache 3826 root 16u IPv4 9177 TCP *:www (LISTEN)
apache 3827 www-data 16u IPv4 9177 TCP *:www (LISTEN)
apache 3828 www-data 16u IPv4 9177 TCP *:www (LISTEN)
apache 3829 www-data 16u IPv4 9177 TCP *:www (LISTEN)
apache 3830 www-data 16u IPv4 9177 TCP *:www (LISTEN)
apache 3839 www-data 16u IPv4 9177 TCP *:www (LISTEN)
apache 21000 www-data 16u IPv4 9177 TCP *:www (LISTEN)
apache 21001 www-data 16u IPv4 9177 TCP *:www (LISTEN)
apache 21002 www-data 16u IPv4 9177 TCP *:www (LISTEN)
identd 21568 identd 0u IPv4 8254 TCP *:auth (LISTEN)
identd 21568 identd 1u IPv4 8254 TCP *:auth (LISTEN)
identd 21568 identd 2u IPv4 8254 TCP *:auth (LISTEN)

> if it is listening, it should show up there, providing lsof hasn't been
> compromised.
> if you have another machine available to you, run an nmap scan on it
> like so:
> nmap -sV hostname


I don't have another machine available. What do you think?

Cheers,

Tyler


29/07/2007, 00h10   #4
Jeff D
Re: /bin/login listening?

On Sat, 28 Jul 2007, Tyler Smith wrote:

> On 2007-07-28, Jeff D <fixedored@gmail.com> wrote:
>>>> [16:37:43] Warning! Process /bin/login (3888) listening

>>
>> Normally /bin/login shouldn't be listening. A couple things you could do
>> to see if it is listening is:
>> lsof -i -n | grep LISTEN

>
> Here's what I got - no sign of /bin/login:
>
> lsof -i -n | grep LISTEN
> portmap 2578 daemon 4u IPv4 6938 TCP *:sunrpc (LISTEN)
> rpc.statd 2603 statd 8u IPv4 7009 TCP *:37381 (LISTEN)
> sshd 3026 root 3u IPv6 7668 TCP *:ssh (LISTEN)
> exim4 3385 Debian-exim 3u IPv4 7971 TCP 127.0.0.1:smtp (LISTEN)
> inetd 3661 root 4u IPv4 8254 TCP *:auth (LISTEN)
> famd 3721 tyler 3u IPv4 8323 TCP 127.0.0.1:929 (LISTEN)
> apache 3826 root 16u IPv4 9177 TCP *:www (LISTEN)
> apache 3827 www-data 16u IPv4 9177 TCP *:www (LISTEN)
> apache 3828 www-data 16u IPv4 9177 TCP *:www (LISTEN)
> apache 3829 www-data 16u IPv4 9177 TCP *:www (LISTEN)
> apache 3830 www-data 16u IPv4 9177 TCP *:www (LISTEN)
> apache 3839 www-data 16u IPv4 9177 TCP *:www (LISTEN)
> apache 21000 www-data 16u IPv4 9177 TCP *:www (LISTEN)
> apache 21001 www-data 16u IPv4 9177 TCP *:www (LISTEN)
> apache 21002 www-data 16u IPv4 9177 TCP *:www (LISTEN)
> identd 21568 identd 0u IPv4 8254 TCP *:auth (LISTEN)
> identd 21568 identd 1u IPv4 8254 TCP *:auth (LISTEN)
> identd 21568 identd 2u IPv4 8254 TCP *:auth (LISTEN)
>
>> if it is listening, it should show up there, providing lsof hasn't been
>> compromised.
>> if you have another machine available to you, run an nmap scan on it
>> like so:
>> nmap -sV hostname

>
> I don't have another machine available. What do you think?
>
> Cheers,
>
> Tyler
>


you could also try something like this:
lsof -n -p `pidof login | sed s/\ /\,/g` or lsof -n -p 3888 ( since that
is the process id that rkhunter is reporting listening)

do you have nmap installed on the local machine? you could run a nmap -sV
localhost against it and it should report back with something as well.

you can also install the debsums package, it will do a md5sum check
against installed packages.

also, what version of debian are you running? Is this machine behind a
firewall or do you have a firewall running on it? You may also

Jeff

-+-
8 out of 10 Owners who Expressed a Preference said Their Cats Preferred Techno.


29/07/2007, 05h20   #5
Tyler Smith
Re: /bin/login listening?

On 2007-07-28, Jeff D <fixedored@gmail.com> wrote:
> also, what version of debian are you running? Is this machine behind a
> firewall or do you have a firewall running on it? You may also


I'm running Lenny on a laptop, usually connected to various wireless
routers. I recently noticed that firestarter wasn't actually starting
automatically, something to do with the network not being up when I
boot, and I don't always remember to turn it on after I connect to the
wireless router. Also, even when I am running firestarter I have to
turn it off in order to access my university via vpn.

I've pasted the results of all the tests you suggested below. I don't
understand much, but the md5sum mis-match for the rkhunter files is
definitely worrying. Am I going to have to re-install?

Thanks,

Tyler


> you can also install the debsums package, it will do a md5sum check
> against installed packages.


root:chapter3# debsums -s
debsums: no md5sums for amarok-engines
debsums: no md5sums for at
debsums: no md5sums for base-files
debsums: no md5sums for bc
debsums: no md5sums for bin86
debsums: no md5sums for binutils
debsums: no md5sums for bsdutils
debsums: no md5sums for bzip2
debsums: can't open cltl file /usr/share/doc/cltl/README.Debian (No such file or directory)
debsums: can't open cltl file /usr/share/doc/cltl/copyright (No such file or directory)
debsums: can't open cltl file /usr/share/doc/cltl/changelog.gz (No such file or directory)
debsums: no md5sums for console-data
debsums: no md5sums for dc
debsums: no md5sums for debian-archive-keyring
debsums: no md5sums for debian-policy
debsums: no md5sums for dict
debsums: no md5sums for doc-debian
debsums: can't open ebook-dev-alp file /usr/share/doc/ebook-dev-alp/advanced-linux-programming.pdf.gz (No such file or directory)
debsums: no md5sums for ed
debsums: no md5sums for figlet
debsums: no md5sums for g++
debsums: no md5sums for g77
debsums: no md5sums for gawk
debsums: no md5sums for gawk-doc
debsums: no md5sums for gnupg
debsums: no md5sums for gnuplot
debsums: no md5sums for gpgv
debsums: no md5sums for hibernate
debsums: no md5sums for initscripts
debsums: no md5sums for installation-guide-i386
debsums: no md5sums for installation-report
debsums: no md5sums for klogd
debsums: no md5sums for libaudio2
debsums: no md5sums for libbz2-1.0
debsums: no md5sums for libbz2-dev
debsums: no md5sums for libdb4.2
debsums: no md5sums for libdb4.3
debsums: no md5sums for libdb4.4
debsums: checksum mismatch libgcj-common file /usr/share/doc/libgcj-common/copyright
debsums: checksum mismatch libgcj-common file /usr/share/doc/libgcj-common/changelog.Debian.gz
debsums: no md5sums for libgdbm3
debsums: no md5sums for libgsm1
debsums: no md5sums for libhdf4g
debsums: no md5sums for libident
debsums: no md5sums for liblockfile1
debsums: no md5sums for libncurses5
debsums: no md5sums for libncurses5-dev
debsums: no md5sums for libncursesw5
debsums: no md5sums for libnetcdf3
debsums: no md5sums for libvolume-id0
debsums: no md5sums for lynx
debsums: no md5sums for make-doc
debsums: no md5sums for mawk
debsums: no md5sums for mime-support
debsums: no md5sums for module-init-tools
debsums: no md5sums for mount
debsums: no md5sums for mpack
debsums: no md5sums for ncurses-base
debsums: no md5sums for ncurses-bin
debsums: no md5sums for ncurses-term
debsums: no md5sums for netbase
debsums: no md5sums for openbsd-inetd
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prauctex.cfg
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prauctex.def
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prcounters.def
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/preview.sty
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prfootnotes.def
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prlyx.def
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prshowbox.def
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prshowlabels.def
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prtightpage.def
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prtracingall.def
debsums: no md5sums for r-recommended
debsums: no md5sums for rcs
debsums: checksum mismatch rkhunter file /var/lib/rkhunter/db/mirrors.dat
debsums: checksum mismatch rkhunter file /var/lib/rkhunter/db/os.dat
debsums: checksum mismatch rkhunter file /var/lib/rkhunter/db/programs_good.dat
debsums: checksum mismatch rkhunter file /var/lib/rkhunter/db/defaulthashes.dat
debsums: no md5sums for rsync
debsums: no md5sums for ssh
debsums: no md5sums for strace
debsums: no md5sums for sun-java5-fonts
debsums: no md5sums for sun-java5-plugin
debsums: no md5sums for svgalibg1
debsums: no md5sums for sysklogd
debsums: no md5sums for sysv-rc
debsums: no md5sums for sysvinit
debsums: no md5sums for sysvinit-utils
debsums: no md5sums for udev
debsums: no md5sums for update-inetd
debsums: no md5sums for util-linux
debsums: no md5sums for whois

>>

>
> you could also try something like this:
> lsof -n -p `pidof login | sed s/\ /\,/g` or lsof -n -p 3888 ( since that
> is the process id that rkhunter is reporting listening)


root:chapter3# lsof -n -p 3888
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
login 3888 root cwd DIR 0,13 4040 955 /dev
login 3888 root rtd DIR 8,3 4096 2 /
login 3888 root txt REG 8,3 35204 193543 /bin/login
login 3888 root mem REG 8,3 38416 532977 /lib/i686/cmov/libnss_files-2.6.so
login 3888 root mem REG 8,3 34352 532979 /lib/i686/cmov/libnss_nis-2.6.so
login 3888 root mem REG 8,3 30436 532975 /lib/i686/cmov/libnss_compat-2.6.so
login 3888 root mem REG 8,3 220764 596845 /lib/libsepol.so.1
login 3888 root mem REG 8,3 83512 597381 /lib/libselinux.so.1
login 3888 root mem REG 8,3 83712 532974 /lib/i686/cmov/libnsl-2.6.so
login 3888 root mem REG 8,3 9708 598622 /lib/security/pam_mail.so
login 3888 root mem REG 8,3 4244 598624 /lib/security/pam_motd.so
login 3888 root mem REG 8,3 9696 532987 /lib/i686/cmov/libutil-2.6.so
login 3888 root mem REG 8,3 8640 598618 /lib/security/pam_lastlog.so
login 3888 root mem REG 8,3 17204 598619 /lib/security/pam_limits.so
login 3888 root mem REG 8,3 51484 598645 /lib/security/pam_unix.so
login 3888 root mem REG 8,3 9684 532935 /lib/i686/cmov/libdl-2.6.so
login 3888 root mem REG 8,3 1331968 532932 /lib/i686/cmov/libc-2.6.so
login 3888 root mem REG 8,3 8264 598609 /lib/libpam_misc.so.0.79
login 3888 root mem REG 8,3 29700 596838 /lib/libpam.so.0.79
login 3888 root mem REG 8,3 21908 532934 /lib/i686/cmov/libcrypt-2.6.so
login 3888 root mem REG 8,3 11024 596837 /lib/libcap.so.1.10
login 3888 root mem REG 8,3 11232 598616 /lib/security/pam_group.so
login 3888 root mem REG 8,3 10372 598613 /lib/security/pam_env.so
login 3888 root mem REG 8,3 5908 598625 /lib/security/pam_nologin.so
login 3888 root mem REG 8,3 7144 598629 /lib/security/pam_securetty.so
login 3888 root mem REG 8,3 117336 774195 /lib/ld-2.6.so
login 3888 root 0u CHR 4,1 1059 /dev/tty1
login 3888 root 1u CHR 4,1 1059 /dev/tty1
login 3888 root 2u CHR 4,1 1059 /dev/tty1
login 3888 root 4r REG 8,3 1237 517938 /etc/passwd
login 3888 root 5u unix 0xf7ddac80 9347 socket
root:chapter3#

root:chapter3# lsof -n -p `pidof login` | sed s/\ /\,/g
COMMAND,,PID,USER,,,FD,,,TYPE,,,,,DEVICE,,,,SIZE,, ,NODE,NAME
login,,,3888,root,,cwd,,,,DIR,,,,,,,0,13,,,,4040,, ,,955,/dev
login,,,3888,root,,rtd,,,,DIR,,,,,,,,8,3,,,,4096,, ,,,,2,/
login,,,3888,root,,txt,,,,REG,,,,,,,,8,3,,,35204,1 93543,/bin/login
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,38416,5 32977,/lib/i686/cmov/libnss_files-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,34352,5 32979,/lib/i686/cmov/libnss_nis-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,30436,5 32975,/lib/i686/cmov/libnss_compat-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,220764,5 96845,/lib/libsepol.so.1
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,83512,5 97381,/lib/libselinux.so.1
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,83712,5 32974,/lib/i686/cmov/libnsl-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,9708,5 98622,/lib/security/pam_mail.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,4244,5 98624,/lib/security/pam_motd.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,9696,5 32987,/lib/i686/cmov/libutil-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,8640,5 98618,/lib/security/pam_lastlog.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,17204,5 98619,/lib/security/pam_limits.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,51484,5 98645,/lib/security/pam_unix.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,9684,5 32935,/lib/i686/cmov/libdl-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,1331968,5 32932,/lib/i686/cmov/libc-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,8264,5 98609,/lib/libpam_misc.so.0.79
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,29700,5 96838,/lib/libpam.so.0.79
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,21908,5 32934,/lib/i686/cmov/libcrypt-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,11024,5 96837,/lib/libcap.so.1.10
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,11232,5 98616,/lib/security/pam_group.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,10372,5 98613,/lib/security/pam_env.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,5908,5 98625,/lib/security/pam_nologin.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,7144,5 98629,/lib/security/pam_securetty.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,117336,7 74195,/lib/ld-2.6.so
login,,,3888,root,,,,0u,,,CHR,,,,,,,,4,1,,,,,,,,,, ,1059,/dev/tty1
login,,,3888,root,,,,1u,,,CHR,,,,,,,,4,1,,,,,,,,,, ,1059,/dev/tty1
login,,,3888,root,,,,2u,,,CHR,,,,,,,,4,1,,,,,,,,,, ,1059,/dev/tty1
login,,,3888,root,,,,4r,,,REG,,,,,,,,8,3,,,,1237,5 17938,/etc/passwd
login,,,3888,root,,,,5u,,unix,0xf7ddac80,,,,,,,,,, ,9347,socket
root:chapter3#

>


> do you have nmap installed on the local machine? you could run a nmap -sV
> localhost against it and it should report back with something as well.


root:chapter3# nmap -sV localhost

Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-29 00:26 ADT
Interesting ports on localhost (127.0.0.1):
Not shown: 1691 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.6p1 Debian 4 (protocol 2.0)
25/tcp open smtp Exim smtpd 4.67
80/tcp open http Apache httpd 1.3.34 ((Debian))
111/tcp open rpcbind 2 (rpc #100000)
113/tcp open ident OpenBSD identd
929/tcp open unknown
Service Info: Host: blackbart.mynetwork; OSs: Linux, OpenBSD

Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 6.208 seconds
root:chapter3#




>
>
> Jeff
>
> -+-
> 8 out of 10 Owners who Expressed a Preference said Their Cats Preferred Techno.
>
>



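The checks traded above (lsof -i, lsof -p 3888, nmap -sV localhost) all ask userland tools whether PID 3888 owns a listening socket. As an added example that is not code from this thread, the Python below does the same cross-check straight from the kernel's /proc tables: it matches the socket inodes a process holds (from /proc/<pid>/fd) against the LISTEN rows of /proc/net/tcp. The sample tables and fd links are constructed, modelled on the lsof output in this thread; the one socket login holds (inode 9347) is a unix-domain socket, so it never appears in the TCP table, which is exactly why lsof -i showed no login entry.

```python
"""Confirm from kernel tables whether a PID owns a TCP listening socket.

Added example (not code from this thread).  rkhunter's "Process ...
listening" warning is best confirmed from raw /proc data rather than from a
userland tool that a rootkit could have replaced: /proc/<pid>/fd links each
open descriptor to "socket:[inode]", and /proc/net/tcp (and tcp6) lists every
TCP socket with its state (0A == LISTEN) and inode.  A process is listening
only if one of *its* socket inodes appears in a LISTEN row.
"""
import os
import re
from typing import Dict, List, Tuple

LISTEN = "0A"

# Constructed /proc/net/tcp snapshot, modelled on the lsof listing in this
# thread (exim4 on 127.0.0.1:25 inode 7971, famd on 127.0.0.1:929 inode 8323,
# apache on *:80 inode 9177) plus one ESTABLISHED (state 01) client connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000   102        0 7971 1 00000000 300 0 0 2 -1
   1: 0100007F:03A1 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 8323 1 00000000 300 0 0 2 -1
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9177 1 00000000 300 0 0 2 -1
   3: 0100007F:0C1A 0100007F:0019 01 00000000:00000000 00:00000000 00000000  1000        0 9500 1 00000000 20 4 0 2 -1
"""

# Constructed readlink() targets for /proc/3888/fd, matching the lsof -p 3888
# output above: three tty descriptors, /etc/passwd and one unix-domain socket.
LOGIN_FD_LINKS = ["/dev/tty1", "/dev/tty1", "/dev/tty1", "/etc/passwd", "socket:[9347]"]


def _decode_ipv4(hexip: str) -> str:
    """/proc/net/tcp prints the address as a host-order hex word; on a
    little-endian host (the thread's i386 laptop) 0100007F is 127.0.0.1."""
    return ".".join(str(int(hexip[i:i + 2], 16)) for i in (6, 4, 2, 0))


def parse_proc_net_tcp(text: str) -> Dict[int, Tuple[str, int, str]]:
    """Map socket inode -> (local address, local port, state) from /proc/net/tcp[6] text."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[0] == "sl":   # skip the header row
            continue
        hexip, hexport = fields[1].split(":")
        ip = _decode_ipv4(hexip) if len(hexip) == 8 else hexip   # tcp6 rows: keep raw hex
        table[int(fields[9])] = (ip, int(hexport, 16), fields[3])
    return table


def socket_inodes(fd_links: List[str]) -> List[int]:
    """Pick the inodes out of fd link targets such as 'socket:[9347]'."""
    inodes = []
    for link in fd_links:
        m = re.fullmatch(r"socket:\[(\d+)\]", link)
        if m:
            inodes.append(int(m.group(1)))
    return inodes


def listening_ports(tcp_text: str, fd_links: List[str]) -> List[Tuple[str, int]]:
    """(address, port) pairs on which the process owning fd_links is listening."""
    table = parse_proc_net_tcp(tcp_text)
    found = []
    for ino in socket_inodes(fd_links):
        entry = table.get(ino)   # a unix-domain socket inode is simply absent here
        if entry is not None and entry[2] == LISTEN:
            found.append((entry[0], entry[1]))
    return found


def live_listening_ports(pid: int) -> List[Tuple[str, int]]:
    """Run the same check against the real kernel tables (root needed for other users' fds)."""
    fd_dir = f"/proc/{pid}/fd"
    links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
    found = []
    for table in ("/proc/net/tcp", "/proc/net/tcp6"):
        if os.path.exists(table):
            with open(table) as f:
                found.extend(listening_ports(f.read(), links))
    return found


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(live_listening_ports(int(sys.argv[1])))
    else:
        print("login fds  ->", listening_ports(SAMPLE_PROC_NET_TCP, LOGIN_FD_LINKS))    # []
        print("inode 7971 ->", listening_ports(SAMPLE_PROC_NET_TCP, ["socket:[7971]"]))  # [('127.0.0.1', 25)]
```

Reading /proc still trusts the running kernel; a kernel-level rootkit can lie here too, which is why the thread later moves to checking the disk from a clean boot.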
29/07/2007, 09h00   #6
Jeff D
Re: /bin/login listening?

On Sat, 29 Jul 2007, Tyler Smith wrote:

> On 2007-07-28, Jeff D <fixedored@gmail.com> wrote:
>> also, what version of debian are you running? Is this machine behind a
>> firewall or do you have a firewall running on it? You may also

>
> I'm running Lenny on a laptop, usually connected to various wireless
> routers. I recently noticed that firestarter wasn't actually starting
> automatically, something to do with the network not being up when I
> boot, and I don't always remember to turn it on after I connect to the
> wireless router. Also, even when I am running firestarter I have to
> turn it off in order to access my university via vpn.
>
> I've pasted the results of all the tests you suggested below. I don't
> understand much, but the md5sum mis-match for the rkhunter files is
> definitely worrying. Am I going to have to re-install?
>
> Thanks,
>
> Tyler
>
>
>> you can also install the debsums package, it will do a md5sum check
>> against installed packages.

>


> root:chapter3# debsums -s


<SNIP tons of debsum output>

> debsums: checksum mismatch libgcj-common file /usr/share/doc/libgcj-common/copyright
> debsums: checksum mismatch libgcj-common file /usr/share/doc/libgcj-common/changelog.Debian.gz
>


<SNIP lsof output>

>>

>
>> do you have nmap installed on the local machine? you could run a nmap -sV
>> localhost against it and it should report back with something as well.

>
> root:chapter3# nmap -sV localhost
>
> Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-29 00:26 ADT
> Interesting ports on localhost (127.0.0.1):
> Not shown: 1691 closed ports
> PORT STATE SERVICE VERSION
> 22/tcp open ssh OpenSSH 4.6p1 Debian 4 (protocol 2.0)
> 25/tcp open smtp Exim smtpd 4.67
> 80/tcp open http Apache httpd 1.3.34 ((Debian))
> 111/tcp open rpcbind 2 (rpc #100000)
> 113/tcp open ident OpenBSD identd
> 929/tcp open unknown
> Service Info: Host: blackbart.mynetwork; OSs: Linux, OpenBSD
>
> Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
> Nmap finished: 1 IP address (1 host up) scanned in 6.208 seconds
> root:chapter3#
>


From the looks of it, it could have just been a false positive. I've seen
rkhunter report a few, not very often though. I'd run rkhunter again,
install chkrootkit, run that, see if the two match up.

As far as debsums reporting back on the rkhunter files, those will
probably not match, as they can get updated.


-+-
8 out of 10 Owners who Expressed a Preference said Their Cats Preferred Techno.


29/07/2007, 15h20   #7
Tyler Smith
Re: /bin/login listening?

On 2007-07-29, Jeff D <fixedored@gmail.com> wrote:
>
> From the looks of it, it could have just been a false positive. I've seen
> rkhunter report a few, not very often though. I'd run rkhunter again,
> install chkrootkit, run that, see if the two match up.
>
> As far as debsums reporting back on the rkhunter files, those will
> probably not match, as they can get updated.
>


I ran rkhunter again, and then for good measure I aptitude --purged
it, reinstalled, and ran again. And then I thought maybe the whole
thing was compromised, so I purged it again, installed rkhunter 1.30
from sourceforge, and ran again. And I also ran chkrootkit. In all
cases they showed nothing happening, except for warning me that some
of my /bin executables had been replaced by scripts -- stuff like
egrep, fgrep etc.

So perhaps it was just a false positive. I'm going to read up on
security stuff now, so maybe I'll have some idea how to proceed the
next time.

Thanks for your ,

Tyler


29/07/2007, 15h30   #8
Douglas Allan Tutty
Re: /bin/login listening?

On Sun, Jul 29, 2007 at 12:48:16PM +0000, Tyler Smith wrote:
> On 2007-07-29, Jeff D <fixedored@gmail.com> wrote:


> I ran rkhunter again, and then for good measure I aptitude --purged
> it, reinstalled, and ran again. And then I thought maybe the whole
> thing was compromised, so I purged it again, installed rkhunter 1.30
> from sourceforge, and ran again. And I also ran chkrootkit. In all
> cases they showed nothing happening, except for warning me that some
> of my /bin executables had been replaced by scripts -- stuff like
> egrep, fgrep etc.
>
> So perhaps it was just a false positive. I'm going to read up on
> security stuff now, so maybe I'll have some idea how to proceed the
> next time.
>


It's tricky. If you have been rooted, you can't trust anything on the
system, including aptitude. As for reading, try the package harden-doc.

Good luck.

Doug.


29/07/2007, 16h20   #9
Tyler Smith
Re: /bin/login listening?

On 2007-07-29, Douglas Allan Tutty <dtutty@porchlight.ca> wrote:
> On Sun, Jul 29, 2007 at 12:48:16PM +0000, Tyler Smith wrote:
>> On 2007-07-29, Jeff D <fixedored@gmail.com> wrote:

>
>> I ran rkhunter again, and then for good measure I aptitude --purged
>> it, reinstalled, and ran again. And then I thought maybe the whole
>> thing was compromised, so I purged it again, installed rkhunter 1.30
>> from sourceforge, and ran again. And I also ran chkrootkit. In all
>> cases they showed nothing happening, except for warning me that some
>> of my /bin executables had been replaced by scripts -- stuff like
>> egrep, fgrep etc.
>>
>> So perhaps it was just a false positive. I'm going to read up on
>> security stuff now, so maybe I'll have some idea how to proceed the
>> next time.
>>

>
> It's tricky. If you have been rooted, you can't trust anything on the
> system, including aptitude. As for reading, try the package harden-doc.
>


That's what I was thinking. But is there any way a rootkit could
interfere with my downloading and compiling from source? I was hoping
that doing things 'by hand' would limit the possibilities for
compromising the result.

I will look at harden-doc. I'm working through the Linux how-to
security quick start at the moment.

Thanks,

Tyler



29/07/2007, 16h30   #10
Celejar
Re: /bin/login listening?

On 29 Jul 2007 13:47:30 GMT
Tyler Smith <tyler.smith@mail.mcgill.ca> wrote:

> On 2007-07-29, Douglas Allan Tutty <dtutty@porchlight.ca> wrote:
> > On Sun, Jul 29, 2007 at 12:48:16PM +0000, Tyler Smith wrote:
> >> On 2007-07-29, Jeff D <fixedored@gmail.com> wrote:

> >
> >> I ran rkhunter again, and then for good measure I aptitude --purged
> >> it, reinstalled, and ran again. And then I thought maybe the whole
> >> thing was compromised, so I purged it again, installed rkhunter 1.30
> >> from sourceforge, and ran again. And I also ran chkrootkit. In all
> >> cases they showed nothing happening, except for warning me that some
> >> of my /bin executables had been replaced by scripts -- stuff like
> >> egrep, fgrep etc.
> >>
> >> So perhaps it was just a false positive. I'm going to read up on
> >> security stuff now, so maybe I'll have some idea how to proceed the
> >> next time.
> >>

> >
> > It's tricky. If you have been rooted, you can't trust anything on the
> > system, including aptitude. As for reading, try the package harden-doc.
> >

>
> That's what I was thinking. But is there any way a rootkit could
> interfere with my downloading and compiling from source? I was hoping
> that doing things 'by hand' would limit the possibilities for
> compromising the result.


In theory, certainly. Your downloading agent is probably invoking
system libraries, which may be compromised and substituting bad
source. The system may not even be running your download agent at
all! Or it may subsequently lie to you and assure you that it's
running the downloaded app when it really isn't. Whether all this is
at all plausible is a different question.

> I will look at harden-doc. I'm working through the Linux how-to
> security quick start at the moment.
>
> Thanks,
>
> Tyler


Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator


29/07/2007, 16h50   #11
John Hasler
Re: /bin/login listening?

> That's what I was thinking. But is there any way a rootkit could
> interfere with my downloading and compiling from source?


Of course. They could have trojaned any of the tools you would use. _No_
software on a rooted box can be trusted. Including the shell.
--
John Hasler


29/07/2007, 18h20   #12
Tyler Smith
Re: /bin/login listening?

On 2007-07-29, Celejar <celejar@gmail.com> wrote:
>>
>> That's what I was thinking. But is there any way a rootkit could
>> interfere with my downloading and compiling from source? I was hoping
>> that doing things 'by hand' would limit the possibilities for
>> compromising the result.

>
> In theory, certainly. Your downloading agent is probably invoking
> system libraries, which may be compromised and substituting bad
> source. The system may not even be running your download agent at
> all! Or it may subsequently lie to you and assure you that it's
> running the downloaded app when it really isn't. Whether all this is
> at all plausible is a different question.
>


So if I'm compromised nothing is safe, and the only guaranteed way to
clear this up is to format my harddrive and reinstall. Given that the
only evidence of a problem is a warning about /bin/login listening
from rkhunter, which happened only once, and I have had no other
problems with my net connection or general performance of my laptop,
let alone mysterious withdrawals from my bank account or other signs
of stolen passwords, what should I be doing?

From the advice received and what I'm reading, I'm getting two very
different messages - I must reinstall to be 100% certain that I'm
safe, and while I can't be 100% certain I'm safe it's pretty unlikely
that I have a real problem.

What would you do in my situation?

Thanks,

Tyler


29/07/2007, 18h40   #13
Douglas Allan Tutty
Re: /bin/login listening?

On Sun, Jul 29, 2007 at 03:56:08PM +0000, Tyler Smith wrote:

> So if I'm compromised nothing is safe, and the only guaranteed way to
> clear this up is to format my harddrive and reinstall. Given that the
> only evidence of a problem is a warning about /bin/login listening
> from rkhunter, which happened only once, and I have had no other
> problems with my net connection or general performance of my laptop,
> let alone mysterious withdrawals from my bank account or other signs
> of stolen passwords, what should I be doing?
>
> From the advice received and what I'm reading, I'm getting two very
> different messages - I must reinstall to be 100% certain that I'm
> safe, and while I can't be 100% certain I'm safe it's pretty unlikely
> that I have a real problem.
>
> What would you do in my situation?
>


Try this:

Boot the box from something like the install CD, go to a shell, mount
your / partition ro, noexec.

I think the install CD has md5sum installed. Run:
#md5sum /bin/login.

On my i386, I get:

2ee32ff74e474c4d9fc9df6f1460980f /bin/login

If /bin/login is fine, then I'd forget about it.
If it differs, I'd wipe the drive and reinstall; from backups before
your first indication of a problem. Then examine the difference between
that backup's data and your most recent backup.

Actually, to put your mind at ease, I've attached a file bin-MD5SUMS
which is the output of:

$md5sum /bin/* > bin-MD5SUMS

Put this onto a floppy and mount it when you boot your install CD. Then
edit it so that, for example the /bin/login reads /mnt/bin/login.

You can then verify the whole /bin with
#md5sum -c bin-MD5SUMS

Here's the file, and good luck.

Doug.


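Doug's procedure above (boot from clean media, mount the suspect root read-only, then check /bin against a saved md5sum list with each path rewritten to /mnt/...) is easy to script. The following is an added example, not code from this thread: it parses an md5sum-format list, remaps every recorded path under a mount root instead of editing the file by hand, and reports OK, FAILED or MISSING per file; `demo()` builds a constructed reference /bin and a tampered copy in a temporary directory so the whole thing runs offline.

```python
"""Verify /bin from a rescue boot against a saved md5sum list.

Added example (not code from the thread).  The list has the format that
`md5sum /bin/* > bin-MD5SUMS` produces; verify() checks each recorded
path under a mount root (e.g. /mnt), so /bin/login is hashed as
/mnt/bin/login without editing the list.  The reference list must come
from a trusted machine running the same package version; a list stored on
the suspect disk proves nothing.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

HEX = set("0123456789abcdef")


def parse_md5sum_list(text: str) -> List[Tuple[str, str]]:
    """Parse md5sum output: 32 hex chars, two spaces, path ('*' = binary mode)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, path = line[:32].lower(), line[32:].lstrip(" ").lstrip("*")
        if len(digest) != 32 or not set(digest) <= HEX or not path:
            raise ValueError(f"malformed md5sum line: {line!r}")
        entries.append((digest, path))
    return entries


def md5_of_file(path: str) -> str:
    """Hex MD5 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_sum_list(directory: str, recorded_prefix: str) -> str:
    """Build a list like `md5sum /bin/*` would, recording paths as <recorded_prefix>/<name>."""
    lines = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            lines.append(f"{md5_of_file(full)}  {recorded_prefix}/{name}")
    return "\n".join(lines) + "\n"


def verify(sums_text: str, mount_root: str) -> Dict[str, str]:
    """Check every entry at <mount_root>/<recorded path>; 'OK', 'FAILED' or 'MISSING' per path."""
    results = {}
    for digest, path in parse_md5sum_list(sums_text):
        target = os.path.join(mount_root, path.lstrip("/"))
        if not os.path.isfile(target):
            results[path] = "MISSING"   # deleted, or the list is for a different layout
        elif md5_of_file(target) == digest:
            results[path] = "OK"
        else:
            results[path] = "FAILED"    # contents differ from the trusted reference
    return results


def demo() -> Dict[str, str]:
    """Constructed scenario: a trusted reference /bin and a 'mounted' suspect root.

    The suspect copy has login replaced, ls intact and ps deleted.
    """
    with tempfile.TemporaryDirectory() as tmp:
        ref = os.path.join(tmp, "reference", "bin")
        suspect_root = os.path.join(tmp, "mnt")
        os.makedirs(ref)
        os.makedirs(os.path.join(suspect_root, "bin"))
        good = {"login": b"reference login binary",
                "ls": b"reference ls binary",
                "ps": b"reference ps binary"}
        for name, data in good.items():
            with open(os.path.join(ref, name), "wb") as f:
                f.write(data)
        with open(os.path.join(suspect_root, "bin", "login"), "wb") as f:
            f.write(b"tampered login binary")
        with open(os.path.join(suspect_root, "bin", "ls"), "wb") as f:
            f.write(good["ls"])
        sums = make_sum_list(ref, "/bin")   # what `md5sum /bin/* > bin-MD5SUMS` would record
        return verify(sums, suspect_root)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:8s} {path}")
```

Mathias's point below applies unchanged: a reference digest only means something when it comes from the exact package version installed on the suspect machine.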
Vieux 29/07/2007, 18h40   #14
Douglas Allan Tutty
Aucun Avatar
 
Messages: n/a
Hébergeur:
Par défaut Re: /bin/login listening?

On Sun, Jul 29, 2007 at 03:56:08PM +0000, Tyler Smith wrote:

> So if I'm compromised nothing is safe, and the only guaranteed way to
> clear this up is to format my harddrive and reinstall. Given that the
> only evidence of a problem is a warning about /bin/login listening
> from rkhunter, which happened only once, and I have had no other
> problems with my net connection or general performance of my laptop,
> let alone mysterious withdrawals from my bank account or other signs
> of stolen passwords, what should I be doing?
>
> >From the advice received and what I'm reading, I'm getting two very

> different messages - I must reinstall to be 100% certain that I'm
> safe, and while I can't be 100% certain I'm safe it's pretty unlikely
> that I have a real problem.
>
> What would you do in my situation?
>


Try this:

Boot the box from something like the install CD, go to a shell, mount
your / partition ro, noexec.

I think the install CD has md5sum installed. Run:
#md5sum /bin/login.

On my i386, I get:

2ee32ff74e474c4d9fc9df6f1460980f /bin/login

If /bin/login is fine, then I'd forget about it.
If it differs, I'd wipe the drive and reinstall; from backups before
your first indication of a problem. Then examine the difference between
that backup's data and your most recent backup.

Actually, to put your mind at ease, I've attached a file bin-MD5SUMS
which is the output of:

$md5sum /bin/* > bin-MD5SUMS

Put this onto a floppy and mount it when you boot your install CD. Then
edit it so that, for example the /bin/login reads /mnt/bin/login.

You can then verify the whole /bin with
#md5sum -c bin-MD5SUMS

Here's the file, and good luck.

Doug.


29/07/2007, 18h40   #15
Mathias Brodala
Re: /bin/login listening?

Hi Douglas.

Douglas Allan Tutty, 29.07.2007 18:35:
> Boot the box from something like the install CD, go to a shell, mount
> your / partition ro, noexec.
>
> I think the install CD has md5sum installed. Run:
> #md5sum /bin/login.
>
> On my i386, I get:
>
> 2ee32ff74e474c4d9fc9df6f1460980f /bin/login


You should also tell the exact version of the "login" package you are using.
Otherwise this number is useless.

With 1:4.0.18.1-11 on i386 I get this:

> 004a41bb9196f1888bd89c2245910f46 /bin/login



Regards, Mathias

--
debian/rules



29/07/2007, 19h00   #16
Douglas Allan Tutty
Re: /bin/login listening?

On Sun, Jul 29, 2007 at 06:40:05PM +0200, Mathias Brodala wrote:

> You should also tell the exact version of the "login" package you are using.
> Otherwise this number is useless.


Sorry. Stock, up-to-date Etch. Aptitude shows it as version
1:4.0.18.1-7.

Doug.


29/07/2007, 21h00   #17
Tyler Smith
Re: /bin/login listening?

On 2007-07-29, Mathias Brodala <info@noctus.net> wrote:
> Hi Douglas.
>
> Douglas Allan Tutty, 29.07.2007 18:35:
>> Boot the box from something like the install CD, go to a shell, mount
>> your / partition ro, noexec.
>>
>> I think the install CD has md5sum installed. Run:
>> #md5sum /bin/login.
>>
>> On my i386, I get:
>>
>> 2ee32ff74e474c4d9fc9df6f1460980f /bin/login
>
> You should also tell the exact version of the "login" package you are using.
> Otherwise this number is useless.
>
> With 1:4.0.18.1-11 on i386 I get this:
>
>> 004a41bb9196f1888bd89c2245910f46 /bin/login
>

Which is just what I got too. I found an old Mepis CD, booted into
that, mounted my / partition, ran md5sum on /bin/login, and out came
the same answer, for the same version of /bin/login.

So I'm going to proceed as if I've been lucky, have not been
rootkit-ed, and will continue on with hardening my laptop without
reinstalling.

Thanks for your help!

Tyler


29/07/2007, 21h50   #18
Jeff D
Re: /bin/login listening?

On Sun, 29 Jul 2007, Tyler Smith wrote:

> On 2007-07-29, Mathias Brodala <info@noctus.net> wrote:
>> Hi Douglas.
>>
>> Douglas Allan Tutty, 29.07.2007 18:35:
>>> Boot the box from something like the install CD, go to a shell, mount
>>> your / partition ro, noexec.
>>>
>>> I think the install CD has md5sum installed. Run:
>>> #md5sum /bin/login.
>>>
>>> On my i386, I get:
>>>
>>> 2ee32ff74e474c4d9fc9df6f1460980f /bin/login
>>
>> You should also tell the exact version of the "login" package you are using.
>> Otherwise this number is useless.
>>
>> With 1:4.0.18.1-11 on i386 I get this:
>>
>>> 004a41bb9196f1888bd89c2245910f46 /bin/login
>>
>
> Which is just what I got too. I found an old Mepis CD, booted into
> that, mounted my / partition, ran md5sum on /bin/login, and out came
> the same answer, for the same version of /bin/login.
>
> So I'm going to proceed as if I've been lucky, have not been
> rootkit-ed, and will continue on with hardening my laptop without
> reinstalling.
>
> Thanks for your help!
>
> Tyler
>


On that note, one thing that you might want to consider as part of the
hardening process is to install aide or some other file integrity checker.
Using something like that greatly helps in detecting and identifying issues
such as this.


-+-
8 out of 10 Owners who Expressed a Preference said Their Cats Preferred Techno.


29/07/2007, 22h20   #19
Douglas Allan Tutty
Re: /bin/login listening?

On Sun, Jul 29, 2007 at 12:44:56PM -0700, Jeff D wrote:
> On that note, one thing that you might want to consider as part of the
> hardening process is to install aide or some other file integrity checker.
> Using something like that greatly helps in detecting and identifying issues
> such as this.


I use samhain. However, since a compromised system can't reliably check
for an intrusion, I use it as a check against JFS. Since JFS doesn't
journal data (just meta-data), it is possible that after a power
failure, a file may be missing. Samhain would detect this.

For security, you should have samhain on a live-CD or something with
the checksums stored on a CD or USB stick.

Doug.
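The baseline-then-compare check that the last two replies recommend, reduced to its core as an added example: this is neither samhain nor aide nor code from the thread. The baseline is written to a separate location standing in for Doug's CD or USB stick, and missing files (his JFS case) are reported apart from modified ones; file names and the demo tree are constructed.

```sh
#!/bin/sh
# Added example, not samhain or aide code and not from the thread: the core of
# the file-integrity check the last two replies recommend. A hash baseline is
# taken while the system is trusted and kept where the running system cannot
# touch it (the CD or USB stick Doug mentions); a later compare names each change.
# Assumptions: POSIX sh, coreutils md5sum/find/sort/awk; paths without spaces.

# Hash every regular file under $1 as "hash  ./path" lines, sorted by path.
take_baseline() {
    ( cd "$1" && find . -type f -exec md5sum {} + | sort -k 2 )
}

# Compare the tree $1 with baseline file $2. Prints one line per difference:
#   modified PATH  contents changed (the rootkit worry in this thread)
#   missing PATH   in the baseline but gone now, e.g. lost after an unclean
#                  shutdown on a metadata-only journal such as JFS
#   added PATH     not in the baseline at all
# Returns 0 only when the tree matches the baseline exactly.
compare_baseline() {
    now=$(mktemp)
    take_baseline "$1" > "$now"
    diff_out=$(awk '
        NR == FNR { base[$2] = $1; next }   # first file: the baseline
        { seen[$2] = 1;
          if (!($2 in base)) print "added " $2; else if (base[$2] != $1) print "modified " $2 }
        END { for (p in base) if (!(p in seen)) print "missing " p }
    ' "$2" "$now" | sort)
    rm -f "$now"
    [ -n "$diff_out" ] && printf '%s\n' "$diff_out"
    [ -z "$diff_out" ]
}

# Constructed demo: baseline a small tree, then replace one file, delete one and
# drop a new hidden one; prints what the compare finds.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/root/bin" "$work/media"
    printf 'login v1\n' > "$work/root/bin/login"
    printf 'ls v1\n'    > "$work/root/bin/ls"
    printf 'su v1\n'    > "$work/root/bin/su"
    take_baseline "$work/root" > "$work/media/baseline.md5"   # stored off-box
    printf 'login v1 with an extra\n' > "$work/root/bin/login"
    rm -f "$work/root/bin/ls"
    printf 'dropped later\n' > "$work/root/bin/.hidden"
    compare_baseline "$work/root" "$work/media/baseline.md5" || true
}
```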

