LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-26-2011, 10:22 PM   #1
linuxStudent11
Member
 
Registered: Jun 2007
Posts: 103

Rep: Reputation: 16
rkhunter -c sez sulogin and last "have changed"


DATA FOLLOWS BELOW:
Can someone please reply with md5sums for /sbin/sulogin and /usr/bin/last for Ubuntu 10.10, kernel 2.6.35-31-generic?
Last several times I've run rkhunter I've gotten Warnings about sulogin and /usr/bin/last. These are likely targets for an intruder.
So I reinstalled the package containing those binaries and quickly did rkhunter -c. Same problem.
Earlier I had foolishly done the UPDATE to update the caches. That caused a temporary fix. But now they are changed again!?!
So I did md5sums of both binaries before and after the reload. No joy. Md5sums are identical.
So I see three possibilities:
(1) The installation process for those binaries produces false positives, or
(2) I'm infected and those binaries get reinfected VERY FAST, or
(3) The linux repository for Ubuntu 10.10 is infected.
I've seen this error multiple times in Google searches. I've seen people foolishly recommend updating the rkhunter cache, which is a clever way to simply shut off an important alarm.
Either way, I suspect someone close to this code MUST provide a definitive and informed answer considering the possibility that the Ubuntu cache is itself infected.
Thank you oh so very much for any attention.
DATA FOLLOWS:

[22:50:17] /sbin/sulogin [ Warning ]
[22:50:17] Warning: The file properties have changed:
[22:50:17] File: /sbin/sulogin
[22:50:17] Current inode: 23855259 Stored inode: 23855277
[22:50:17] Current file modification time: 1303197096 (19-Apr-2011 03:11:36)
[22:50:17] Stored file modification time : 1301521984 (30-Mar-2011 17:53:04)
md5sum immediately after reload via Synaptic Package manager:
88d2ad573bd0e589db4ea77e86fdfe34 /sbin/sulogin


[22:50:14] /usr/bin/last [ Warning ]
[22:50:14] Warning: The file properties have changed:
[22:50:14] File: /usr/bin/last
[22:50:14] Current inode: 29100159 Stored inode: 29109154
[22:50:14] Current file modification time: 1303197096 (19-Apr-2011 03:11:36)
[22:50:14] Stored file modification time : 1301521984 (30-Mar-2011 17:53:04)
md5sum immediately after reload via Synaptic Package manager:
ca0943947e977283e9c4e618a7557d10 /usr/bin/last


[ 0.000000] Linux version 2.6.35-31-generic (buildd@allspice) (gcc version 4.4.5 (Ubuntu/Linaro 4.4.4-14ubuntu5) ) #62-Ubuntu SMP Tue Nov 8 14:20:11 UTC 2011 (Ubuntu 2.6.35-31.62-generic 2.6.35.13)
 
Old 11-27-2011, 06:34 AM   #2
aus9
Guru
 
Registered: Oct 2003
Posts: 5,056

Rep: Reputation: Disabled
hi

1) since you are security conscious....is that the latest kernel you can get from Ubuntu repositories?

If you must use Ubuntu types you may like to consider installing a vanilla and watching for kernel vulnerabilities?

2) Also have you actually done a clean install.....with a tarball of rkh?

3) Have you configured your /etc/rkhunter.conf to use a package manager for software updates?

4) Your dates seem a little old....how long has this been appearing in your logs?


5) why not download and extract another repository and check the md5sums yourself?

eg

in debian sid....last + sulogin belong to sysvinit-utils
http://mirror.internode.on.net/pub/u...in/s/sysvinit/
 
Old 11-27-2011, 11:48 AM   #3
linuxStudent11
Member
 
Registered: Jun 2007
Posts: 103

Original Poster
Rep: Reputation: 16
Quote:
1) since you are security conscious....is that the latest kernel you can get from Ubuntu repositories?
This is the latest kernel coming via apt update so I assume it's the latest.
Quote:
If you must use Ubuntu types you may like to consider installing a vanilla and watching for kernel vulnerabilities?
If I get no useful responses, this and your tarball suggestion below will be next step(s).
Quote:
2) Also have you actually done a clean install.....with a tarball of rkh?
(see above) I'll probably do this on a vmware machine. However, I do have a job with immediate demands. I'm overrun with immediate demands these days.
Quote:
3) Have you configured your /etc/rkhunter.conf to use a package manager for software updates?
"apt get" in the auto updates, yes
Quote:
4) Your dates seem a little old....how long has this been appearing in your logs?
If you mean the "Nov 8", that was because I just grabbed the first "version" line contained in the dmesg log. Is that what you mean? The kernel itself was update installed just a couple days ago. The rkhunter run immediately before that had no complaints. (!!)

Quote:
5) why not download and extract another repository and check the md5sums yourself?
I'm not sure which supplier "apt get" got them from. I'll read up on the apt mans to see how to determine (and set) that.

I was hoping someone running an up-to-date ubuntu 10.10 could just type:
md5sum /sbin/sulogin
and
md5sum /usr/bin/last
and reply with the sequence. It would save some time. I also hope to diff the strings outputs.
also
Rebuilding the machine is not necessarily any guarantee of safety given the problems that exist with recent kernels. See the sticky item above on this topic. Is this one variation of that same problem? I don't think an intruder would have stopped or been satisfied with a compromised kernel.
Maybe I should mention this thread in that sticky? I don't know yet.
Thank you for any help.
 
Old 11-27-2011, 03:34 PM   #4
impert
Member
 
Registered: Feb 2009
Posts: 282

Rep: Reputation: 53
Hi linuxStudent11
Quote:
I was hoping someone running an up-to-date ubuntu 10.10 could just type:
md5sum /sbin/sulogin
and
md5sum /usr/bin/last
Haven't used 10.10 for a little while but I booted into it from curiosity.
Code:
md5sum /sbin/sulogin
88d2ad573bd0e589db4ea77e86fdfe34  /sbin/sulogin
md5sum /usr/bin/last
ca0943947e977283e9c4e618a7557d10  /usr/bin/last
You asked for an up-to-date 10.10, (perhaps a contradiction in terms) so I updated and upgraded.
The md5sums were identical before and after the upgrade.

I also ran rkhunter -c, and got warnings (also the same before and after upgrading) for the following files:
/bin/
dmesg, login, more, mount, su.
/usr/bin/
dpkg, dpkg-query, last, lastlog, ldd, logger, newgrp, passwd, perl, sudo, whereis.
/sbin/
ifdown, ifup, init, runlevel, sulogin
/usr/sbin/
groupadd, groupdel, groupmod, grpck, nologin, pwck, useradd, userdel, usermod, vipw.

If you have a problem, mine's bigger than yours!

Being an optimist, I think the explanation is probably that I have mounted the partition that Maverick is on in another distribution. I've probably chrooted into it, and at one stage I dd'ed it into the partition it's in now.

However, I'm no security guru, so maybe some dark forces are preparing a sinister plot against me at this very moment. Think I'll go to bed and get some sleep: I'll need all my strength to counter their evil plans.
 
Old 11-27-2011, 04:09 PM   #5
linuxStudent11
Member
 
Registered: Jun 2007
Posts: 103

Original Poster
Rep: Reputation: 16

-- LMAO --
m'kay, maybe this tinfoil's a little tight

OTOH, maybe I'm not ready to take off my hat just yet.

I guess I'm feeling a disturbance in the force.
 
Old 11-27-2011, 06:48 PM   #6
aus9
Guru
 
Registered: Oct 2003
Posts: 5,056

Rep: Reputation: Disabled
hi

1) kernel.org suggests today's most recent stable kernel is 3.1.3

I run a debian kernel and I have their package 3.1.0-1-686-pae for 32 bit machine

compared to your number 2.6.35-31-generic

I suggest stop using Ubuntu if they can't use a more recent kernel or stop using their kernel and install a vanilla.

2) ok everyone has time issues. But if you want to improve your security can I suggest you read the wiki on RKH; it mentions you install RKH with no network

http://sourceforge.net/apps/trac/rkhunter/wiki/MPFC

3) I am not sure about apt get

use root powers to edit your /etc/rkhunter.conf to use this line please

PKGMGR=DPKG

Then save that file to a USB stick etc for when you do a clean install.

good luck
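Two suggestions in this thread point the same way: aus9's post #2 (check the md5sums yourself against the package rather than trusting a number someone posts) and post #6 (set PKGMGR=DPKG so rkhunter compares files with what the package manager recorded). The script below is an added example, not rkhunter's code and not from any poster: it does that package-manager comparison by hand, parsing the format dpkg uses in /var/lib/dpkg/info/<package>.md5sums and hashing each listed file. The md5sums text, the three "installed" files and the temporary root directory are constructed here so it runs offline; on a real Ubuntu system you would feed it the contents of the package's .md5sums file and root="/".

```python
"""Check installed binaries against the MD5 sums dpkg recorded for their package.

Added example for the thread above; not rkhunter's code. It does by hand what
rkhunter does with PKGMGR=DPKG: compare each file's current MD5 with the digest
in /var/lib/dpkg/info/<package>.md5sums. The sample md5sums text and the files
under a temporary directory are constructed so the script runs offline.
"""
import hashlib
import os
import tempfile


def parse_dpkg_md5sums(text):
    """Parse dpkg's '<md5>  <path relative to />' lines into {absolute path: md5}."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, relpath = line.partition("  ")
        if not sep or len(digest) != 32:
            raise ValueError("malformed md5sums line: %r" % raw)
        expected["/" + relpath.strip().lstrip("/")] = digest.lower()
    return expected


def md5_of_file(path):
    """Stream the file through MD5 in chunks; fine for large binaries."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_files(expected, root="/"):
    """Return {absolute path: 'ok' | 'changed' | 'missing'} for every expected file.

    root lets the same check run over a mounted image or a temp tree instead of /.
    """
    results = {}
    for abspath, digest in sorted(expected.items()):
        real = os.path.join(root, abspath.lstrip("/"))
        if not os.path.isfile(real):
            results[abspath] = "missing"
        elif md5_of_file(real) == digest:
            results[abspath] = "ok"
        else:
            results[abspath] = "changed"
    return results


def build_sample_tree():
    """Create a constructed fake root with three 'installed' files.

    Returns (root, md5sums_text); the text is what dpkg would have recorded at
    install time. Contents and digests are made up here, not the thread's values.
    """
    root = tempfile.mkdtemp(prefix="dpkg-verify-")
    files = {
        "sbin/sulogin": b"#!/bin/sh\necho fake sulogin\n",
        "usr/bin/last": b"#!/bin/sh\necho fake last\n",
        "usr/bin/lastlog": b"#!/bin/sh\necho fake lastlog\n",
    }
    lines = []
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
        lines.append("%s  %s" % (hashlib.md5(content).hexdigest(), rel))
    return root, "\n".join(lines) + "\n"


def demo():
    """Build the sample tree, alter one file and delete another, then verify."""
    root, md5sums_text = build_sample_tree()
    # Simulate a modified binary and a removed one so both statuses show up.
    with open(os.path.join(root, "usr/bin/last"), "ab") as f:
        f.write(b"# extra bytes appended after install\n")
    os.remove(os.path.join(root, "usr/bin/lastlog"))
    return verify_files(parse_dpkg_md5sums(md5sums_text), root=root)


if __name__ == "__main__":
    for path, status in demo().items():
        print("%-8s %s" % (status, path))
```

On a real system, `dpkg -S /sbin/sulogin` names the owning package and its sums live in /var/lib/dpkg/info/<package>.md5sums (the debsums tool automates exactly this comparison). Two caveats worth keeping in mind when reading the warnings quoted in post #1: the stored sums sit on the same disk as the binaries, so they prove nothing against an attacker who already has root and rewrites them; and rkhunter there reports a new inode and a new modification time with the MD5 unchanged, which is precisely the footprint a package reinstall leaves, since dpkg unpacks a fresh file and renames it over the old one.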
 
  


Tags
rkhunter