LinuxQuestions.org
Old 09-08-2010, 01:13 PM   #1
cnmoore
Member
 
Registered: Sep 2010
Location: Sunnyvale, CA
Distribution: CentOS 5.5
Posts: 89

Rep: Reputation: 0
"rpm -Va" How to interpret output?


Can you please help me understand the output of rpm -Va on my server?
The last few lines look like this:
Code:
S.5....T  c /etc/rc.d/rc.local
S.5....T  c /etc/sysctl.conf
S.5....T  c /etc/syslog.conf
SM5....T  c /etc/ssh/sshd_config
SM5....T    /usr/bin/lwp-download
SM5....T    /usr/bin/lwp-mirror
SM5....T    /usr/bin/lwp-request
SM5....T    /usr/bin/lwp-rget
S.5....T    /etc/logrotate.d/proftpd
S.5..UGT    /usr/bin/ftpcount
S.5..UGT    /usr/bin/ftpdctl
S.5..UGT    /usr/bin/ftptop
S.5..UGT    /usr/bin/ftpwho
S.5..UGT    /usr/sbin/ftpshut
.....UG.    /usr/sbin/in.proftpd
S.5..UGT    /usr/sbin/proftpd
I know that "c" means configuration file.
The man page explains the other codes
Quote:
S file Size differs
M Mode differs (includes permissions and file type)
5 MD5 sum differs
D Device major/minor number mismatch
L readLink(2) path mismatch
U User ownership differs
G Group ownership differs
T mTime differs
But here's my question. Should I worry about rpm reporting so many file changes? And is there anything I should do?
This is a dedicated server. The host reformatted and reinstalled the software on August 24. A lot of the listed files are like this:
-rwxr-xr-x 1 ftp ftp 616208 Aug 24 14:46 /usr/sbin/proftpd
It looks as though the files weren't pulled from the repository but installed some other way by my host?

Thanks in advance..

Last edited by cnmoore; 09-08-2010 at 01:27 PM.
 
Old 09-08-2010, 06:03 PM   #2
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,064

Rep: Reputation: 894
I can't fully answer your question, but I'll have a go at what I can, and in as much as I can help.

Firstly, I'd guess that you are only looking at this because you have some level of concern that something nasty might happen either currently or that it might happen in the future, and that you need to get a reference.

The first thing is that, in some cases, there can be very good reasons for changes. Particularly for config files, if you have hand-edited the config file after installing, then it will have changed. Of course, if the worry is that some evildoer has had access to your system, just because you have hand-edited a file does not mean that someone else hasn't edited it as well.

So, I think the first thing to think about is whether the app being configured has a security implication; if it has, then you'll want to investigate any change to a config file, but there may be some applications for which you can feel that there isn't much of a risk and particularly if you can actually remember making some changes by hand, you probably don't need to get too excited. OTOH, if the app is security-critical and you can't remember making changes by hand, it can't hurt to have a look, can it?

(Actually, remember is the wrong word; in most circumstances, there should be a definitive log for each server, not a question of whether you can remember, or whether maybe a co-worker did something. Don't keep this as a file on the server in question!)

For anything that is executable (for example, your stuff in /usr/bin and /usr/sbin) and for libraries, changes in md5 checksum, size or permissions are worth a further look, as you wouldn't really expect those to happen. If the changes happened at the time of install, or when you did an update from repos, the chances are strong that it is actually to do with the install/update process...or you got cracked very rapidly!

Really, what you should do is to run rpm -Va immediately after every install/update and copy the data off to another machine. Then, at every time in the future when you feel the need to check (or when you run it from cron/anacron) you can refer back against a reference result, which makes a lot more sense than trying to do too much interpretation of 'noisy' and 'subject to interpretation' results.
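As an added illustration of both points in this thread (the attribute letters from post #1 and the "keep a post-install reference and compare against it" advice above), here is a small parser for rpm -Va output that is not from any poster or from rpm itself. It decodes each line, flags the kinds of change on executables that an install does not explain, and reports what is new relative to a saved baseline; the sample input reuses the poster's lines plus one constructed extra line.

```python
import re

# Attribute letters rpm -Va prints, left to right (see rpm(8)).
FLAG_MEANING = {"S": "size", "M": "mode", "5": "md5", "D": "device", "L": "symlink",
                "U": "user", "G": "group", "T": "mtime", "P": "caps", "?": "unreadable"}
# Changes on executables/libraries that an install or a hand-edit does not explain.
SUSPICIOUS = {"size", "md5", "mode", "user", "group"}
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+(?P<type>[cdglr])?\s*(?P<path>/\S+)$")

def parse_line(line):
    """One rpm -Va line -> (path, file-type letter or '', set of changed attributes)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # blank line, warning text, or a format this parser does not know
    flags = m.group("flags")
    changed = {"missing"} if flags == "missing" else {FLAG_MEANING[c] for c in flags if c != "."}
    return m.group("path"), m.group("type") or "", changed

def triage(line):
    """Classify a line as the thread suggests: config edits are usually explainable,
    size/checksum/mode/owner changes on executables are not."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    path, ftype, changed = parsed
    if "missing" in changed:
        return path, "INVESTIGATE: file missing"
    if ftype == "c":
        return path, "config: check against your change log"
    if changed & SUSPICIOUS:
        return path, "INVESTIGATE: " + ", ".join(sorted(changed & SUSPICIOUS))
    return path, "mtime only: usually benign"

def parse_report(text):
    """Whole rpm -Va report -> {path: set of changed attributes}."""
    return {p: ch for p, _, ch in filter(None, map(parse_line, text.splitlines()))}

def new_since_baseline(baseline_text, current_text):
    """Per path, attributes that changed since the saved post-install baseline."""
    base, cur = parse_report(baseline_text), parse_report(current_text)
    delta = {p: sorted(ch - base.get(p, set())) for p, ch in cur.items()}
    return {p: attrs for p, attrs in delta.items() if attrs}

# Constructed sample: the poster's lines as the baseline, plus a hypothetical changed /usr/bin/wget.
BASELINE = """S.5....T  c /etc/rc.d/rc.local
SM5....T    /usr/bin/lwp-download
.....UG.    /usr/sbin/in.proftpd
S.5..UGT    /usr/sbin/proftpd"""
CURRENT = BASELINE + "\nS.5.....    /usr/bin/wget"
```

Save `rpm -Va` output to another machine right after an install, then feed the saved and the fresh output to `new_since_baseline` to see only what moved since.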
 
Old 09-08-2010, 06:48 PM   #3
cnmoore
Member
 
Registered: Sep 2010
Location: Sunnyvale, CA
Distribution: CentOS 5.5
Posts: 89

Original Poster
Rep: Reputation: 0
Thanks! I myself never edit system files. I did a yum update Sep 2 and collected 2 security patches for the kernel. Any other changes were done by my host or conceivably by bad guys.

On August 15 our host reported "We found a system wide compromise of web sites in which the servers' httpd.conf file was modified. We have upgraded apache and recompiled php and we believe the issue is fixed."

On August 18 host reported a DDoS on another of their servers. So I think new malware attacks are somewhat possible.

We were reformatted on August 24.

I only very recently learned that our host does not automatically update dedicated servers. So I'm learning how to do this myself. And still uncertain what to look for.

I'm a real n00b.

Every day I run 'find -name "*.conf" -mtime -1', and also have a look at 'last'. There are probably other checks I should be doing..

Last edited by cnmoore; 09-08-2010 at 06:49 PM.
 
Old 09-08-2010, 08:01 PM   #4
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,225

Rep: Reputation: 2521
i would not worry too much at this point .

in /var/log/yum.log
is a list of what and when rpms were installed with yum
seeing as they reformatted on the 24th - ignore entries before that
the host company reinstalled from a backup

i would look at the awstats log ( if it is installed) or the httpd.log for unusual activity

if the host allows rkhunter and chkrootkit to be run, install and run them
rkhunter has an option ( --propupd ) to make a change file and see what has been changed between the time that it was run last and now
see "man rkhunter" once installed
on cent 5 "yum install rkhunter"

Last edited by John VV; 09-08-2010 at 08:12 PM.
 
Old 09-08-2010, 09:22 PM   #5
cnmoore
Member
 
Registered: Sep 2010
Location: Sunnyvale, CA
Distribution: CentOS 5.5
Posts: 89

Original Poster
Rep: Reputation: 0
I think the system was mostly restored from some image, but host installed new 64-bit CentOS 5.5. Wow, big increase in speed!

Host ran rkhunter on Sep 1, according to the rkhunter.log.
The log has some warnings about commands replaced with scripts but as far as I can tell those are legit.
There were quite a few tests disabled, like this
"Info: Test 'deleted_files' disabled at users request."
Everything else was 'OK'
All the rootkit checks were 'Not found'.

I have now run rkhunter --propupd.

Neither awstats.log nor httpd.log seems to exist. However, there are various logfiles in /var/log/httpd which I have looked at.

Many thanks to salasi and you for taking an interest and helping me.

Last edited by cnmoore; 09-08-2010 at 09:25 PM.
 
Old 09-08-2010, 10:22 PM   #6
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,225

Rep: Reputation: 2521
Quote:
The log has some warnings about commands replaced with scripts but as far as I can tell those are legit.
that is normal for rhel/cent/fedora
as for the log, it has been a while since i admin'd a server so
the /var/log/httpd is fine

you might want to look into AWstats; it is a nice tool and nicely showed me that univ of Chi. was trying to dl EVERYTHING and not just "normal" downloads


do some research on securing a server
you can go from the " i do not care" to the "tin foil hat" extremes

security is always a compromise

one thing that is recommended often is to use "wget" to clone the web site. Keep it up to date and use that KNOWN GOOD copy to look for changes
the code/programming tool "diff " can do that
but that is starting to get close to the "tin foil hat" extreme

keep centOS 5.5 up to date and have SE set to "enforcing" and that will stop about 99% of "cracking"
and use a very good root password - no pet names or like
 
Old 09-08-2010, 11:02 PM   #7
cnmoore
Member
 
Registered: Sep 2010
Location: Sunnyvale, CA
Distribution: CentOS 5.5
Posts: 89

Original Poster
Rep: Reputation: 0
All my /home/ users have tar.gz backups, and for the forum which is the main thing on the server I do a mysqldump every night and also a tar of public_html.

But it would be nice to have a clone of the rest. I am lost in the wget manual - what would be the command to mirror the server but exclude the /home/tree? And also I'd think, exclude logs?
 