LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
#16  03-23-2013, 10:08 AM
Zzipo (LQ Newbie, Original Poster; registered Mar 2013, 28 posts)

Quote:
Originally posted by unSpawn:
...additionally I would like to point out that there has been a lot of talk about "markers" but no actual data has been shown: depending on the bookmark format there may be at least one date attached to a bookmark. Also, backups aren't mentioned: if you make daily backups then it would be easier to pinpoint the time of change and what actually changed. If daily backups include the whole browser directory of the user, this may also include the user's browsing history, which may or may not reveal more clues.

Personally I would not waste time trying to guess, speculate or formulate hypotheses. Entertaining as that may be, letting the facts (if any) speak for themselves would be "better" IMHO.
Of course, the only problem is that if I have no backup (I don't know if openSUSE makes one by itself automatically), I don't know how to prove that.
Now I can only trust the users who reported that problem.

The bookmarks of Mozilla Firefox are stored in places.sqlite. I could try to open the file, but I don't think it preserves the modification dates of those bookmarks... Probably it preserves only the last insertion/modification. In this case, the previous links were deleted and the two original ones inserted again, so I think that is the only info I can see. What do you think?

Thanks
 
#17  03-23-2013, 10:36 AM
unSpawn (Moderator; registered May 2001, 26,532 posts, 51 blog entries)

The moz_bookmarks table contains two integers (epoch-based, obviously) for each bookmark, called dateAdded and lastModified.
Also, please reread Noway2's post above for any questions you should reply to or actions to perform.
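Added example (editor's code, not from the thread): a script that pulls dateAdded and lastModified out of places.sqlite and converts them to UTC. Firefox stores both columns as microseconds since the Unix epoch, so a 16-digit value such as the ones posted later in this thread is divided by 1,000,000, not 1,000. The script also flags rows whose dateAdded is older than that of a row with a lower id: SQLite hands out moz_bookmarks ids in insertion order regardless of the clock, so such a row means the clock went backwards between inserts, the timestamp was carried over by an import or restore, or the value was edited. Assumptions: the schema below is a subset of the real one (unused columns omitted); the sample rows reuse the two timestamp pairs quoted in the thread with placeholder titles and URLs, plus two constructed rows.

```python
import sqlite3
import datetime as dt

# Firefox keeps moz_bookmarks.dateAdded and lastModified as PRTime values:
# integer microseconds since the Unix epoch (16 digits for 2012/2013 dates).
EPOCH = dt.datetime(1970, 1, 1, tzinfo=dt.timezone.utc)


def prtime_to_utc(us):
    """Convert a PRTime microsecond count to an aware UTC datetime, exactly."""
    return EPOCH + dt.timedelta(microseconds=int(us))


# Subset of the real places.sqlite schema (assumption: only the columns used here).
SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
CREATE TABLE moz_bookmarks (
    id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER, parent INTEGER,
    title TEXT, dateAdded INTEGER, lastModified INTEGER);
"""

# Constructed sample: the two dateAdded/lastModified pairs quoted in the thread
# plus two made-up rows; titles and URLs are placeholders, not real data.
SAMPLE_PLACES = [(1, "http://company-x.example/"), (2, "http://other.example/"),
                 (3, "http://related.example/"), (4, "http://late.example/")]
SAMPLE_BOOKMARKS = [
    # id, type (1=bookmark, 2=folder), fk, parent, title, dateAdded, lastModified
    (10, 1, 1, 5, "Company X",             1344854147342669, 1344854147342669),
    (11, 1, 2, 5, "Other site",            1355422673000000, 1355422673000000),
    (12, 1, 3, 5, "Related to Company X",  1361697872074617, 1361697872337850),
    (13, 1, 4, 5, "Newer row, older date", 1360473469000000, 1360473469000000),
]


def build_sample_db():
    """In-memory stand-in for a copy of places.sqlite."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO moz_places VALUES (?,?)", SAMPLE_PLACES)
    conn.executemany("INSERT INTO moz_bookmarks VALUES (?,?,?,?,?,?,?)", SAMPLE_BOOKMARKS)
    return conn


def bookmark_timeline(conn):
    """All bookmarks (type 1) ordered by dateAdded, both times rendered in UTC."""
    rows = conn.execute(
        "SELECT b.id, b.title, p.url, b.dateAdded, b.lastModified "
        "FROM moz_bookmarks b LEFT JOIN moz_places p ON p.id = b.fk "
        "WHERE b.type = 1 ORDER BY b.dateAdded, b.id").fetchall()
    return [{"id": i, "title": t, "url": u,
             "added": prtime_to_utc(a).isoformat(),
             "modified": prtime_to_utc(m).isoformat(),
             "edited_after_add": m > a}
            for i, t, u, a, m in rows]


def out_of_order_ids(conn):
    """Ids whose dateAdded is older than that of a bookmark with a lower id.

    SQLite assigns a new INTEGER PRIMARY KEY as max(id)+1, so id order is
    insertion order whatever the clock said.  A row that is newer by id but
    older by dateAdded needs an explanation: clock moved backwards, timestamp
    preserved by an import/restore, or the value was edited.
    """
    rows = conn.execute("SELECT id, dateAdded FROM moz_bookmarks WHERE type = 1 ORDER BY id")
    flagged, newest = [], 0
    for bid, added in rows:
        if added < newest:
            flagged.append(bid)
        newest = max(newest, added)
    return flagged


if __name__ == "__main__":
    import sys
    # Work on a copy of places.sqlite (Firefox locks the live file); default: sample.
    db = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    for row in bookmark_timeline(db):
        print(row)
    print("out-of-order ids:", out_of_order_ids(db))
```

Both values are written by Firefox from the system clock at insert time, so they are only as trustworthy as that clock was; the id-order check is the one signal in the table that does not depend on it.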
 
#18  04-02-2013, 07:58 PM
Zzipo (LQ Newbie, Original Poster; registered Mar 2013, 28 posts)

Ok, after one week I am back here.

Finally I have looked inside moz_bookmarks, but this is the only information I can get:

Code:
...
--------------------
Link Name of Website of "Company X"
None
749
1344854147342669
1344854147342669
--------------------
...
--------------------
Link Name of Website related to "Company X"
None
4734
1361697872074617
1361697872337850
--------------------
...

What is the problem? I have checked again the links in that folder (those links that could have been modified, deleted and inserted) and there are some problems...
I have translated all of them to UTC from those milliseconds.
Code:
$ date --date='@1344854147'                                                                              
lun ago 13 11:35:47 WEST 2012
$ date --date='@1361697872'
dom feb 24 09:24:32 WET 2013
$ date --date='@1355422673'
jue dic 13 18:17:53 WET 2012
$ date --date='@1360473469'
dom feb 10 05:17:49 WET 2013
$ date --date='@1360509219'
dom feb 10 15:13:39 WET 2013
$ date --date='@1354687439'
mi dic  5 06:03:59 WET 2012
$ date --date='@1354645496'
mar dic  4 18:24:56 WET 2012
$ date --date='@1362723517'
vie mar  8 06:18:37 WET 2013
Taking only the seconds (because date only accepts that, not milliseconds), here is something really weird.
If I compare the "speech/version" that the users (two) gave me after the changes on the system were performed, something is wrong.
- I trust the users more than what the system says. Why?
--> If a user is pretty sure that this link was added by himself at that moment, I have to trust him.
--> The clock of the system goes wrong sometimes (now, for example, it is two hours behind), but they said that in the last months (6-8 months) sometimes it was really wrong.
Should I trust what the milliseconds say? Or, even if the software clock is wrong, do those milliseconds tell the truth?
--> If an intruder gets inside the system, it is not so hard to change these milliseconds. But something that doesn't match the behaviour of "changing" the Mozilla bookmarks... that doesn't make sense (only to threaten the users).

The users are pretty sure they added the first of the links. It is the "lun ago 13 11:35:47 WEST 2012" one. They don't remember what the second link they added was, but they think (not sure) it was the second one, "dom feb 24 09:24:32 WET 2013".

If I compare the users' version with what the extraction of bookmarks says, the only possible pair of links on the same day is:
dom feb 10 05:17:49 WET 2013
dom feb 10 15:13:39 WET 2013
But they are sure one of the links was "X", which I mentioned above (lun ago 13 11:35:47 WEST 2012). So something is wrong here.
And not only that: if we take those two links added on 10 Feb (they match the day the users noticed the difference in the bookmarks), we can see that there is a huge difference (5 am to 3 pm). They don't remember if they changed both links at the same time (delete the two "intruder" links, add the new two) or if they did this at different hours.
They also don't remember if it happened on 10 Feb or 11 Feb.

So, three combinations... mixing "bad memory", "clock offsets and misconfigurations" and "sure of adding the 'X' link to the bookmarks".


* I have made a test, adding a new webpage now, closing Firefox and then executing the script to check places.sqlite.
I see the milliseconds, translate them to a date, and get:
mar abr 2 22:57:30 WEST 2013
That matches the local system.

-- I change the local system clock manually to, for example, one month before, but the same time.

But when I search for something in Google, it says "exception in certificate, add manually, ..." only because of the time on my system.
Finally, I add another link, check places.sqlite again, and it shows:
sb mar 2 22:06:39 WET 2013

So, yes, it is definitely the same clock (Mozilla doesn't use the hardware clock or some other way to get it).

I don't know how the clock could be changed without doing this manually. A good way to discard (or not) this theory of an incorrect clock is knowing what could change it.

So, no facts.


----- Returning to Noway2's post.

Thank you!

I have made these notes, but I am not sure how to check if something is wrong inside/related:

at jobs -> cron tasks
.hidden files

pam.d -> auth files
/etc/ configuration files

/usr/lib/kde4/libexec/kcheckpass -> login process

netcat files -> links replaced (redirect connections)


I have read:
To know which package owns a file:
Code:
which file
rpm -qf `which file`
then, to verify the integrity of the package:
Code:
rpm -V bash
In this case, I have made the following tests:
Code:
which crontab
rpm -qf /usr/bin/crontab
rpm -V cronie
which kcheckrunning
rpm -qf /usr/bin/kcheckrunning
rpm -V kdebase4-workspace
....

Results:
Code:
$ rpm -V cronie
?........  c /etc/cron.deny
miss   /var/spool/cron/lastrun (Permission denied)
miss   /var/spool/cron/tabs (Permission denied)

$ rpm -V bash
?........  c /etc/skel/.bash_history

$ rpm -V kdebase4-workspace
......G..    /usr/lib/kde4/libexec/kcheckpass

$ rpm -V pwdutils
5S.T.....  c /etc/default/passwd

$rpm -V login
5S.T.....  c /etc/pam.d/login
... I see that I am doing the same as sudo rpm -qVa, but "slowly". So, this is nothing new. I'll stop with this.


Something weird:
If I do, for example, "sudo rpm -V cronie", it doesn't print anything as a result. Only if I do "rpm -V cronie".



About .gvfs
Code:
$ sudo cat /home/userA/.gvfs
root's password:
cat: /home/userA/.gvfs: Permission denied
$ cat /home/userA/.gvfs
cat: /home/userA/.gvfs: Is a directory
$ sudo ls /home/userA/.gvfs
ls: is not accesible /home/userA/.gvfs: Permission denied
$ sudo file /home/userA/.gvfs
/home/userA/.gvfs: ERROR: cannot open `/home/userA/.gvfs' (Permission denied)
Notice that I cannot see what that is. "cat" only says that it is a directory, "sudo cat" gives permission denied, "sudo ls" permission denied and "sudo file" the same.
In the Dolphin file manager it looks like a folder, and then empty. The owner is userA, but only he can see it; group and others get nothing.

Cron && /usr/bin/at
I don't understand what the at files are or how to see them.
But I have searched about cron, and I have done:
Code:
crontab -l
no crontab for userA
sudo crontab -l
no crontab for root

$ rpm -V at
?........  c /etc/at.deny
miss   /var/spool/atjobs/.SEQ (Permission denied)

$ sudo cat /etc/at.deny
root's password:
root
bin
daemon
lp
mail
news
uucp
games
man
wwwrun
ftp
nobody

$ sudo ls /var/spool/atjobs/
(nothing in atjobs/ )


pam.d files
I only show the lines that are not commented out:
Code:
-> $ cat common-account
account required        pam_unix2.so

-> $ cat common-auth
auth    required        pam_env.so
auth    optional        pam_gnome_keyring.so
auth    required        pam_unix2.so

-> $ cat common-password
password        requisite       pam_pwcheck.so  nullok cracklib 
password        optional        pam_gnome_keyring.so    use_authtok
password        required        pam_unix2.so    use_authtok nullok 

-> $ cat common-session
session required        pam_limits.so
session required        pam_unix2.so
session optional        pam_umask.so
session optional        pam_systemd.so
session optional        pam_gnome_keyring.so    auto_start only_if=gdm,gdm-password,lxdm,lightdm

-> $ cat login
#%PAM-1.0
auth     requisite      pam_nologin.so
auth     [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad]        pam_securetty.so
auth     include        common-auth
account  include        common-account
password include        common-password
session  required       pam_loginuid.so
session  include        common-session
session  optional       pam_lastlog.so  nowtmp showfailed 
session  optional       pam_mail.so standard
session  optional       pam_ck_connector.so
/usr/lib/kde4/libexec/kcheckpass
Code:
$ file kcheckpass 
kcheckpass: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.16, BuildID[sha1]=0x31321591229963daea1a87d5c08cb6699c7903c8, stripped
$ /usr/lib/kde4/libexec> ls -l
total 2536
-rwxr-xr-x 1 root root     22232 nov  5  2011 backlighthelper
-rwxr-xr-x 1 root root     18128 oct 30  2011 bluedevil-authorize
-rwxr-xr-x 1 root root     14024 oct 30  2011 bluedevil-confirmmodechange
-rwxr-xr-x 1 root root     13992 oct 30  2011 bluedevil-requestconfirmation
-rwxr-xr-x 1 root root     22360 oct 30  2011 bluedevil-requestpin
-rwxr-xr-x 1 root root    495796 oct 30  2011 drkonqi
lrwxrwxrwx 1 root root        12 ago  1  2012 filesharelist -> fileshareset		<----
-rwxr-xr-x 1 root root     11019 may 20  2011 fileshareset
-rwxr-xr-x 1 root root    149936 nov  5  2011 fontinst
-rwxr-xr-x 1 root root     96504 nov  5  2011 fontinst_helper
-rwxr-xr-x 1 root root      1908 may 20  2011 fontinst_x11
-rwxr-xr-x 1 root root     18088 may 27  2012 k3bsetuphelper
-rwxr-xr-x 1 root root     26304 jul 19  2012 kauth-policy-gen
-rwsr-xr-x 1 root shadow   13988 nov  5  2011 kcheckpass				<----
-rwxr-xr-x 1 root root     22292 nov  5  2011 kcmdatetimehelper
-rwxr-xr-x 1 root root     26408 nov  5  2011 kcmkdmhelper
-rwxr-xr-x 1 root root      9844 oct 30  2011 kcmremotewidgetshelper
-rwxr-xr-x 1 root root      5608 jul 19  2012 kconf_update
-rwxr-xr-x 1 root root       993 may 20  2011 kdeeject
-rwxr-xr-x 1 root root     47416 oct 30  2011 kdesu
-rwxr-sr-x 1 root nogroup  59376 oct 30  2011 kdesud					<----
-rwxr-xr-x 1 root root      9988 jul 19  2012 kdesu_stub
I mark the three that are different (permissions, owner, ...).
kdesud needs no group?

What is the group shadow?
If I do:
$ groups
users video
those are the only responses. -> We will see the groups below... "shadow" and even "nogroup" appear there.


SuSEfirewall2
Code:
$ cat /etc/sysconfig/SuSEfirewall2 | grep -ve "#" | grep -ve "^$"
FW_DEV_EXT="eth0"
FW_DEV_INT=""
FW_DEV_DMZ=""
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_MASQ_DEV=""
FW_MASQ_NETS=""
FW_NOMASQ_NETS=""
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_CONFIGURATIONS_EXT="netbios-server samba-client samba-server"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_CONFIGURATIONS_DMZ=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_CONFIGURATIONS_INT=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_DROP_DMZ=""
FW_SERVICES_DROP_INT=""
FW_SERVICES_REJECT_EXT=""
FW_SERVICES_REJECT_DMZ=""
FW_SERVICES_REJECT_INT=""
FW_SERVICES_ACCEPT_EXT=""
FW_SERVICES_ACCEPT_DMZ=""
FW_SERVICES_ACCEPT_INT=""
FW_SERVICES_ACCEPT_RELATED_EXT=""
FW_SERVICES_ACCEPT_RELATED_DMZ=""
FW_SERVICES_ACCEPT_RELATED_INT=""
FW_TRUSTED_NETS=""
FW_FORWARD=""
FW_FORWARD_REJECT=""
FW_FORWARD_DROP=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY=""
FW_STOP_KEEP_ROUTING_STATE=""
FW_ALLOW_PING_FW=""
FW_ALLOW_PING_DMZ=""
FW_ALLOW_PING_EXT=""
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT="no"
FW_ALLOW_FW_BROADCAST_INT="no"
FW_ALLOW_FW_BROADCAST_DMZ="no"
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING=""
FW_CUSTOMRULES=""
FW_REJECT=""
FW_REJECT_INT=""
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING=""
FW_IPSEC_TRUST="no"
FW_ZONES=""
FW_ZONE_DEFAULT=''
FW_USE_IPTABLES_BATCH=""
FW_LOAD_MODULES="nf_conntrack_netbios_ns"
FW_FORWARD_ALWAYS_INOUT_DEV=""
FW_FORWARD_ALLOW_BRIDGING=""
FW_WRITE_STATUS=""
FW_RUNTIME_OVERRIDE=""
FW_LO_NOTRACK=""
FW_BOOT_FULL_INIT=""
cat /etc/default/passwd
Only the options enabled in the file:
Code:
# Define default crypt hash.
# CRYPT={des,md5,blowfish,sha256,sha512}
CRYPT=

...

# Setting the following option to "yes" tells the sytem that $2a
# hashes are to be treated as generated with the buggy algorithm.
BLOWFISH_2A2X=
CRYPT_FILES=md5
Blowfish and CRYPT are empty.

Netcat
Code:
$ which netcat
/usr/bin/netcat

$ /usr/lib/kde4/libexec> rpm -qf /usr/bin/netcat
netcat-openbsd-1.89-81.1.2.i586

$ /usr/lib/kde4/libexec> rpm -V netcat-openbsd
..L......    /usr/bin/netcat
..L......  d /usr/share/man/man1/netcat.1.gz

$ file /usr/bin/netcat
/usr/bin/netcat: symbolic link to `/etc/alternatives/netcat'

$ file /etc/alternatives/netcat
/etc/alternatives/netcat: symbolic link to `/usr/bin/nc'

$ ls /etc/alternatives/

awk                         java                 jre_1.6.0            ksh.1.gz              policytool          servertool.1.gz
awk.1.gz                    java.1.gz            jre_1.6.0_exports    mount.ntfs            policytool.1.gz     tnameserv
chromium                    javaplugin           jre_exports          mount.ntfs.8.gz       policytool.desktop  tnameserv.1.gz
ftp                         javaws               jre_openjdk          netcat                rmid                usr-bin-awk
ftp.1                       javaws.1             jre_openjdk_exports  netcat.1.gz           rmid.1.gz           usr-bin-ksh
gst-install-plugins-helper  jaxp_parser_impl     keytool              openSUSE-default.xml  rmiregistry         vim
gtk-update-icon-cache       jaxp_transform_impl  keytool.1.gz         orbd                  rmiregistry.1.gz    xml-commons-apis
gtk-update-icon-cache.1.gz  jre                  ksh                  orbd.1.gz             servertool

$ file /usr/bin/nc
/usr/bin/nc: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.16, BuildID[sha1]=0xe153e7e3cec1daefcb4c8a4b0865068a4c058447, stripped

$ which nc
/usr/bin/nc

$ /usr/lib/kde4/libexec> rpm -qf /usr/bin/nc
netcat-openbsd-1.89-81.1.2.i586
I really don't know how to investigate it. As you see, I don't really know more than cat-ing configuration files and checking integrity, not much more.
I see some uses of netcat for other purposes... but it is like "too much" for me now.
http://pseudo-flaw.net/content/conte...stmas-hacking/

I was searching for how to see the log of netcat, how to see the processes/programs that use netcat, ... but nothing.

Users and groups -> passwd and shadow

Code:
$ cat /etc/passwd
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
avahi:x:106:107:User for Avahi:/var/run/avahi-daemon:/bin/false
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
dnsmasq:x:104:65534:dnsmasq:/var/lib/empty:/bin/false
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
messagebus:x:102:103:User for D-Bus:/var/run/dbus:/bin/false
mysql:x:60:106:MySQL database admin:/var/lib/mysql:/bin/false
news:x:9:13:News system:/etc/news:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
ntp:x:74:104:NTP daemon:/var/lib/ntp:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
pulse:x:108:109:PulseAudio daemon:/var/lib/pulseaudio:/sbin/nologin
root:x:0:0:root:/root:/bin/bash
rtkit:x:105:105:RealtimeKit:/proc:/bin/false
smolt:x:107:108:user for smolt:/usr/share/smolt:/sbin/nologin
sshd:x:101:102:SSH daemon:/var/lib/sshd:/bin/false
statd:x:103:65534:NFS statd daemon:/var/lib/nfs:/sbin/nologin
usbmux:x:100:65534:usbmuxd daemon:/var/lib/usbmuxd:/sbin/nologin
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
userA:x:1000:100:userA:/home/userA:/bin/bash
vscan:x:65:111:Vscan account:/var/spool/amavis:/bin/false
Why shadow.old?
Code:
$ sudo cat /etc/shadow.old
at:*:15552:0:99999:7:::
avahi:*:15552:0:99999:7:::
bin:*:15288::::::
daemon:*:15288::::::
dnsmasq:*:15552:0:99999:7:::
ftp:*:15288::::::
games:*:15288::::::
lp:*:15288::::::
mail:*:15288::::::
man:*:15288::::::
messagebus:*:15288:0:99999:7:::
mysql:*:15552:0:99999:7:::
news:*:15288::::::
nobody:*:15288::::::
ntp:*:15288:0:99999:7:::
postfix:*:15288:0:99999:7:::
pulse:*:15552:0:99999:7:::
root:$6$5I2Ex2aF$BQuXA/9MmDE-- reduced by me now --sdfEigMvqDFIG8O2MLM62/:15552::::::
rtkit:*:15552:0:99999:7:::
smolt:*:15552:0:99999:7:::
sshd:*:15288:0:99999:7:::
statd:*:15288:0:99999:7:::
usbmux:*:15288:0:99999:7:::
uucp:*:15288::::::
wwwrun:*:15288::::::
userA:$6$WknRhRQn$bbUYSAv-- reduced by me now --sdf2iJIWKRpWv0:15552:0:99999:7:::
vscan:*:15764:0:99999:7:::

Normal shadow:
Code:
$ sudo cat /etc/shadow
at:*:15552:0:99999:7:::
avahi:*:15552:0:99999:7:::
bin:*:15288::::::
daemon:*:15288::::::
dnsmasq:*:15552:0:99999:7:::
ftp:*:15288::::::
games:*:15288::::::
lp:*:15288::::::
mail:*:15288::::::
man:*:15288::::::
messagebus:*:15288:0:99999:7:::
mysql:*:15552:0:99999:7:::
news:*:15288::::::
nobody:*:15288::::::
ntp:*:15288:0:99999:7:::
postfix:*:15288:0:99999:7:::
pulse:*:15552:0:99999:7:::
root:$1$2zAY--reduced but really SHORT -- H648d48/:15764::::::  
rtkit:*:15552:0:99999:7:::
smolt:*:15552:0:99999:7:::
sshd:*:15288:0:99999:7:::
statd:*:15288:0:99999:7:::
usbmux:*:15288:0:99999:7:::
uucp:*:15288::::::
wwwrun:*:15288::::::
userA:$6$WknRhRQn$bbUYSAv58bLerWYG3V8M7-- reduced by me now --MNMeQs9r.YPWZ.Np2iJIWKRpWv0:15552:0:99999:7:::
vscan:*:15764:0:99999:7:::
The root password was really short, and this is the current shadow.


Groups
Code:
cat /etc/group
at:!:25:
audio:x:17:pulse
avahi:!:107:
bin:x:1:daemon
cdrom:x:20:
console:x:21:
daemon:x:2:
dialout:x:16:
disk:x:6:
floppy:x:19:
ftp:x:49:
games:x:40:
kmem:x:9:
lock:x:54:
lp:x:7:
mail:x:12:postfix
maildrop:!:59:postfix
man:x:62:
messagebus:!:103:
modem:x:43:
mysql:!:106:
news:x:13:
nobody:x:65533:
nogroup:x:65534:nobody
ntadmin:!:71:
ntp:!:104:
postfix:!:51:
public:x:32:
pulse:!:109:
pulse-access:!:110:
root:x:0:
rtkit:!:105:
shadow:x:15:
smolt:!:108:
sshd:!:102:
sys:x:3:
tape:!:101:
trusted:x:42:
tty:x:5:
utmp:x:22:
uucp:x:14:
video:x:33:userA
wheel:x:10:
www:x:8:
xok:x:41:
users:x:100:
vscan:!:111:
CERT point 8
Code:
$ cat /etc/hosts
127.0.0.1       localhost

# special IPv6 addresses
::1             localhost ipv6-localhost ipv6-loopback

fe00::0         ipv6-localnet

ff00::0         ipv6-mcastprefix
ff02::1         ipv6-allnodes
ff02::2         ipv6-allrouters
ff02::3         ipv6-allhosts


$ cat /etc/hosts.equiv
(just comments)

$ cat /etc/hosts.lpd
(just comments)

$ sudo find / -name .rhost
(nothing)
CERT point 9 half
Code:
$ sudo find / -name ".*" -print -xdev | cat -v
root's password:
find: warning: you have specified the -xdev option after a non-option argument -name, but options are not positional (-xdev affects tests specified before it as well as those specified after it).  Please specify options before other arguments.

/var/lib/rpm/.rpm.lock
/var/tmp/kdecache-userA/plasma-wallpapers/home/userA/.kde4
/var/spool/atjobs/.SEQ
/root/.pulse-cookie
/root/.config
/root/inst-sys/.config
/root/inst-sys/.gnupg
/root/.pulse
/root/.dbus
/root/.gnupg
/root/.kdm
/root/.kbd
/root/.kbd/.keymap_sv
/root/.kde
/root/.gconf
/root/.kde4
/root/.bash_history
/.readahead
/.config
/usr/lib/perl5/5.14.2/i586-linux-thread-multi/.packlist
/usr/share/vlc/lua/http/dialogs/.hosts
/usr/share/vlc/lua/http/.hosts
/usr/share/susehelp/meta/Development/Libraries/.directory
/usr/share/susehelp/meta/Development/.directory
/usr/share/susehelp/meta/Development/Tools/.directory
/usr/share/susehelp/meta/Development/Languages/.directory
/usr/share/susehelp/meta/Manuals/Productivity/Amusements/.directory
/usr/share/susehelp/meta/Manuals/Productivity/.directory
/usr/share/susehelp/meta/Manuals/Applications/.directory
/usr/share/susehelp/meta/Manuals/KDE/.directory
/usr/share/susehelp/meta/Manuals/.directory
/usr/share/susehelp/meta/Administration/Hardware/.directory
/usr/share/susehelp/meta/Administration/System/.directory
/usr/share/susehelp/meta/Administration/.directory
/usr/share/susehelp/meta/Administration/Linux/Manpages/.directory
/usr/share/susehelp/meta/Administration/Linux/.directory
/usr/share/susehelp/meta/Internet/.directory
/usr/share/ghostscript/fonts/.fonts-config-timestamp
/usr/share/kde4/apps/konqsidebartng/virtual_folders/services/.directory
/usr/share/kde4/apps/konqsidebartng/virtual_folders/remote/web/.directory
/usr/share/kde4/apps/konqsidebartng/virtual_folders/remote/ftp/.directory
/usr/share/kde4/apps/konqsidebartng/virtual_folders/remote/.directory
/usr/share/kde4/apps/kdm/faces/.default.face.icon
/usr/share/kde4/apps/kdm/pics/.randomlist
/usr/share/kde4/apps/khelpcenter/plugins/Manpages/.directory
/usr/share/kde4/apps/khelpcenter/plugins/Applications/.directory
/usr/share/kde4/apps/khelpcenter/plugins/Scrollkeeper/.directory
/usr/share/kde4/templates/.source
/usr/share/fonts/misc/.fonts-config-timestamp
/usr/share/fonts/Speedo/.fonts-config-timestamp
/usr/share/fonts/cyrillic/.fonts-config-timestamp
/usr/share/fonts/75dpi/.fonts-config-timestamp
/usr/share/fonts/100dpi/.fonts-config-timestamp
/usr/share/fonts/truetype/.fonts-config-timestamp
/usr/share/fonts/encodings/.fonts-config-timestamp
/usr/share/fonts/Type1/.fonts-config-timestamp
/tmp/.XIM-unix
/tmp/.Test-unix
/tmp/.ICE-unix
/tmp/.font-unix
/tmp/.esd-1000
/tmp/.X0-lock
/tmp/.X11-unix
/etc/skel/.profile
/etc/skel/.xim.template
/etc/skel/.emacs
/etc/skel/.config
/etc/skel/.bashrc
/etc/skel/.xinitrc.template
/etc/skel/.fonts
/etc/skel/.inputrc
/etc/skel/.local
/etc/skel/public_html/.directory
/etc/skel/.vimrc
/etc/skel/.bash_history
/etc/lvm/.cache
/etc/init.d/.depend.start
/etc/init.d/.depend.halt
/etc/init.d/.depend.boot
/etc/init.d/.depend.stop
/etc/.pwd.lock

$ sudo find / -name ".. " -print -xdev
(nothing)
Of course, I am waiting to finish this process somehow before formatting; the problem is that the time is coming... really close. And I have to adopt some solution.
Maybe I have to leave the partition like this so I can continue with this in the future, and create another partition with the next/new system.


I would really appreciate some advice on how to "investigate" those files you mention, like cron (crontab -l is not enough, I know) and netcat. Because I don't really know what to do with binary files that fail the integrity check.
I don't know assembly, so I can't understand what they do behind the scenes...

Like this. How to test it?
[...] Also, verify that all files/programs referenced (directly or indirectly) by the 'cron' and 'at' jobs, and the job files themselves, are not world-writable.

Again, really, thank you for everything.
I am surprised by your altruistic help.
 
#19  04-03-2013, 03:27 PM
Noway2 (Senior Member; registered Jul 2007; distribution: Ubuntu 10.10, Slackware 64-current; 2,120 posts)

I haven't had a chance to fully go over all of this yet, but I did notice the permission denied on your use of sudo. I have seen this sometimes, in which case I use 'sudo -i' or 'su -' to get a root shell and run the command.
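Added example (editor's code, not from the thread): a triage pass over rpm -V output like the lines posted above. rpm -V prints a nine-character column string in the order S M 5 D L U G T P (size, mode, digest, device, link target, user, group, mtime, capabilities), an optional attribute letter (c config, d doc, g ghost, l license, r readme), the path, and sometimes a reason in parentheses; a "?" in a column means that test could not be run, which is the case Noway2 points at: rerun from a root shell (sudo -i, then rpm -Va). The script parses each line and ranks it: content or metadata changes on non-config files are critical, changed mode/owner/group on a config file is high, an edited config file is something to diff, and a differing link target alone is expected when update-alternatives manages the path. The sample input is the rpm -V lines quoted in the post, pasted verbatim; the severity policy is an assumption of this example, not rpm's.

```python
import re

FLAG_MEANING = {
    "S": "size differs", "M": "mode (permissions/type) differs", "5": "digest differs",
    "D": "device major/minor differs", "L": "symlink target differs",
    "U": "owner differs", "G": "group differs", "T": "mtime differs",
    "P": "capabilities differ",
}
ATTR_MEANING = {"c": "config", "d": "doc", "g": "ghost", "l": "license", "r": "readme"}

# flags (9 columns, or "missing"), optional attribute letter, path, optional "(reason)".
# Paths containing spaces are not handled; rpm-owned paths normally have none.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP?.]{9}|missing|miss)\s+"
    r"(?:(?P<attr>[cdglr])\s+)?"
    r"(?P<path>\S+)"
    r"(?:\s+\((?P<reason>[^)]*)\))?\s*$")


def parse_verify_line(line):
    """One rpm -V line -> dict, or None if the line is not verify output."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    flags = m.group("flags")
    missing = flags.startswith("miss")
    return {
        "path": m.group("path"),
        "attr": ATTR_MEANING.get(m.group("attr") or "", "normal"),
        "missing": missing,
        "unverified": (not missing) and "?" in flags,
        "changed": set() if missing else {c for c in flags if c in FLAG_MEANING},
        "reason": m.group("reason"),
    }


def triage(entry):
    """Rank one finding; returns (severity, explanation). Policy is this example's own."""
    if entry["unverified"] or (entry["reason"] or "").startswith("Permission denied"):
        return "rerun-as-root", "test could not run as this user; repeat from a root shell (sudo -i; rpm -Va)"
    if entry["missing"]:
        return "review", "packaged file is absent"
    ch = entry["changed"]
    content = ch & {"5", "S"}
    metadata = ch & {"M", "U", "G", "P", "D"}
    if "L" in ch and not content and not metadata:
        return "review", "symlink target differs (expected when update-alternatives manages the path)"
    if entry["attr"] in ("config", "doc", "ghost"):
        if metadata:
            return "high", "%s file with changed %s" % (
                entry["attr"], ", ".join(FLAG_MEANING[c] for c in sorted(metadata)))
        return "review", "edited %s file: diff it against the packaged copy" % entry["attr"]
    if content or metadata:
        return "critical", "non-config file changed: " + ", ".join(FLAG_MEANING[c] for c in sorted(ch))
    if not ch:
        return "info", "no differences flagged"
    return "info", "only " + ", ".join(FLAG_MEANING[c] for c in sorted(ch))


def triage_report(text):
    """(severity, path, explanation) for every parseable line, in input order."""
    out = []
    for line in text.splitlines():
        e = parse_verify_line(line)
        if e:
            sev, why = triage(e)
            out.append((sev, e["path"], why))
    return out


# Constructed input: the rpm -V lines quoted in the thread, pasted verbatim.
SAMPLE = """\
?........  c /etc/cron.deny
miss   /var/spool/cron/lastrun (Permission denied)
miss   /var/spool/cron/tabs (Permission denied)
?........  c /etc/skel/.bash_history
......G..    /usr/lib/kde4/libexec/kcheckpass
5S.T.....  c /etc/default/passwd
5S.T.....  c /etc/pam.d/login
..L......    /usr/bin/netcat
..L......  d /usr/share/man/man1/netcat.1.gz
"""

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE  # e.g. rpm -Va | python3 triage.py
    for sev, path, why in sorted(triage_report(text)):
        print("%-14s %-45s %s" % (sev, path, why))
```

On the sample this puts kcheckpass (setuid helper whose group no longer matches the package) at the top, sends the "?" and "Permission denied" rows back for a root re-run, and files the two edited PAM/passwd configs as things to diff; note that rpm -V only compares against the RPM database, so a trojaned package that updated that database too would verify clean.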
 
  


All times are GMT -5.
