Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
I've noticed a few possibly strange things, and I wonder if anybody can help me to understand them.
First of all, I never get the failed ssh logins that everybody is talking about here. I mean never. Shouldn't I be seeing a little bit of that? My machine doesn't respond to pings, so maybe they're just not seeing me, but that seems unlikely since s_kiddies are constantly trying to crack apache.
Second, and more worrisome, is that I have both /etc/sshd and /etc/sshd2 (?) The sshd2.conf file seems pretty weak and differs from my carefully constructed file. What's going on here?
Third, and of even greater concern, rpm -V pam reveals that some files have been changed. The output is this:
S.5....T c /etc/pam.d/system-auth
S.?..... /lib/security/pam_filter/upperLOWER
S.?..... /sbin/pam_timestamp_check
What does this mean? Looks to me like something important has changed.
Fourth, in my /tmp directory there are a bunch of subdirectories like
ssh-M0(JFG)#K, many of which appear to be months old. Should these be there??? As far as I know, nobody has ever made an ssh connection to my machine.
Why is localhost.localdomain showing up in the foreign column? Why is ipp showing up in the internet section? Doesn't ipp have something to do with printers?
Why are there two of me? I use strong passwords of 15 or more very random characters so I'm pretty sure that a brute force attack would be fruitless. It's the finesse attacks that worry me because I don't fully understand them.
There are other things, too. Why are there rc, rc0, rc1... rc6 in the /etc directory? I never noticed this before. I read somewhere that crackers often make copies of things, so could this, along with the two sshd programs be an indication of problems?
Everything seems to be running OK, and I don't have any super-sensitive data on the machine. Should I worry? If I'm just being paranoid, please let me know. I can take it.
Thanks. That program didn't find anything except a few hidden directories under /etc -- /.java /.aumixrc and /.pwd.lock
Should I be worried about any of these? Strangely, when I try to navigate to .pwd.lock, I get a "no such file or directory." What now?
[edit - add]
One thing that does concern me is the rpm -V pam that I ran that showed it had changed, but Rootkit Hunter didn't have anything to say about that. Anyone know what this could mean?
DO NOT change these unless you know what you are doing. This is part of the bootup system of linux. Each one corresponds to the scripts that are run at each of the runlevels specified by their number. This is not to say they haven't been modified by someone but their existence is essential.
In my opinion, you are being a little paranoid -- which can be a good thing. I'm not sure what generated the temp files but they don't seem like a large concern to me (at the very least a cracker this competent would have made them hidden).
The reason there are two of you? Probably because you have an xterm window open or whatever. Anyway... it is not odd.
My only suggestion, if you don't use sshd yourself... turn it off.
Third, and of even greater concern, rpm -V pam reveals that some files have been changed. The output is this:
S.5....T c /etc/pam.d/system-auth
S.?..... /lib/security/pam_filter/upperLOWER
S.?..... /sbin/pam_timestamp_check
The RPM md5sums will be different if you've updated your system with security patches. For FC1 there have been a number of updates and therefore a number of files will fail the RPM check. This is entirely normal. I know that pam system-auth was updated, but if you want to be extra-thorough, check the contents and file attributes of upperLOWER and pam_timestamp_check using the strings command. Rootkit Hunter likely doesn't complain because it uses md5sums that are constantly being updated with new values when updates are released. Unless you manually update the rpm database, the original hash values will be retained.
Fifth, netstat is giving me this:
tcp 1 0 localhost.localdo:32789 localhost.localdoma:ipp CLOSE_WAIT
Why is localhost.localdomain showing up in the foreign column? Why is ipp showing up in the internet section? Doesn't ipp have something to do with printers?
This is entirely normal as well. IPP stands for "Internet Printing Protocol" and is one of the Linux printing daemons. When you print a document, netstat should show one or more connections from localhost to localhost. This is just how IPP works when you print a document locally.
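The reply above makes the point that an rpm -V line has to be read column by column before deciding whether it is an update, a local edit, or something to investigate. The following is an added example (mine, not code from the thread or from rpm): it decodes the flag column according to rpm(8) and sorts each line into a triage bucket; the sample reuses the three lines quoted above plus two constructed lines, where /lib/security/pam_unix.so and /etc/pam.d/login are assumed paths for illustration.

```python
"""Decode `rpm -V` flag columns (added example, not code from the thread). Column
order per rpm(8): S M 5 D L U G T, plus P on newer rpm; '.' means the test passed."""
from dataclasses import dataclass, field
from typing import List, Optional

FLAG_ORDER = "SM5DLUGTP"
FLAG_MEANING = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "readlink",
                "U": "user", "G": "group", "T": "mtime", "P": "capabilities"}

@dataclass
class VerifyResult:
    path: str
    attr: Optional[str]  # 'c' marks a %config file, 'd' a %doc file, None otherwise
    failed: List[str] = field(default_factory=list)        # tests that differ
    unverifiable: List[str] = field(default_factory=list)  # tests rpm printed as '?'
    missing: bool = False

    def assessment(self) -> str:
        """Coarse triage bucket a defender can sort on."""
        if self.missing:
            return "missing"
        if self.unverifiable:
            return "unverifiable"  # '?' = test could not run (e.g. unreadable as non-root)
        if "digest" in self.failed:
            # Config files drift legitimately; anything else: compare with a pristine copy.
            return "config-changed" if self.attr == "c" else "content-changed"
        return "metadata-only"  # e.g. only mtime or mode differ, content intact

def parse_rpm_verify_line(line: str) -> VerifyResult:
    # One line looks like 'S.5....T c /etc/pam.d/system-auth' or 'missing c /etc/foo'.
    flags, *rest = line.split()
    result = VerifyResult(path=rest[-1], attr=rest[0] if len(rest) == 2 else None)
    if flags == "missing":
        result.missing = True
        return result
    for expected, ch in zip(FLAG_ORDER, flags):
        if ch == "?":
            result.unverifiable.append(FLAG_MEANING[expected])
        elif ch == expected:
            result.failed.append(FLAG_MEANING[expected])
        elif ch != ".":
            raise ValueError(f"unexpected flag {ch!r} in {line!r}")
    return result

# Constructed sample: the three lines quoted in the thread plus two made-up lines.
SAMPLE = """S.5....T c /etc/pam.d/system-auth
S.?..... /lib/security/pam_filter/upperLOWER
S.?..... /sbin/pam_timestamp_check
..5....T /lib/security/pam_unix.so
missing c /etc/pam.d/login"""
```

Run rpm -V as root before trusting a line that contains '?', since an unreadable file yields exactly that column.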
I kind of thought that pam had been changed during a normal update, but I guess I just needed reassurance. RK Hunter is a great little utility that will be most helpful. sshd will be turned on only when needed. I feel much better now.
But I still see two of me even in RL 3. Strange... but not worth worrying about.
That's normal. It has to do with the way wtmp logging works. If you run 'who' instead of 'users' it shows which terminal those users are logged into. If you have multiple pseudo-terminals (pts) open you'll see multiple instances of that username. You can prove this to yourself by starting X and running 'users' and 'who' (you should see at least 2 sessions, 1 for the shell, 1 for the X session). Open an xterm and run 'who' and 'users' again, and you'll see that another session has been added. Also, failing to properly log out of a remote shell session (like ssh) can leave a pseudoterm open.
does X always run as root? it doesn't seem like a very good idea to let an unprivileged user run a program that assumes root privileges.. i just noticed today with top that X had root privileges
Originally posted by rhoyerboat: does X always run as root? it doesn't seem like a very good idea to let an unprivileged user run a program that assumes root privileges.. i just noticed today with top that X had root privileges
i believe that only the X server is run as root... the X apps are executed as the unprivileged user... take a look at your processes and you should see something like this:
as you can see, the xinitrc is executed as the unprivileged user, hence the X apps will be run unprivileged... in my case i'm using the XFCE window manager, for example: