Back Door message + permission changes
Mandriva 2009
Hi There - checking through my 'security.log' this morning, I came across the messages below. Over this last weekend I updated my system through the usual channel, almost 404 files. I also have a lot of permission changes indicated; can I change these files to what the message says? I am a newbie on Linux, so am a bit paranoid about security at the moment, so is this anything to worry about please, or could it be due to the updated files I installed?

**************************************************************************************************
Security Warning: the md5 checksum for one of your SUID files has changed, maybe an intruder modified one of these suid binary in order to put in a backdoor...
- Checksum changed file : /home/jerry/tmp/daily.0/localhost/bin/ping
- Checksum changed file : /home/jerry/tmp/daily.0/localhost/bin/su
- Checksum changed file : /home/jerry/tmp/daily.0/localhost/sbin/mount.nfs
- Checksum changed file : /home/jerry/tmp/daily.0/localhost/usr/bin/ping6
- Checksum changed file : /home/jerry/tmp/daily.0/localhost/usr/bin/pulseaudio
- Checksum changed file : /home/jerry/tmp/daily.0/localhost/usr/bin/sperl5.10.0
- Checksum changed file : /home/jerry/tmp/daily.0/localhost/usr/bin/Xwrapper
- Checksum changed file : /home/jerry/tmp/daily.0/localhost/usr/lib/kde4/libexec/kcheckpass
- Checksum changed file : /home/jerry/tmp/daily.0/localhost/usr/sbin/traceroute6
- Checksum changed file : /home/jerry/tmp/daily.0/localhost/usr/sbin/usernetctl
- Checksum changed file : /home/jerry/tmp/daily.1/localhost/usr/bin/gpgsm
- Checksum changed file : /home/jerry/tmp/daily.1/localhost/usr/lib/ssh/ssh-keysign

Security Warning: There are modifications for port listening on your machine :
- Opened ports : udp 0 0 localhost:40325 *:* 21487/skype
- Closed ports : udp 0 0 localhost:56645 *:* 4528/skype

Security Warning: There are modifications for chkrootkit results :
- Added : ! root 21159 tty7 /etc/X11/X -deferglyphs 16 -nolisten tcp :0 vt7 -auth /var/run/xauth/A:0-mc9pBQ
- Removed : ! root 4013 tty7 /etc/X11/X -deferglyphs 16 -nolisten tcp :0 vt7 -auth /var/run/xauth/A:0-mc9pBQ

*** Security Check, Mon Sep 13 04:15:49 BST 2010 ***
***************************************************************************************************

***************************************************************************
Permissions changes on system files:
Wrong permissions of /etc/rc.d/init.d/netfs: should be 744
Wrong permissions of /etc/profile.d/50glib20.csh: should be 755
Wrong permissions of /etc/rc.d/init.d/netconsole: should be 744
Wrong permissions of /etc/rc.d/init.d/nfs-common: should be 744
Wrong permissions of /etc/rc.d/init.d/single: should be 744
Wrong permissions of /etc/profile.d/90ssh-askpass.csh: should be 755
Wrong permissions of /etc/rc.d/init.d/halt: should be 744
Wrong permissions of /etc/rc.d/init.d/mandrake_firstime: should be 744
Wrong permissions of /etc/profile.d/10lang.csh: should be 755
Wrong permissions of /etc/profile.d/openoffice.org.sh: should be 755
Wrong permissions of /etc/profile.d/30python.sh: should be 755
Wrong permissions of /etc/rc.d/init.d/killall: should be 744
Wrong permissions of /etc/profile.d/90ssh-client.sh: should be 755
Wrong permissions of /etc/rc.d/init.d/irqbalance: should be 744
Wrong permissions of /etc/profile.d/openoffice.org.csh: should be 755
Wrong permissions of /etc/profile.d/10tmpdir.csh: should be 755
Wrong group of /: should be adm
Wrong permissions of /: should be 755
Wrong permissions of /var/log/cups/access_log: should be 640
Wrong permissions of /etc/rc.d/init.d/sshd: should be 744
Wrong permissions of /etc/profile.d/10inputrc.sh: should be 755
Wrong permissions of /etc/rc.d/init.d/vdr: should be 744
Wrong permissions of /etc/rc.d/init.d/portreserve: should be 744
Wrong permissions of /etc/profile.d/10lang.sh: should be 755
Wrong permissions of /etc/profile.d/90qtdir3.sh: should be 755
Wrong permissions of /var/log/cups/error_log: should be 640
Wrong permissions of /etc/rc.d/init.d/acpid: should be 744
Wrong permissions of /etc/rc.d/init.d/msec: should be 744
Wrong permissions of /etc/rc.d/init.d/ip6tables: should be 744
Wrong permissions of /etc/rc.d/init.d/network-up: should be 744
Wrong permissions of /etc/rc.d/init.d/network: should be 744
Wrong permissions of /etc/rc.d/init.d/mandrake_everytime: should be 744
Wrong permissions of /etc/rc.d/init.d/partmon: should be 744
Wrong permissions of /home/lost+found: should be 755
Wrong permissions of /etc/rc.d/init.d/mdadm: should be 744
Wrong permissions of /etc/profile.d/90qtdir3.csh: should be 755
Wrong permissions of /var/log/ConsoleKit/history: should be 640
Wrong permissions of /etc/profile.d/10tmpdir.sh: should be 755
Wrong permissions of /etc/rc.d/init.d/cups: should be 744
Wrong permissions of /etc/rc.d/init.d/udev-post: should be 744
Wrong permissions of /etc/rc.d/init.d/ntpd: should be 744
Wrong permissions of /etc/rc.d/init.d/dm: should be 744
Wrong permissions of /usr/lost+found: should be 755
Wrong permissions of /etc/rc.d/init.d/network-auth: should be 744
Wrong permissions of /etc/profile.d/90ssh-askpass.sh: should be 755
Wrong permissions of /etc/profile.d/50glib20.sh: should be 755
Wrong permissions of /etc/rc.d/init.d/iptables: should be 744
Wrong permissions of /etc/profile.d/10inputrc.csh: should be 755
Wrong permissions of /etc/rc.d/init.d/mandi: should be 744
Wrong permissions of /var/log/cups/page_log: should be 640
Wrong permissions of /etc/profile.d/kde4.sh: should be 755
Wrong permissions of /home/simon: should be 755
Wrong permissions of /etc/rc.d/init.d/shorewall: should be 744
Wrong permissions of /etc/profile.d/30python.csh: should be 755
**************************************************************************

Thanks for looking.
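The messages in the post above come from msec's periodic checks. The script below is an added example, not msec's code and not posted by anyone in this thread: it reimplements the two checks in plain sh (a baseline of setuid-binary checksums, and an expected-permissions list in msec's "Wrong permissions of X: should be Y" wording) against a throwaway directory, so you can see exactly what trips each message. The function names, the sample files and the expected-mode list are ours; it assumes GNU coreutils (md5sum, stat -c) and paths without whitespace. One thing worth noticing in the log itself: every flagged SUID path sits under /home/jerry/tmp/daily.0/localhost/ and daily.1/, which looks like a snapshot-style backup copy of the system tree (an assumption from the layout), not the live /bin and /usr/bin; the live files are the ones to verify, and on an RPM-based system `rpm -Vf /bin/ping` does that against the package's recorded digest and mode without a hand-kept baseline.

```shell
#!/bin/sh
# Added example, not msec's own code: a plain-sh version of the checks behind
# "md5 checksum for one of your SUID files has changed" and
# "Wrong permissions of X: should be Y". Assumes GNU coreutils and paths
# without whitespace. Function names and sample data are ours.

# Write "md5  path" for every setuid file below $1 into baseline file $2.
suid_baseline() {
    find "$1" -type f -perm -4000 -exec md5sum {} + > "$2"
}

# Compare the setuid files below $1 with baseline $2. Prints one msec-style
# line per file whose md5 differs; prints nothing when nothing changed.
suid_check() {
    find "$1" -type f -perm -4000 -exec md5sum {} + |
    awk -v base="$2" '
        BEGIN { while ((getline line < base) > 0) { split(line, f, " "); old[f[2]] = f[1] } }
        ($2 in old) && old[$2] != $1 { print "- Checksum changed file : " $2 }'
}

# Read "relative-path mode [group]" lines on stdin and compare each with the
# file below $1. mode is octal as stat prints it (4755 for a setuid file).
# Files missing from the tree are skipped, as msec skips them.
perm_check() {
    while read -r rel want_mode want_group; do
        [ -n "$rel" ] || continue
        have_mode=$(stat -c '%a' "$1/$rel" 2>/dev/null) || continue
        if [ "$have_mode" != "$want_mode" ]; then
            echo "Wrong permissions of $rel: should be $want_mode"
        fi
        if [ -n "$want_group" ]; then
            have_group=$(stat -c '%G' "$1/$rel")
            if [ "$have_group" != "$want_group" ]; then
                echo "Wrong group of $rel: should be $want_group"
            fi
        fi
    done
}

# Worked run in a temporary tree standing in for a copy of /.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/bin" "$t/etc/rc.d/init.d"
    printf 'ping, as installed\n' > "$t/bin/ping"; chmod 4755 "$t/bin/ping"
    printf 'su, as installed\n'   > "$t/bin/su";   chmod 4755 "$t/bin/su"
    printf '#!/bin/sh\n' > "$t/etc/rc.d/init.d/sshd"; chmod 755 "$t/etc/rc.d/init.d/sshd"
    suid_baseline "$t" "$t/suid.md5"
    # A package update (or an intruder) replaces ping. Writing to a file as
    # an unprivileged user clears its setuid bit, so restore it the way the
    # package manager would; otherwise the file silently drops out of the scan.
    printf 'ping, updated\n' > "$t/bin/ping"; chmod 4755 "$t/bin/ping"
    suid_check "$t" "$t/suid.md5"          # reports only bin/ping
    printf '%s\n' 'bin/ping 4755' 'etc/rc.d/init.d/sshd 744' | perm_check "$t"
    rm -rf "$t"
}

demo
```

Run on a real system, point the functions at / (or at the backup copy, if that is what you want to audit) and keep the baseline somewhere the machine cannot rewrite it, e.g. on removable media; a baseline stored on the same disk is only as trustworthy as the disk. After a package update the right response to a changed checksum is `rpm -Vf <path>`, which answers "update or intruder" from the package database rather than from a file the intruder could also have edited.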
Thank you again uSpawn for taking the time to answer my questions. I have just received your answer, so will take some time to digest it and then take some action.

**************************************************
Another query that perhaps you could help with please. When you first download any Linux version, do you have to set up the root account as 'admin', or is this done automatically? Looking at the above messages about permissions, it seems to me that I should set root as 755 'admin'. Sorry about the silly questions, but I am getting a bit bogged down with my understanding of Linux. I do appreciate you taking the time to look at this, and also your input. Thanks
Thank you uSpawn. I will change the message rule you described. I am indebted to you for all your help and advice. Best wishes and thanks again.
Hi uSpawn -
Recently you helped me with some questions I had on permissions which were thrown up in /var/log/security.log, and also a few hiccups I had with #rkhunter. Most of your advice has been actioned except for the items below. Could you point me in the right direction to find these files please, and how would I go about changing them as instructed by the message? I am not sure what #user=nobody is or where it is. Thanks again for looking at my questions.

********************************************************************************
Permissions changes on system files
Security Warning: these home directory should not be owned by someone else or writable :
user=nobody(65534) : home directory is group writable.
user=nobody(65534) : home directory is other writable.
user=messagebus(13) : home directory is group writable.
user=messagebus(13) : home directory is other writable.
user=polkituser(14) : home directory is group writable.
user=polkituser(14) : home directory is other writable.
user=haldaemon(15) : home directory is group writable.
user=haldaemon(15) : home directory is other writable.
user=rpc(16) : home directory is group writable.
user=rpc(16) : home directory is other writable.
**************************************************************************************
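The "home directory is group writable / other writable" lines above are produced by walking the password database and testing each account's home directory. The script below is an added example, not msec's code and not from anyone in this thread: it reproduces that check in plain sh so the reader can see which account, which directory and which mode bit each line refers to. The passwd lines in it are constructed for the demo, the function name is ours, and it assumes GNU `stat -c`; on a real system feed it `getent passwd` instead.

```shell
#!/bin/sh
# Added example, not msec's own code: rebuild the home-directory writability
# check from passwd-format input. Assumes GNU coreutils (stat -c).

# Read passwd lines (name:pw:uid:gid:gecos:home:shell) on stdin and print one
# msec-style line per home directory that is group- or other-writable.
# Homes that do not exist as directories are skipped, as msec skips them.
homedir_check() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ -d "$home" ] || continue
        mode=$(stat -c '%a' "$home")
        # "0$mode" reads the octal string as a number; the write bit is 2 in
        # the group digit (020) and in the other digit (002).
        if [ $(( 0$mode & 020 )) -ne 0 ]; then
            echo "user=$name($uid) : home directory is group writable."
        fi
        if [ $(( 0$mode & 002 )) -ne 0 ]; then
            echo "user=$name($uid) : home directory is other writable."
        fi
    done
}

# Worked run with constructed accounts whose homes live in a temporary tree:
# jerry's home is 755 (clean), messagebus's is 775 (group writable), nobody's
# is 777 (group and other writable) and rpc's does not exist.
demo() {
    t=$(mktemp -d)
    mkdir -m 755 "$t/jerry"
    mkdir -m 775 "$t/messagebus"
    mkdir -m 777 "$t/nobody"
    printf '%s\n' \
        "jerry:x:500:500:Jerry:$t/jerry:/bin/bash" \
        "messagebus:x:13:13:System message bus:$t/messagebus:/sbin/nologin" \
        "nobody:x:65534:65534:Nobody:$t/nobody:/bin/sh" \
        "rpc:x:16:16:Portmapper RPC user:$t/absent:/sbin/nologin" |
    homedir_check
    rm -rf "$t"
}

demo
```

The fix for such a line is on the directory, not on the account: find the home with `getent passwd nobody | cut -d: -f6` and tighten that directory (755 removes both the group and the other write bit). Several system accounts often share one home, so one chmod can clear several of the lines at once; check what the directory is before changing it, since for these accounts it can be a system path rather than anything under /home.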
Thanks again uSpawn for explaining the above. You say that basically the check is superfluous and the rule could be disabled or deleted. I hope this does not sound a stupid question, but most of these files have the '*' behind them, which I presume means 'all files', so can I just delete that file, even with the "*"? For these 2 files, #user=nobody(65534) : home directory is group writable, after using #getent passwd nobody it shows the file "sh@" (without the "). I am not sure what the "@" stands for, and will it be OK to delete these files? I realize you are extremely busy answering more important questions, but thank you again, I do appreciate your time and attention.
Thank you again unSpawn - sorry about my last typo in your nom de plume. Sorry I have not replied sooner, but I have had a few problems with my Internet. The telephone line seems to have a lot of noise on it at the moment. I have checked my logs regarding my last question to you, and it seems as if they have disappeared, but I will continue to monitor them as a priority. I have noticed that several of the log files keep changing their permissions, but I am guessing that some software is changing that as well, so will have to dig deeper on that too. Thank you again for all your help. I think that all my questions have been answered on my original question, so can I presume that it is now closed? If I have any other queries, may I ask your permission to contact you again and ask for further help? Your advice and input has been most appreciated. Thank you and good luck.