linux.debian.user debian-user@lists.debian.org

#1
Hi,

rkhunter has turned up a new warning for me:

> Found warnings:
> [16:37:42] Checking for packet capturing applications... Warning
> [16:37:43] Warning! Process /bin/login (3888) listening
> [16:37:43] Warning! Process /bin/login (3888) listening
> [16:37:43] Warning! Process /bin/login (3888) listening
> [16:37:43] Warning! Process /bin/login (3888) listening
> [16:37:43] Warning! Process /sbin/dhclient (4197) listening
> [16:37:43] WARNING, found: /etc/.java (directory) /dev/.static (directory) /dev/.udev (directory) /dev/.initramfs (directory)

The /bin/login hasn't shown up before. Is this something I need to worry about?

Thanks,

Tyler

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
#2
On Sat, 28 Jul 2007, Tyler Smith wrote:

> Hi,
>
> rkhunter has turned up a new warning for me:
>
>> Found warnings:
>> [16:37:42] Checking for packet capturing applications... Warning
>> [16:37:43] Warning! Process /bin/login (3888) listening
>> [16:37:43] Warning! Process /bin/login (3888) listening
>> [16:37:43] Warning! Process /bin/login (3888) listening
>> [16:37:43] Warning! Process /bin/login (3888) listening
>> [16:37:43] Warning! Process /sbin/dhclient (4197) listening
>> [16:37:43] WARNING, found: /etc/.java (directory) /dev/.static (directory) /dev/.udev (directory) /dev/.initramfs (directory)
>
> The /bin/login hasn't shown up before. Is this something I need to
> worry about?
>
> Thanks,
>
> Tyler
>
>
> --

Normally /bin/login shouldn't be listening. A couple of things you could do to see if it is listening is:

lsof -i -n | grep LISTEN

If it is listening, it should show up there, providing lsof hasn't been compromised.

If you have another machine available to you, run an nmap scan on it like so:

nmap -sV hostname

If those show up true, it's likely that you have a rootkit installed and should pull the network cable from the machine and rebuild.

jeff
-+-
8 out of 10 Owners who Expressed a Preference said Their Cats Preferred Techno.
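As an added example (not from anyone in this thread), the same check Jeff suggests can be made without trusting lsof, by matching the socket inodes in /proc/PID/fd against the LISTEN entries in /proc/net/tcp; the `proc_root` parameter and the function names are this example's own, and a kernel-level rootkit can still lie to /proc, which is why the scan from a second machine remains the stronger test.

```shell
#!/bin/sh
# Added example, not from the thread: confirm or refute an rkhunter
# "Process ... (PID) listening" warning by reading /proc directly, so the
# answer does not depend on lsof being intact. proc_root defaults to /proc
# and exists only so the logic can be exercised against a constructed tree.

# Print the socket inodes a PID holds open (fd targets like "socket:[9347]").
pid_socket_inodes() {
    pid=$1; root=${2:-/proc}
    for fd in "$root/$pid/fd"/*; do
        [ -L "$fd" ] || continue
        target=$(readlink "$fd") || continue
        case $target in
            'socket:['*']') inode=${target#"socket:["}; printf '%s\n' "${inode%"]"}" ;;
        esac
    done
}

# Print local endpoints (hex addr:port) of TCP sockets in state 0A (LISTEN)
# whose inode is among the arguments. Column 10 of /proc/net/tcp is the inode.
listening_for_inodes() {
    root=$1; shift
    for tbl in "$root/net/tcp" "$root/net/tcp6"; do
        [ -r "$tbl" ] || continue
        awk -v want="$*" '
            BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) w[a[i]] = 1 }
            NR > 1 && $4 == "0A" && ($10 in w) { print $2 }' "$tbl"
    done
}

# Decode an IPv4 endpoint such as 0100007F:03A1 (little-endian bytes) to
# 127.0.0.1:929; IPv6 endpoints are printed unchanged.
decode_endpoint() {
    hex=${1%%:*}; port=${1##*:}
    if [ "${#hex}" -ne 8 ]; then printf '%s\n' "$1"; return; fi
    printf '%d.%d.%d.%d:%d\n' \
        "$((0x$(printf '%s' "$hex" | cut -c7-8)))" \
        "$((0x$(printf '%s' "$hex" | cut -c5-6)))" \
        "$((0x$(printf '%s' "$hex" | cut -c3-4)))" \
        "$((0x$(printf '%s' "$hex" | cut -c1-2)))" \
        "$((0x$port))"
}

# Exit 0 and print each listening endpoint if the PID really listens on TCP;
# exit 1 (nothing printed) if it only holds non-listening sockets, as a
# /bin/login with one unix socket on a tty does.
pid_listening_sockets() {
    pid=$1; root=${2:-/proc}
    inodes=$(pid_socket_inodes "$pid" "$root" | tr '\n' ' ')
    [ -n "$inodes" ] || return 1
    # word-split the inode list on purpose
    found=$(listening_for_inodes "$root" $inodes)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found" | while read -r ep; do decode_endpoint "$ep"; done
}

# Stand-alone use: sh check_listen.sh 3888
[ $# -eq 0 ] || pid_listening_sockets "$1"
```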
#3
On 2007-07-28, Jeff D <fixedored@gmail.com> wrote:

>>> [16:37:43] Warning! Process /bin/login (3888) listening
>
> Normally /bin/login shouldn't be listening. A couple things you could do
> to see if it is listening is:
> lsof -i -n | grep LISTEN

Here's what I got - no sign of /bin/login:

lsof -i -n | grep LISTEN
portmap 2578 daemon 4u IPv4 6938 TCP *:sunrpc (LISTEN)
rpc.statd 2603 statd 8u IPv4 7009 TCP *:37381 (LISTEN)
sshd 3026 root 3u IPv6 7668 TCP *:ssh (LISTEN)
exim4 3385 Debian-exim 3u IPv4 7971 TCP 127.0.0.1:smtp (LISTEN)
inetd 3661 root 4u IPv4 8254 TCP *:auth (LISTEN)
famd 3721 tyler 3u IPv4 8323 TCP 127.0.0.1:929 (LISTEN)
apache 3826 root 16u IPv4 9177 TCP *:www (LISTEN)
apache 3827 www-data 16u IPv4 9177 TCP *:www (LISTEN)
apache 3828 www-data 16u IPv4 9177 TCP *:www (LISTEN)
apache 3829 www-data 16u IPv4 9177 TCP *:www (LISTEN)
apache 3830 www-data 16u IPv4 9177 TCP *:www (LISTEN)
apache 3839 www-data 16u IPv4 9177 TCP *:www (LISTEN)
apache 21000 www-data 16u IPv4 9177 TCP *:www (LISTEN)
apache 21001 www-data 16u IPv4 9177 TCP *:www (LISTEN)
apache 21002 www-data 16u IPv4 9177 TCP *:www (LISTEN)
identd 21568 identd 0u IPv4 8254 TCP *:auth (LISTEN)
identd 21568 identd 1u IPv4 8254 TCP *:auth (LISTEN)
identd 21568 identd 2u IPv4 8254 TCP *:auth (LISTEN)

> if it is listening, it should show up there. providing lsof hasn't been
> compromised.
> if you have another machine available to you, run an nmap scan on it
> like so:
> nmap -sV hostname

I don't have another machine available. What do you think?

Cheers,

Tyler
#4
On Sat, 28 Jul 2007, Tyler Smith wrote:

> On 2007-07-28, Jeff D <fixedored@gmail.com> wrote:
>>>> [16:37:43] Warning! Process /bin/login (3888) listening
>>
>> Normally /bin/login shouldn't be listening. A couple things you could do
>> to see if it is listening is:
>> lsof -i -n | grep LISTEN
>
> Here's what I got - no sign of /bin/login:
>
> lsof -i -n | grep LISTEN
> portmap 2578 daemon 4u IPv4 6938 TCP *:sunrpc (LISTEN)
> rpc.statd 2603 statd 8u IPv4 7009 TCP *:37381 (LISTEN)
> sshd 3026 root 3u IPv6 7668 TCP *:ssh (LISTEN)
> exim4 3385 Debian-exim 3u IPv4 7971 TCP 127.0.0.1:smtp (LISTEN)
> inetd 3661 root 4u IPv4 8254 TCP *:auth (LISTEN)
> famd 3721 tyler 3u IPv4 8323 TCP 127.0.0.1:929 (LISTEN)
> apache 3826 root 16u IPv4 9177 TCP *:www (LISTEN)
> apache 3827 www-data 16u IPv4 9177 TCP *:www (LISTEN)
> apache 3828 www-data 16u IPv4 9177 TCP *:www (LISTEN)
> apache 3829 www-data 16u IPv4 9177 TCP *:www (LISTEN)
> apache 3830 www-data 16u IPv4 9177 TCP *:www (LISTEN)
> apache 3839 www-data 16u IPv4 9177 TCP *:www (LISTEN)
> apache 21000 www-data 16u IPv4 9177 TCP *:www (LISTEN)
> apache 21001 www-data 16u IPv4 9177 TCP *:www (LISTEN)
> apache 21002 www-data 16u IPv4 9177 TCP *:www (LISTEN)
> identd 21568 identd 0u IPv4 8254 TCP *:auth (LISTEN)
> identd 21568 identd 1u IPv4 8254 TCP *:auth (LISTEN)
> identd 21568 identd 2u IPv4 8254 TCP *:auth (LISTEN)
>
>> if it is listening, it should show up there. providing lsof hasn't been
>> compromised.
>> if you have another machine available to you, run an nmap scan on it
>> like so:
>> nmap -sV hostname
>
> I don't have another machine available. What do you think?
>
> Cheers,
>
> Tyler
>

You could also try something like this:

lsof -n -p `pidof login | sed s/\ /\,/g`

or

lsof -n -p 3888

(since that is the process id that rkhunter is reporting listening)

Do you have nmap installed on the local machine? You could run a nmap -sV localhost against it and it should report back with something as well.

You can also install the debsums package, it will do a md5sum check against installed packages.

Also, what version of debian are you running? Is this machine behind a firewall or do you have a firewall running on it? You may also

Jeff
-+-
8 out of 10 Owners who Expressed a Preference said Their Cats Preferred Techno.
#5
On 2007-07-28, Jeff D <fixedored@gmail.com> wrote:

> also, what version of debian are you running? Is this machine behind a
> firewall or do you have a firewall running on it? You may also

I'm running Lenny on a laptop, usually connected to various wireless routers. I recently noticed that firestarter wasn't actually starting automatically, something to do with the network not being up when I boot, and I don't always remember to turn it on after I connect to the wireless router. Also, even when I am running firestarter I have to turn it off in order to access my university via vpn.

I've pasted the results of all the tests you suggested below. I don't understand much, but the md5sum mis-match for the rkhunter files is definitely worrying. Am I going to have to re-install?

Thanks,

Tyler

> you can also install the debsums package, it will do a md5sum check
> against installed packages.

root:chapter3# debsums -s
debsums: no md5sums for amarok-engines
debsums: no md5sums for at
debsums: no md5sums for base-files
debsums: no md5sums for bc
debsums: no md5sums for bin86
debsums: no md5sums for binutils
debsums: no md5sums for bsdutils
debsums: no md5sums for bzip2
debsums: can't open cltl file /usr/share/doc/cltl/README.Debian (No such file or directory)
debsums: can't open cltl file /usr/share/doc/cltl/copyright (No such file or directory)
debsums: can't open cltl file /usr/share/doc/cltl/changelog.gz (No such file or directory)
debsums: no md5sums for console-data
debsums: no md5sums for dc
debsums: no md5sums for debian-archive-keyring
debsums: no md5sums for debian-policy
debsums: no md5sums for dict
debsums: no md5sums for doc-debian
debsums: can't open ebook-dev-alp file /usr/share/doc/ebook-dev-alp/advanced-linux-programming.pdf.gz (No such file or directory)
debsums: no md5sums for ed
debsums: no md5sums for figlet
debsums: no md5sums for g++
debsums: no md5sums for g77
debsums: no md5sums for gawk
debsums: no md5sums for gawk-doc
debsums: no md5sums for gnupg
debsums: no md5sums for gnuplot
debsums: no md5sums for gpgv
debsums: no md5sums for hibernate
debsums: no md5sums for initscripts
debsums: no md5sums for installation-guide-i386
debsums: no md5sums for installation-report
debsums: no md5sums for klogd
debsums: no md5sums for libaudio2
debsums: no md5sums for libbz2-1.0
debsums: no md5sums for libbz2-dev
debsums: no md5sums for libdb4.2
debsums: no md5sums for libdb4.3
debsums: no md5sums for libdb4.4
debsums: checksum mismatch libgcj-common file /usr/share/doc/libgcj-common/copyright
debsums: checksum mismatch libgcj-common file /usr/share/doc/libgcj-common/changelog.Debian.gz
debsums: no md5sums for libgdbm3
debsums: no md5sums for libgsm1
debsums: no md5sums for libhdf4g
debsums: no md5sums for libident
debsums: no md5sums for liblockfile1
debsums: no md5sums for libncurses5
debsums: no md5sums for libncurses5-dev
debsums: no md5sums for libncursesw5
debsums: no md5sums for libnetcdf3
debsums: no md5sums for libvolume-id0
debsums: no md5sums for lynx
debsums: no md5sums for make-doc
debsums: no md5sums for mawk
debsums: no md5sums for mime-support
debsums: no md5sums for module-init-tools
debsums: no md5sums for mount
debsums: no md5sums for mpack
debsums: no md5sums for ncurses-base
debsums: no md5sums for ncurses-bin
debsums: no md5sums for ncurses-term
debsums: no md5sums for netbase
debsums: no md5sums for openbsd-inetd
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prauctex.cfg
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prauctex.def
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prcounters.def
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/preview.sty
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prfootnotes.def
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prlyx.def
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prshowbox.def
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prshowlabels.def
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prtightpage.def
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prtracingall.def
debsums: no md5sums for r-recommended
debsums: no md5sums for rcs
debsums: checksum mismatch rkhunter file /var/lib/rkhunter/db/mirrors.dat
debsums: checksum mismatch rkhunter file /var/lib/rkhunter/db/os.dat
debsums: checksum mismatch rkhunter file /var/lib/rkhunter/db/programs_good.dat
debsums: checksum mismatch rkhunter file /var/lib/rkhunter/db/defaulthashes.dat
debsums: no md5sums for rsync
debsums: no md5sums for ssh
debsums: no md5sums for strace
debsums: no md5sums for sun-java5-fonts
debsums: no md5sums for sun-java5-plugin
debsums: no md5sums for svgalibg1
debsums: no md5sums for sysklogd
debsums: no md5sums for sysv-rc
debsums: no md5sums for sysvinit
debsums: no md5sums for sysvinit-utils
debsums: no md5sums for udev
debsums: no md5sums for update-inetd
debsums: no md5sums for util-linux
debsums: no md5sums for whois

>>
>
> you could also try something like this:
> lsof -n -p `pidof login | sed s/\ /\,/g` or lsof -n -p 3888 ( since that
> is the process id that rkhunter is reporting listening)

root:chapter3# lsof -n -p 3888
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
login 3888 root cwd DIR 0,13 4040 955 /dev
login 3888 root rtd DIR 8,3 4096 2 /
login 3888 root txt REG 8,3 35204 193543 /bin/login
login 3888 root mem REG 8,3 38416 532977 /lib/i686/cmov/libnss_files-2.6.so
login 3888 root mem REG 8,3 34352 532979 /lib/i686/cmov/libnss_nis-2.6.so
login 3888 root mem REG 8,3 30436 532975 /lib/i686/cmov/libnss_compat-2.6.so
login 3888 root mem REG 8,3 220764 596845 /lib/libsepol.so.1
login 3888 root mem REG 8,3 83512 597381 /lib/libselinux.so.1
login 3888 root mem REG 8,3 83712 532974 /lib/i686/cmov/libnsl-2.6.so
login 3888 root mem REG 8,3 9708 598622 /lib/security/pam_mail.so
login 3888 root mem REG 8,3 4244 598624 /lib/security/pam_motd.so
login 3888 root mem REG 8,3 9696 532987 /lib/i686/cmov/libutil-2.6.so
login 3888 root mem REG 8,3 8640 598618 /lib/security/pam_lastlog.so
login 3888 root mem REG 8,3 17204 598619 /lib/security/pam_limits.so
login 3888 root mem REG 8,3 51484 598645 /lib/security/pam_unix.so
login 3888 root mem REG 8,3 9684 532935 /lib/i686/cmov/libdl-2.6.so
login 3888 root mem REG 8,3 1331968 532932 /lib/i686/cmov/libc-2.6.so
login 3888 root mem REG 8,3 8264 598609 /lib/libpam_misc.so.0.79
login 3888 root mem REG 8,3 29700 596838 /lib/libpam.so.0.79
login 3888 root mem REG 8,3 21908 532934 /lib/i686/cmov/libcrypt-2.6.so
login 3888 root mem REG 8,3 11024 596837 /lib/libcap.so.1.10
login 3888 root mem REG 8,3 11232 598616 /lib/security/pam_group.so
login 3888 root mem REG 8,3 10372 598613 /lib/security/pam_env.so
login 3888 root mem REG 8,3 5908 598625 /lib/security/pam_nologin.so
login 3888 root mem REG 8,3 7144 598629 /lib/security/pam_securetty.so
login 3888 root mem REG 8,3 117336 774195 /lib/ld-2.6.so
login 3888 root 0u CHR 4,1 1059 /dev/tty1
login 3888 root 1u CHR 4,1 1059 /dev/tty1
login 3888 root 2u CHR 4,1 1059 /dev/tty1
login 3888 root 4r REG 8,3 1237 517938 /etc/passwd
login 3888 root 5u unix 0xf7ddac80 9347 socket
root:chapter3#

root:chapter3# lsof -n -p `pidof login` | sed s/\ /\,/g
COMMAND,,PID,USER,,,FD,,,TYPE,,,,,DEVICE,,,,SIZE,,,NODE,NAME
login,,,3888,root,,cwd,,,,DIR,,,,,,,0,13,,,,4040,,,,955,/dev
login,,,3888,root,,rtd,,,,DIR,,,,,,,,8,3,,,,4096,,,,,,2,/
login,,,3888,root,,txt,,,,REG,,,,,,,,8,3,,,35204,193543,/bin/login
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,38416,532977,/lib/i686/cmov/libnss_files-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,34352,532979,/lib/i686/cmov/libnss_nis-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,30436,532975,/lib/i686/cmov/libnss_compat-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,220764,596845,/lib/libsepol.so.1
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,83512,597381,/lib/libselinux.so.1
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,83712,532974,/lib/i686/cmov/libnsl-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,9708,598622,/lib/security/pam_mail.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,4244,598624,/lib/security/pam_motd.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,9696,532987,/lib/i686/cmov/libutil-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,8640,598618,/lib/security/pam_lastlog.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,17204,598619,/lib/security/pam_limits.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,51484,598645,/lib/security/pam_unix.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,9684,532935,/lib/i686/cmov/libdl-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,1331968,532932,/lib/i686/cmov/libc-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,8264,598609,/lib/libpam_misc.so.0.79
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,29700,596838,/lib/libpam.so.0.79
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,21908,532934,/lib/i686/cmov/libcrypt-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,11024,596837,/lib/libcap.so.1.10
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,11232,598616,/lib/security/pam_group.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,10372,598613,/lib/security/pam_env.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,5908,598625,/lib/security/pam_nologin.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,7144,598629,/lib/security/pam_securetty.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,117336,774195,/lib/ld-2.6.so
login,,,3888,root,,,,0u,,,CHR,,,,,,,,4,1,,,,,,,,,,,1059,/dev/tty1
login,,,3888,root,,,,1u,,,CHR,,,,,,,,4,1,,,,,,,,,,,1059,/dev/tty1
login,,,3888,root,,,,2u,,,CHR,,,,,,,,4,1,,,,,,,,,,,1059,/dev/tty1
login,,,3888,root,,,,4r,,,REG,,,,,,,,8,3,,,,1237,517938,/etc/passwd
login,,,3888,root,,,,5u,,unix,0xf7ddac80,,,,,,,,,,,9347,socket
root:chapter3#

>
> do you have nmap installed on the local machine? you could run a nmap -sV
> localhost against it and it should report back with something as well.

root:chapter3# nmap -sV localhost

Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-29 00:26 ADT
Interesting ports on localhost (127.0.0.1):
Not shown: 1691 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.6p1 Debian 4 (protocol 2.0)
25/tcp open smtp Exim smtpd 4.67
80/tcp open http Apache httpd 1.3.34 ((Debian))
111/tcp open rpcbind 2 (rpc #100000)
113/tcp open ident OpenBSD identd
929/tcp open unknown
Service Info: Host: blackbart.mynetwork; OSs: Linux, OpenBSD

Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 6.208 seconds
root:chapter3#

>
>
> Jeff
>
> -+-
> 8 out of 10 Owners who Expressed a Preference said Their Cats Preferred Techno.
>
#6
On Sat, 29 Jul 2007, Tyler Smith wrote:

> On 2007-07-28, Jeff D <fixedored@gmail.com> wrote:
>> also, what version of debian are you running? Is this machine behind a
>> firewall or do you have a firewall running on it? You may also
>
> I'm running Lenny on a laptop, usually connected to various wireless
> routers. I recently noticed that firestarter wasn't actually starting
> automatically, something to do with the network not being up when I
> boot, and I don't always remember to turn it on after I connect to the
> wireless router. Also, even when I am running firestarter I have to
> turn it off in order to access my university via vpn.
>
> I've pasted the results of all the tests you suggested below. I don't
> understand much, but the md5sum mis-match for the rkhunter files is
> definitely worrying. Am I going to have to re-install?
>
> Thanks,
>
> Tyler
>
>
>> you can also install the debsums package, it will do a md5sum check
>> against installed packages.
>
> root:chapter3# debsums -s
<SNIP tons of debsum output>
> debsums: checksum mismatch libgcj-common file /usr/share/doc/libgcj-common/copyright
> debsums: checksum mismatch libgcj-common file /usr/share/doc/libgcj-common/changelog.Debian.gz
>
<SNIP lsof output>
>>
>
>> do you have nmap installed on the local machine? you could run a nmap -sV
>> localhost against it and it should report back with something as well.
>
> root:chapter3# nmap -sV localhost
>
> Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-29 00:26 ADT
> Interesting ports on localhost (127.0.0.1):
> Not shown: 1691 closed ports
> PORT STATE SERVICE VERSION
> 22/tcp open ssh OpenSSH 4.6p1 Debian 4 (protocol 2.0)
> 25/tcp open smtp Exim smtpd 4.67
> 80/tcp open http Apache httpd 1.3.34 ((Debian))
> 111/tcp open rpcbind 2 (rpc #100000)
> 113/tcp open ident OpenBSD identd
> 929/tcp open unknown
> Service Info: Host: blackbart.mynetwork; OSs: Linux, OpenBSD
>
> Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
> Nmap finished: 1 IP address (1 host up) scanned in 6.208 seconds
> root:chapter3#
>

From the looks of it, it could have just been a false positive. I've seen rkhunter report a few, not very often though. I'd run rkhunter again, install chkrootkit, run that, see if the two match up.

As far as debsums reporting back on the rkhunter files, those will probably not match, as they can get updated.

-+-
8 out of 10 Owners who Expressed a Preference said Their Cats Preferred Techno.
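As an added example (not written by anyone in this thread), here is one way to sort the `debsums -s` output Tyler pasted so that the rkhunter database files Jeff says are expected to change are separated from mismatches in executables, which would matter; the prefix lists, class names and the invented /bin/ls line are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: sort "debsums -s" output so that
# mismatches in executables and libraries stand out from files that
# legitimately change after installation (the rkhunter databases under
# /var/lib, conffiles under /etc). debsums compares against the md5sums
# dpkg stored locally, so on a box that really is rooted it can be fed
# the wrong answer; a clean result is one data point, not proof.

# Classify a mismatched path: executable (code that runs), updated-by-design
# (state the package itself rewrites), or other (look at it by hand).
classify_path() {
    case $1 in
        /bin/*|/sbin/*|/lib/*|/usr/bin/*|/usr/sbin/*|/usr/lib/*|/boot/*) echo executable ;;
        /var/lib/*|/var/cache/*|/etc/*) echo updated-by-design ;;
        *) echo other ;;
    esac
}

# Read debsums -s output on stdin and print "<class> <package> <path>" for
# every "checksum mismatch" line; "no md5sums" and "can't open" lines are
# not mismatches and are dropped.
triage_debsums() {
    while IFS= read -r line; do
        case $line in
            "debsums: checksum mismatch "*)
                rest=${line#"debsums: checksum mismatch "}
                pkg=${rest%% file *}
                path=${rest#* file }
                printf '%s %s %s\n' "$(classify_path "$path")" "$pkg" "$path"
                ;;
        esac
    done
}

# Number of mismatches that touch executable code (stdin = debsums output).
executable_mismatches() {
    triage_debsums | awk '$1 == "executable" { n++ } END { print n + 0 }'
}

# Constructed sample: lines taken from this thread plus one invented
# /bin/ls mismatch so that the "executable" class has something to show.
SAMPLE_DEBSUMS=$(cat <<'EOF'
debsums: no md5sums for at
debsums: can't open cltl file /usr/share/doc/cltl/copyright (No such file or directory)
debsums: checksum mismatch libgcj-common file /usr/share/doc/libgcj-common/copyright
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/preview.sty
debsums: checksum mismatch rkhunter file /var/lib/rkhunter/db/programs_good.dat
debsums: checksum mismatch coreutils file /bin/ls
EOF
)

# Stand-alone use on a real box: debsums -s | sh triage_debsums.sh
# Here the constructed sample is triaged instead.
printf '%s\n' "$SAMPLE_DEBSUMS" | triage_debsums
```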
#7
On 2007-07-29, Jeff D <fixedored@gmail.com> wrote:

>
> From the looks of it, it could have just been a false positive. I've seen
> rkhunter report a few, not very often though. I'd run rkhunter again,
> install chkrootkit, run that, see if the two match up.
>
> As far as debsums reporting back on the rkhunter files, those will
> probably not match, as they can get updated.
>

I ran rkhunter again, and then for good measure I aptitude --purged it, reinstalled, and ran again. And then I thought maybe the whole thing was compromised, so I purged it again, installed rkhunter 1.30 from sourceforge, and ran again. And I also ran chkrootkit. In all cases they showed nothing happening, except for warning me that some of my /bin executables had been replaced by scripts -- stuff like egrep, fgrep etc.

So perhaps it was just a false positive. I'm going to read up on security stuff now, so maybe I'll have some idea how to proceed the next time.

Thanks for your ,

Tyler
#8
On Sun, Jul 29, 2007 at 12:48:16PM +0000, Tyler Smith wrote:

> On 2007-07-29, Jeff D <fixedored@gmail.com> wrote:
> I ran rkhunter again, and then for good measure I aptitude --purged
> it, reinstalled, and ran again. And then I thought maybe the whole
> thing was compromised, so I purged it again, installed rkhunter 1.30
> from sourceforge, and ran again. And I also ran chkrootkit. In all
> cases they showed nothing happening, except for warning me that some
> of my /bin executables had been replaced by scripts -- stuff like
> egrep, fgrep etc.
>
> So perhaps it was just a false positive. I'm going to read up on
> security stuff now, so maybe I'll have some idea how to proceed the
> next time.
>

It's tricky. If you have been rooted, you can't trust anything on the system, including aptitude.

As for reading, try the package harden-doc.

Good luck.

Doug.