LinuxQuestions.org
Old 10-07-2004, 08:50 AM   #1
magicm
Member
 
Registered: May 2003
Distribution: Slackware
Posts: 32

rkhunter found bad syslogd - what should I do next


Happy Thursday -
First facts: Distro Slackware 10.0, reasonably current (up through Sep. 5, 2004 for packages I know I use). Rootkit Hunter 1.1.8 found a problem with syslogd. I went and looked. syslogd and klogd were both of different sizes than I thought should be there (no patch that I thought I should have installed should have modified them from the 10.0 install). I reinstalled the distribution packages, and rkhunter is now happy. Well and good.

I saved off the suspect commands (renamed them and also ran chmod -x)

Now - mind you, at this point I'm fairly well out of my depth. So, questions:
Is there any reasonable way I can find out how I obtained the suspect files? Is there any use or utility in the files I saved off? It's beyond my skill, but is there some mailing list, etc. that would like to examine them?
And what steps can I take to prevent this?

Other things: standalone system; dialup only. Firewall is via
http://projectfiles.com/firewall/ version 2.0rc9 (newbie defaults)

Thanks in advance for any answers/advice
 
Old 10-10-2004, 06:05 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,987
Blog Entries: 54

Checksum and signature-based checking of any kind is of limited use (mind you, it's better than having nothing at all). Checksum repositories like Known Goods and apps like Rootkit Hunter must work hard to keep up to date with changes in sums each time a package is updated. This will not ever work for all packages, so finding mismatches will be common.


Is there any reasonable way I can find out how I obtained the suspect files?
Package manager logging (if any), (administrative) user shell history.


Is there any use or utility in the files I saved off?
Easiest way to start would be to D/L any Slackware syslogd package binaries whose version is near and try to match MD5/SHA1 sums or whatever Slack uses. If that doesn't match then you could try to figure out what their purpose is and step the binaries through a debugger. Even if they have run on your box I'd suggest sandboxing them, the easiest way being running from an appropriate Live CDR or a forensics CDR like the Penguin Sleuth Kit or FIRE.


It's beyond my skill, but is there some mailing list,etc that would like to examine them?
If you've tried the above and it doesn't work for you, make 'em available as .tar.bz2 and email me the D/L location.


And what steps can I take to prevent this?
If you're running EXT2/EXT3 you could set the immutable bit on the binaries, meaning they cannot be altered unless it is turned off. If you're running the binaries off of a separate partition, remounting the partition read-only will provide a similar effect. For auditing purposes it's best to install a filesystem integrity checker like Aide, Samhain or tripwire (preferably after a fresh install so you can be sure nothing has been tampered with). Make sure to save a copy of the filesystem integrity checker's configs, databases and binary off the box to a read-only location. If your package manager maintains a database, save a copy too.
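As an added example (not code from the thread or from any of the tools it names), here is the minimal form of the sum-matching and off-box baseline that unSpawn describes, in POSIX sh: record SHA-1 sums of the binaries you care about right after a clean install, store the manifest somewhere read-only, and re-check later. The /usr/sbin/syslogd and /usr/sbin/klogd paths and the /mnt/cdrom manifest location in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Record SHA-1 sums of chosen
# binaries right after a clean install, then re-check them later.
# Keep the manifest somewhere read-only (CD, another host); a manifest
# on the same disk can be edited along with the binaries it covers.

# make_baseline MANIFEST FILE...  -> writes one "sum  path" line per file
make_baseline() {
    manifest=$1
    shift
    sha1sum "$@" > "$manifest"
}

# verify_baseline MANIFEST -> prints a MODIFIED:/MISSING: line per problem,
# returns 0 when everything matches and 1 when anything differs
verify_baseline() {
    manifest=$1
    changed=0
    while read -r sum path; do
        if [ ! -e "$path" ]; then
            echo "MISSING: $path"
            changed=1
            continue
        fi
        cur=$(sha1sum "$path" | cut -d' ' -f1)
        if [ "$cur" != "$sum" ]; then
            echo "MODIFIED: $path"
            changed=1
        fi
    done < "$manifest"
    return $changed
}

# Usage on a real box (paths are assumptions for Slackware 10.0's sysklogd):
#   make_baseline /mnt/cdrom/baseline.sha1 /usr/sbin/syslogd /usr/sbin/klogd
#   verify_baseline /mnt/cdrom/baseline.sha1 || echo "binaries changed"
```

This only tells you that a file differs from the one you recorded, not why; a mismatch still has to be compared against the distribution package before treating it as tampering.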