LinuxQuestions.org

Linux - Security: Back Door message + permission changes (https://www.linuxquestions.org/questions/linux-security-4/back-door-message-permission-changes-831861/)

High-gain 09-13-2010 05:30 AM

Back Door message + permission changes
 
Mandriva 2009
Hi There -
Checking through my 'security.log' this morning, I came across the
messages below. Over this last weekend I have updated my system through
the usual channel, almost 404 files. I also have a lot of permission changes
indicated; can I change these files to what the message says?
I am a newbie on Linux, so am a bit paranoid about security at the moment, so
is this anything to worry about please, or could it be due to the updated files
I installed?

**************************************************************************************************
Security Warning: the md5 checksum for one of your SUID files has changed,
maybe an intruder modified one of these suid binary in order to put in a backdoor...
- Checksum changed file : /home/jerry/tmp/daily.0/localhost/bin/ping
- Checksum changed file : /home/jerry/tmp/daily.0/localhost/bin/su
- Checksum changed file : /home/jerry/tmp/daily.0/localhost/sbin/mount.nfs
- Checksum changed file : /home/jerry/tmp/daily.0/localhost/usr/bin/ping6
- Checksum changed file : /home/jerry/tmp/daily.0/localhost/usr/bin/pulseaudio
- Checksum changed file : /home/jerry/tmp/daily.0/localhost/usr/bin/sperl5.10.0
- Checksum changed file : /home/jerry/tmp/daily.0/localhost/usr/bin/Xwrapper
- Checksum changed file : /home/jerry/tmp/daily.0/localhost/usr/lib/kde4/libexec/kcheckpass
- Checksum changed file : /home/jerry/tmp/daily.0/localhost/usr/sbin/traceroute6
- Checksum changed file : /home/jerry/tmp/daily.0/localhost/usr/sbin/usernetctl
- Checksum changed file : /home/jerry/tmp/daily.1/localhost/usr/bin/gpgsm
- Checksum changed file : /home/jerry/tmp/daily.1/localhost/usr/lib/ssh/ssh-keysign

Security Warning: There are modifications for port listening on your machine :
- Opened ports : udp 0 0 localhost:40325 *:* 21487/skype
- Closed ports : udp 0 0 localhost:56645 *:* 4528/skype

Security Warning: There are modifications for chkrootkit results :
- Added : ! root 21159 tty7 /etc/X11/X -deferglyphs 16 -nolisten tcp :0 vt7 -auth /var/run/xauth/A:0-mc9pBQ
- Removed : ! root 4013 tty7 /etc/X11/X -deferglyphs 16 -nolisten tcp :0 vt7 -auth /var/run/xauth/A:0-mc9pBQ


*** Security Check, Mon Sep 13 04:15:49 BST 2010 ***

***************************************************************************************************

***************************************************************************
Permissions changes on system files:
Wrong permissions of /etc/rc.d/init.d/netfs: should be 744
Wrong permissions of /etc/profile.d/50glib20.csh: should be 755
Wrong permissions of /etc/rc.d/init.d/netconsole: should be 744
Wrong permissions of /etc/rc.d/init.d/nfs-common: should be 744
Wrong permissions of /etc/rc.d/init.d/single: should be 744
Wrong permissions of /etc/profile.d/90ssh-askpass.csh: should be 755
Wrong permissions of /etc/rc.d/init.d/halt: should be 744
Wrong permissions of /etc/rc.d/init.d/mandrake_firstime: should be 744
Wrong permissions of /etc/profile.d/10lang.csh: should be 755
Wrong permissions of /etc/profile.d/openoffice.org.sh: should be 755
Wrong permissions of /etc/profile.d/30python.sh: should be 755
Wrong permissions of /etc/rc.d/init.d/killall: should be 744
Wrong permissions of /etc/profile.d/90ssh-client.sh: should be 755
Wrong permissions of /etc/rc.d/init.d/irqbalance: should be 744
Wrong permissions of /etc/profile.d/openoffice.org.csh: should be 755
Wrong permissions of /etc/profile.d/10tmpdir.csh: should be 755
Wrong group of /: should be adm
Wrong permissions of /: should be 755
Wrong permissions of /var/log/cups/access_log: should be 640
Wrong permissions of /etc/rc.d/init.d/sshd: should be 744
Wrong permissions of /etc/profile.d/10inputrc.sh: should be 755
Wrong permissions of /etc/rc.d/init.d/vdr: should be 744
Wrong permissions of /etc/rc.d/init.d/portreserve: should be 744
Wrong permissions of /etc/profile.d/10lang.sh: should be 755
Wrong permissions of /etc/profile.d/90qtdir3.sh: should be 755
Wrong permissions of /var/log/cups/error_log: should be 640
Wrong permissions of /etc/rc.d/init.d/acpid: should be 744
Wrong permissions of /etc/rc.d/init.d/msec: should be 744
Wrong permissions of /etc/rc.d/init.d/ip6tables: should be 744
Wrong permissions of /etc/rc.d/init.d/network-up: should be 744
Wrong permissions of /etc/rc.d/init.d/network: should be 744
Wrong permissions of /etc/rc.d/init.d/mandrake_everytime: should be 744
Wrong permissions of /etc/rc.d/init.d/partmon: should be 744
Wrong permissions of /home/lost+found: should be 755
Wrong permissions of /etc/rc.d/init.d/mdadm: should be 744
Wrong permissions of /etc/profile.d/90qtdir3.csh: should be 755
Wrong permissions of /var/log/ConsoleKit/history: should be 640
Wrong permissions of /etc/profile.d/10tmpdir.sh: should be 755
Wrong permissions of /etc/rc.d/init.d/cups: should be 744
Wrong permissions of /etc/rc.d/init.d/udev-post: should be 744
Wrong permissions of /etc/rc.d/init.d/ntpd: should be 744
Wrong permissions of /etc/rc.d/init.d/dm: should be 744
Wrong permissions of /usr/lost+found: should be 755
Wrong permissions of /etc/rc.d/init.d/network-auth: should be 744
Wrong permissions of /etc/profile.d/90ssh-askpass.sh: should be 755
Wrong permissions of /etc/profile.d/50glib20.sh: should be 755
Wrong permissions of /etc/rc.d/init.d/iptables: should be 744
Wrong permissions of /etc/profile.d/10inputrc.csh: should be 755
Wrong permissions of /etc/rc.d/init.d/mandi: should be 744
Wrong permissions of /var/log/cups/page_log: should be 640
Wrong permissions of /etc/profile.d/kde4.sh: should be 755
Wrong permissions of /home/simon: should be 755
Wrong permissions of /etc/rc.d/init.d/shorewall: should be 744
Wrong permissions of /etc/profile.d/30python.csh: should be 755
**************************************************************************

Thanks for looking.

unSpawn 09-13-2010 05:43 PM

Quote:

Originally Posted by High-gain (Post 4095910)
Security Warning: the md5 checksum for one of your SUID files has changed, maybe an intruder modified one of these suid binary in order to put in a backdoor...

Check the MD5 with that from your installed package ("/home/jerry/tmp/daily.0/localhost/bin/ping" means "/bin/ping", so 'rpm -qf /bin/ping' shows the package name, 'rpm -Vv `rpm -qf /bin/ping`;' verifies the package contents integrity and 'rpm -Vv `rpm -qf /bin/ping`|grep -v '^\.\{8\}';' verifies package contents integrity listing only changes). It's good to know which tools your system uses and that you can always download a copy of a package from a known-good source just in case. BTW, if an intruder manages to replace a root-owned binary in a root-owned directory with a subverted copy of his own then one has bigger problems than the setuid bit, as replacing it requires root account rights.


Quote:

Originally Posted by High-gain (Post 4095910)
Security Warning: There are modifications for port listening on your machine :
- Opened ports: udp 0 0 localhost:40325 *:* 21487/skype
- Closed ports: udp 0 0 localhost:56645 *:* 4528/skype

It's good to know which tools your system uses and what their output is. We're looking at the result of a simple (and I mean simple) check using output of the default 'netstat' tool. The first bolded values are local port numbers. As seen here they're ephemeral (high numbers: see /proc/sys/net/ipv4/ip_local_port_range) which often denote transient (short-lived) processes, and those port numbers are usually not linked to any IANA designations (see /etc/services). The second bolded values are PIDs or Process Ids which change each time a process dies. What I'm saying is that those port numbers and PIDs will change so you will see this message a lot (and I mean a lot). Don't conclude the test is useless as you should be alert for processes you don't recognize, like having a "PID/httpd" if you don't run a webserver or having a "PID/httpd" running while 'cat /proc/PID/cmdline' says it's a Perl process.


Quote:

Originally Posted by High-gain (Post 4095910)
Security Warning: There are modifications for chkrootkit results :
- Added: ! root 21159 tty7 /etc/X11/X -deferglyphs 16 -nolisten tcp :0 vt7 -auth /var/run/xauth/A:0-mc9pBQ
- Removed: ! root 4013 tty7 /etc/X11/X -deferglyphs 16 -nolisten tcp :0 vt7 -auth /var/run/xauth/A:0-mc9pBQ

We're looking at output of Chkrootkit's 'chkutmp' test. The Msec warning is incomplete as 'chkutmp' will say "The tty of the following user process(es) were not found" and end with (if all went well) "chkutmp: nothing deleted", meaning the processes are attached to a tty but no audit record was found in /var/run/utmp. This is regular behaviour for processes that wait for a login to occur.


Quote:

Originally Posted by High-gain (Post 4095910)
Wrong permissions of (..): should be 744

Running 'rpm -qf /some/item' shows the package name, after which 'rpm -q --dump [packagename]|grep '/some/item';' will show, among other details, the item's access mode. By knowing that value you can make an educated guess if it should be changed. However...


Quote:

Originally Posted by High-gain (Post 4095910)
Wrong group of /: should be adm
Wrong permissions of /: should be 755

... be careful changing things as b0rkage may occur. "/" will usually be owned by root user and group and have octal 0755 access mode.
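Following the rpm steps above, here is an added shell example (not code from the thread): it maps an msec "Checksum changed file" path from the backup tree back to the live path, confirms the file really carries a setuid/setgid bit, and, where rpm is installed, verifies it against its owning package. The two log lines are copied from the first post; that the backup prefix always ends in "/localhost" is an assumption.

```shell
# Added example (not from the thread): triage msec's "Checksum
# changed file" lines the way unSpawn describes: map the backup
# path to the live path, confirm the setuid bit, then verify the
# file against the RPM database. Sample lines are constructed.

# Strip a backup-tree prefix such as /home/jerry/tmp/daily.0/localhost
# (assumption: the prefix ends in "/localhost"), so that
# .../daily.0/localhost/bin/ping becomes /bin/ping.
live_path() {
    case "$1" in
        */localhost/*) printf '%s\n' "/${1#*/localhost/}" ;;
        *)             printf '%s\n' "$1" ;;
    esac
}

# Path from an msec "- Checksum changed file : <path>" line (empty otherwise).
changed_file() {
    printf '%s\n' "$1" | sed -n 's/^- Checksum changed file : //p'
}

# Verify one live binary: present, setuid/setgid, and unchanged
# according to its package (rpm -V lists changed attributes;
# a '5' in column 3 means the MD5 differs). Needs GNU stat.
verify_suid() {
    f=$1
    [ -e "$f" ] || { echo "$f: missing on this host"; return 1; }
    mode=$(stat -c %a "$f")
    case "$mode" in
        [2467]???) ;;
        *) echo "$f: no setuid/setgid bit (mode $mode)"; return 1 ;;
    esac
    command -v rpm >/dev/null 2>&1 ||
        { echo "$f: mode $mode, rpm not available to verify"; return 2; }
    pkg=$(rpm -qf "$f") || { echo "$f: not owned by any package"; return 1; }
    diff=$(rpm -V "$pkg" | awk -v f="$f" '$NF == f')
    [ -z "$diff" ] && { echo "$f: ok ($pkg)"; return 0; }
    echo "$f: DIFFERS from $pkg: $diff"; return 1
}

# Constructed input: two lines copied from the thread's warning.
SAMPLE='- Checksum changed file : /home/jerry/tmp/daily.0/localhost/bin/ping
- Checksum changed file : /home/jerry/tmp/daily.1/localhost/usr/lib/ssh/ssh-keysign'

triage() {
    printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
        p=$(changed_file "$line"); [ -n "$p" ] || continue
        verify_suid "$(live_path "$p")"
    done
}
```

Run `triage` on a Mandriva-style host to get one verdict line per file; a "DIFFERS" line with a '5' in the rpm -V flags is the case worth pulling a known-good package for.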

High-gain 09-14-2010 01:29 AM

Thank you again uSpawn for taking the time to answer
my questions.
Have just received your answer so will take some time
to digest and then take some action.

**************************************************
Another query that perhaps you could help with please.

When you first download any Linux version,
do you have to set up the root account as 'admin',
or is this done automatically?
Looking at the above messages about permissions, it
seems to me that I should set root as 755 'admin'.

Sorry about the silly questions but am getting a bit
bogged down with my understanding of Linux.

Do appreciate you taking the time to look at this,
also for your input.
Thanks

unSpawn 09-14-2010 04:16 PM

Quote:

Originally Posted by High-gain (Post 4096771)
will take some time to digest and then take some action.

Take your time.


Quote:

Originally Posted by High-gain (Post 4096771)
When you first download any linux version, do you have to set up the root account as 'admin', or is this done automatically. Looking at the above messages about permissions, it seems to me that I should set root as 755 'admin'.

That's just plain wrong. "root" or "/" is the, well, root of the file system. It should be owned by user and group root and have octal mode 0775 access rights. I don't know Msec's rationale for having it owned by any other user. The Mandrake / Mandriva Control Center allows you access to msecgui via the "security" tab where you can change check interval, disable certain checks or add, change or delete rules (permissions tab) and have them (not) enforced. I'd delete the rule.

High-gain 09-15-2010 03:08 AM

Thank you uSpawn.

Will change the message rule you described.

I am indebted to you for all your
help and advice.

Best wishes and thanks again.

High-gain 09-17-2010 01:42 PM

Hi uSpawn -
Recently you helped me with some questions I had
on permissions which were thrown up in the /var/log/security.log, also
a few hiccups I had with #rkhunter.

Most of your advice has been actioned except for the items below.

Could you point me in the right direction to find these files please,
and how would I go about changing them as instructed by the message.
Am not sure what #user=nobody is or where it is at.

Thanks again for looking at my questions.

********************************************************************************
Permissions changes on system files

Security Warning: these home directory should not be owned by someone else or writable :
user=nobody(65534) : home directory is group writable.
user=nobody(65534) : home directory is other writable.
user=messagebus(13) : home directory is group writable.
user=messagebus(13) : home directory is other writable.
user=polkituser(14) : home directory is group writable.
user=polkituser(14) : home directory is other writable.
user=haldaemon(15) : home directory is group writable.
user=haldaemon(15) : home directory is other writable.
user=rpc(16) : home directory is group writable.
user=rpc(16) : home directory is other writable.
**************************************************************************************

unSpawn 09-18-2010 03:49 AM

Quote:

Originally Posted by High-gain (Post 4100954)
user=[ACCOUNT]([UID]) : home directory is group writable.
user=[ACCOUNT]([UID]) : home directory is other writable.

ACCOUNT is the account name and UID is the numerical value of the same. If you run 'getent passwd nobody' you will see that the 6th field (colon-separated) is the accounts home. Run this for each user=[ACCOUNT] and you'll find most homes will be "/" as these are system accounts. Running 'stat -c %a /' shows the access rights as before which should return "755", so basically the check is superfluous and the rule could be disabled or deleted.
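The getent/stat procedure above, as an added shell example (not code from the thread): it takes the 6th colon-separated field of a passwd entry as the account's home and reads the group and other write bits out of the octal mode, which is exactly the condition msec's "home directory is group/other writable" check reports on. The passwd lines are constructed to match the accounts in the warning; the function names are my own.

```shell
# Added example (not from the thread): redo msec's "home directory is
# group/other writable" check by hand, following unSpawn's steps: take
# the 6th colon-separated field of the passwd entry as the home, then
# inspect the directory's octal mode. Sample passwd lines are constructed.

# passwd(5): field 6 is the home directory.
home_of() {
    printf '%s\n' "$1" | cut -d: -f6
}

# Given an octal mode string as printed by 'stat -c %a' (755, 1777, ...),
# report which msec conditions hold: none, group, other or group,other.
writable_by() {
    m=$1
    other=${m#"${m%?}"}            # last digit: other
    rest=${m%?}
    group=${rest#"${rest%?}"}      # second-to-last digit: group
    g=0; o=0
    case "$group" in 2|3|6|7) g=1 ;; esac   # write bit set in digit
    case "$other" in 2|3|6|7) o=1 ;; esac
    if [ $g -eq 1 ] && [ $o -eq 1 ]; then echo "group,other"
    elif [ $g -eq 1 ]; then echo "group"
    elif [ $o -eq 1 ]; then echo "other"
    else echo "none"; fi
}

# Live check for one account (needs getent and GNU stat, i.e. Linux).
check_home() {
    acct=$1
    entry=$(getent passwd "$acct") || { echo "$acct: no such account"; return 1; }
    home=$(home_of "$entry")
    [ -d "$home" ] || { echo "$acct: home $home does not exist"; return 1; }
    mode=$(stat -c %a "$home"); owner=$(stat -c %U:%G "$home")
    echo "$acct: home=$home owner=$owner mode=$mode writable_by=$(writable_by "$mode")"
}

# Constructed passwd entries for three accounts named in the warning.
SAMPLE='nobody:x:65534:65534:Nobody:/:/bin/sh
messagebus:x:13:13:system user for dbus:/:/sbin/nologin
rpc:x:16:16:system user for rpcbind:/:/bin/false'

# Offline walk-through: these system accounts share "/" as their home,
# so a single correct mode on "/" (0755) clears all of the warnings.
walk() {
    printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
        printf '%s -> %s\n' "${line%%:*}" "$(home_of "$line")"
    done
}
```

On a live host, `check_home nobody` prints the owner and mode of "/"; if writable_by is anything but none, fix the mode of "/" rather than chasing each account separately.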

High-gain 09-19-2010 02:41 AM

Thanks again uSpawn for explaining the above.

You say that basically the check is superfluous and the rule
could be disabled or deleted. Hope this does not sound a
stupid question, but most of these files have the '*' behind
them, which I presume means 'all files', so can I just delete
that file, even with the "*"?

These 2 files
#user=nobody(65534) : home directory is group writable,

after using
#getent passwd nobody

it shows the file "sh@" (without the ").

I am not sure what the "@" stands for, and will it be ok to delete
these files?

I realize you are extremely busy answering more important questions,
but thank you again, I do appreciate your time and attention.

unSpawn 09-20-2010 01:14 PM

Quote:

Originally Posted by High-gain (Post 4102267)
uSpawn

Not as in U-turn: there's a "n" in there somewhere.


Quote:

Originally Posted by High-gain (Post 4102267)
most of these files have the '*' behind them, which I presume means 'all files', so can I just delete that file, even with the "*".

Uh. Could you list these rules (text or screenshot)? I'm not sure I can see them in Msec.


Quote:

Originally Posted by High-gain (Post 4102267)
extremely busy answering more important questions

Your questions are as important as any other members'.

High-gain 09-21-2010 04:17 PM

Thank you again unSpawn - sorry about my last typo in your nom de plume.

Sorry I have not replied sooner, but have a few problems with my Internet.
The telephone line seems to have a lot of noise on the line at the moment.

Have checked my logs regarding my last question to you, and it seems as if
they have disappeared. But will continue to monitor them as a priority.

Have noticed that several of the log files keep changing their permissions,
but am guessing that some software is changing that as well, so will have to
also dig deeper on that as well.

Thank you again for all your help. I think that all my questions have been
answered on my original question, so can I presume that it is now closed?

If I have any other queries, may I ask your permission to contact you again and
ask for further help?

Your advice and input has been most appreciated. Thank you and good luck.

unSpawn 09-21-2010 05:13 PM

Quote:

Originally Posted by High-gain (Post 4104926)
Have noticed that several of the log files keep changing their permissions, but am guessing that some software is changing that as well, so will have to also dig deeper on that as well.

With the right documentation and tools, do search LQ for specific terms or similar threads, at hand there's no need for guessing.


Quote:

Originally Posted by High-gain (Post 4104926)
If I have any other queries, may I ask your permission to contact you again and ask for further help.

You don't need any permission: we're a freely accessible forum and there's many fellow members here that will help you.
