LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Backdoor.Linux.Small & Linux.Plupii - Debian DSA-789-1 (https://www.linuxquestions.org/questions/linux-security-4/backdoor-linux-small-and-linux-plupii-debian-dsa-789-1-a-530258/)

DaveQB 02-18-2007 07:56 PM

Backdoor.Linux.Small & Linux.Plupii - Debian DSA-789-1
 
Hi all,

It seems I might have had this exploit on my server. Although, DSA-789-1 is fixed in sarge and php 4.3.10-16 (I have 4.3.10-18).



Here's what I found:

apache wasn't taking incoming connections, so I dug deep

Code:

server:/proc/15812# ps ax | grep apache
15812 ?        Ss    0:00 ./apache
10343 pts/0    S+    0:00 grep apache

Code:

server:/proc/15812# cat environ
PATH=/usr/local/bin:/usr/bin:/bin_=./apachePWD=/tmpLANG=CSHLVL=2

Code:

server:/proc/15812# ll /tmp/ -h
total 143M
-rw-r--r--  1 www-data www-data 1.5K Feb  2 11:34 BlueMarble.kml
-rw-r--r--  1 www-data www-data 143M Feb  6 21:42 WYD747.exe
-rwxrwxrwx  1 www-data www-data  19K May 13  2006 apache
drwx------  2 david    david    4.0K Jan 22 14:24 vmware-david

Code:

server:/proc/15812# md5sum /tmp/apache
cd10c520f924110d311b202a9f715b03  /tmp/apache

server:/proc/15812# md5sum  /usr/sbin/apache2ctl
0bae0b8f1088d3641659e4e8d9ef32b2  /usr/sbin/apache2ctl

server:/proc/15812# md5sum  /usr/sbin/apache2
cc8722680ff76f17b0f2bf3fc3c5bc76  /usr/sbin/apache2

Code:

server:/proc/15812# ll -h  /usr/sbin/apache2
-rwxr-xr-x  1 root root 376K Jul 28  2006 /usr/sbin/apache2

server:/proc/15812# ll -h  /usr/sbin/apache2ctl
-rwxr-xr-x  1 root root 3.1K Jul 28  2006 /usr/sbin/apache2ctl

server:/proc/15812# ll -h  /tmp/apache
-rwxrwxrwx  1 www-data www-data 19K May 13  2006 /tmp/apache

Found this little bit in the binary /tmp/apache

Code:

bcde0123456789abcdef/dev/ptmx/dev/pty/dev/ttysocketbindlisten
 Innocent Boys backdoor =]
 Binding the %d
OK, pid = %d
//dev/nullsh-i/tmpHOME=/tmpCan't fork pty, bye!
/bin/sd

Code:

tcp        0      0 0.0.0.0:9865            0.0.0.0:*              LISTEN    15812/apache
tcp6      0      0 :::80                  :::*                    LISTEN    15812/apache

Can't telnet in from external on port 9865 because it's behind a router.

I can put up the binary that was used, if anyone wants to look at it.

I am thinking it might be a variant on the known exploit. Maybe I need to report to Debian bugs?

Thanks for any tips or information.
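
The triage DaveQB did by hand above (ps, cat of /proc/PID/environ, md5sum of the binaries) as reusable shell functions. This is an added example, not code from the thread or from Debian; PID 15812 is a placeholder, and the only assumption about the host is the Debian convention of per-package md5sums files under /var/lib/dpkg/info.

```shell
#!/bin/sh
# Added example, not from the thread: the triage DaveQB did by hand (ps, /proc/PID/environ,
# md5sum of the binaries) as reusable functions. PID 15812 is a placeholder; the
# /var/lib/dpkg/info/<pkg>.md5sums location is Debian's real convention.

# /proc/PID/environ is NUL-separated, which is why "cat environ" in the thread printed
# PATH, _=./apache and PWD=/tmp run together. Print one variable per line instead.
decode_environ() {
    tr '\0' '\n' < "$1"
}

# What a PID is really executing. The link keeps working after the file on disk has
# been renamed or unlinked (then it ends in " (deleted)"), unlike the name shown by ps.
proc_exe() {
    readlink "/proc/$1/exe"
}

# Rough classification of where a service binary lives. A daemon whose executable sits
# in a world-writable scratch directory, or whose file has been unlinked, is not the
# packaged /usr/sbin/apache2 and deserves the attention DaveQB gave /tmp/apache.
classify_exe() {
    case "$1" in
        /tmp/*|/var/tmp/*|/dev/shm/*) echo suspicious ;;
        *" (deleted)")                echo suspicious ;;
        *)                            echo ok ;;
    esac
}

# Debian records an MD5 per installed file in /var/lib/dpkg/info/<pkg>.md5sums, with
# paths relative to /. Find the md5sums file that lists a binary (empty if none does).
dpkg_md5sums_for() {
    grep -l " ${1#/}\$" /var/lib/dpkg/info/*.md5sums 2>/dev/null | head -n 1
}

# Compare a binary on disk with the hash recorded in an md5sums file.
# Returns 0 on match, 1 on mismatch, 2 if the file is not listed at all.
verify_md5sums() {
    bin="$1"; sums="$2"
    expected=$(grep " ${bin#/}\$" "$sums" | cut -d' ' -f1)
    [ -n "$expected" ] || return 2
    actual=$(md5sum "$bin" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Put it together for one PID, e.g.:  triage_pid 15812
triage_pid() {
    pid="$1"
    exe=$(proc_exe "$pid") || { echo "no such process: $pid"; return 1; }
    echo "pid $pid exe $exe ($(classify_exe "$exe"))"
    echo "--- environment"
    decode_environ "/proc/$pid/environ"
    sums=$(dpkg_md5sums_for "$exe")
    if [ -n "$sums" ]; then
        if verify_md5sums "$exe" "$sums"; then
            echo "hash matches $(basename "$sums")"
        else
            echo "HASH MISMATCH against $(basename "$sums")"
        fi
    else
        echo "not owned by any package: no md5sums entry for $exe"
    fi
}
```

Two caveats for reading the result: the md5sums database lives on the same compromised disk, so a match only means the binary and the database agree with each other, not that both are clean; compare against a known-good install (or the package's values from a trusted mirror) before treating the packaged apache2 as untouched. And the /tmp binary in the thread would fall into the "not owned by any package" branch, which is itself the finding.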

unSpawn 02-18-2007 08:21 PM

Backdoor running as system user, usually due to lax security settings or running bad PHP applications.


Quote:

Originally Posted by DaveQB
Can't telnet in from external on port 9865 because it's behind a router.

Nor would you want to. It's uninteresting: take your loss and move on.
Mitigate (pull the plug), verify (start here: Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...hecklist.html), backup (start here: Steps for Recovering from a UNIX or NT System Compromise (CERT): http://www.cert.org/tech_tips/root_compromise.html), investigate, rebuild from scratch (LQ FAQ: Security references: http://www.linuxquestions.org/questi...threadid=45261)


Quote:

Originally Posted by DaveQB
It seems I might have had this exploit on my server.

Check your logs for clues.


Quote:

Originally Posted by DaveQB
I can put up the binary that was used, if anyone wants to look at it.

I'm interested, as always.

DaveQB 02-18-2007 08:48 PM

Thanks, I will follow that. I meant to mention that I ran tripwire and it found nothing changed. I have also run bastille when I set the server up to harden it. I also have rkhunter and chkrootkit running on cron jobs.


How did this exploit get onto my system? I haven't any xmlrpc.php-like files on the system. I have changed www-data's shell from /bin/sh to /bin/false. Would that help prevention?


[REMOVED]

unSpawn 02-19-2007 04:23 AM

Quote:

Originally Posted by DaveQB
I meant to mention that I ran tripwire and it found nothing changed.

When was that database last generated? What toplevel directories does it cover?

Quote:

Originally Posted by DaveQB
I have also run bastille when I set the server up to harden it.

Bastille-Linux is a hardening tool that allows you to opt out of applying some measures, right?
So running that doesn't necessarily mean you set everything, and everything as strict as possible, right?

Quote:

Originally Posted by DaveQB
Also have rkhunter and chkrootkit running on cron jobs.

What versions do you run? With respect to Rootkit Hunter (abbrev.: RKH), what tests did you disable? Neither RKH-1.2.9 nor CRT-0.47a covers stuff dumped in, say, /tmp right now, but RKH will cover a lot more in the upcoming release, including an option to scan arbitrary directories for signs of malware (and I should know ;-p).

Quote:

Originally Posted by DaveQB
I have changed www-data's shell from /bin/sh to /bin/false.

Shouldn't that have been an inert shell in the first place?

Quote:

Originally Posted by DaveQB
Would that help prevention?

It won't if PHP-based apps still allow one to perform system commands.

Quote:

Originally Posted by DaveQB
How did this exploit get onto my system? I haven't any xmlrpc.php-like files on the system.

Don't concentrate on one thing. The most important thing now is to mitigate the risk and "restore" (not "system restore" as in placing back a backup) the situation back to normal. Here's your projected route in a slightly more elaborate way:

1. Read the Intruder Detection Checklist so you know what to do,
2. Notify anyone who has access to the system it's been compromised and to stay off it,
3. Save open files, process and network data listings first then regain full control over the situation by minimally shutting down all non-essential services and raising the firewall. If there are doubts about the effectiveness of this (vs the severity of the breach) power down the box and only boot with a Live CD,
4. After stabilising, prepare /etc and /var backups and make backups for reference (not reuse) (see the "Steps for Recovering..." doc),
5. Investigate (if necessary). Use the steps from the Intruder Detection Checklist. Inspect and report back looking minimally at these (if available):
- (changes in or logged reports about) system authentication data,
- IDS (Snort, Prelude, router logs, filesystem integrity checkers, package manager if good enough),
- all system, daemon and firewall logs,
- installed SW (and was all SW updated?),
- running services,
- unusual (setuid root) files,
- user shell histories.
When you report back, separate posting exact and factual information from hints, hunches and gut feelings. What you report back will be seen as "evidence" to help you reach a "verdict" which should justify taking the next steps:
6. repartition, reformat, re-install from scratch,
7. harden (LQ FAQ: Security references).

HTH

DaveQB 02-19-2007 05:21 AM

Quote:

Originally Posted by unSpawn
I meant to mention that I ran tripwire and it found nothing changed.

When was that database last generated? What toplevel directories does it cover?

I stuck with the Debian default. I can post the config here if you like. I kept the database on an encfs so one has to have a password to mount it and use it. It is only ever mounted and unmounted manually by me and never left mounted.

Quote:

Originally Posted by unSpawn
I have also run bastille when I set the server up to harden it.

Bastille-Linux is a hardening tool that allows you to opt out of applying some measures, right?
So running that doesn't necessarily mean you set everything, and everything as strict as possible, right?

I pretty much turned it all on. There was one thing I remember not agreeing with for some reason, but basically I can't do much as a normal user. It's been annoying but needed, so it hasn't bothered me.

Quote:

Originally Posted by unSpawn
Also have rkhunter and chkrootkit running on cron jobs.

What versions do you run? With respect to Rootkit Hunter (abbrev.: RKH), what tests did you disable? Neither RKH-1.2.9 nor CRT-0.47a covers stuff dumped in, say, /tmp right now, but RKH will cover a lot more in the upcoming release, including an option to scan arbitrary directories for signs of malware (and I should know ;-p).

server:/etc/tripwire# rkhunter --version
Rootkit Hunter 1.2.9
server:/etc/tripwire# chkrootkit -V
chkrootkit version 0.44

I don't recall disabling any tests.


Quote:

Originally Posted by unSpawn
I have changed www-data's shell from /bin/sh to /bin/false.

Shouldn't that have been an inert shell in the first place?

Inert? What do you mean?
I would have thought Debian stable would not have given a shell to system users that didn't need it. :confused:

Quote:

Originally Posted by unSpawn
Would that help prevention?

It won't if PHP-based apps still allow one to perform system commands.

I removed horde, which I wasn't using, and 2 other php wikis that weren't being used at the moment. I also updated the one wiki I am using, PM wiki.

No mention of a security update in the change log though.

Quote:

Originally Posted by unSpawn
How did this exploit get onto my system? I haven't any xmlrpc.php-like files on the system.

Don't concentrate on one thing. The most important thing now is to mitigate the risk and "restore" (not "system restore" as in placing back a backup) the situation back to normal. Here's your projected route in a slightly more elaborate way:

1. Read the Intruder Detection Checklist so you know what to do,
2. Notify anyone who has access to the system it's been compromised and to stay off it,
3. Save open files, process and network data listings first then regain full control over the situation by minimally shutting down all non-essential services and raising the firewall. If there are doubts about the effectiveness of this (vs the severity of the breach) power down the box and only boot with a Live CD,
4. After stabilising, prepare /etc and /var backups and make backups for reference (not reuse) (see the "Steps for Recovering..." doc),
5. Investigate (if necessary). Use the steps from the Intruder Detection Checklist. Inspect and report back looking minimally at these (if available):
- (changes in or logged reports about) system authentication data,
- IDS (Snort, Prelude, router logs, filesystem integrity checkers, package manager if good enough),
- all system, daemon and firewall logs,
- installed SW (and was all SW updated?),
- running services,
- unusual (setuid root) files,
- user shell histories.
When you report back, separate posting exact and factual information from hints, hunches and gut feelings. What you report back will be seen as "evidence" to help you reach a "verdict" which should justify taking the next steps:
6. repartition, reformat, re-install from scratch,
7. harden (LQ FAQ: Security references).

HTH

Wow that will keep me busy for weeks to come!!




Here's what I found going through the logs tonight.


server:/log/apache# tail -n 1* error.log.1
[Sun Feb 18 06:27:55 2007] [notice] caught SIGTERM, shutting down

server:/log/apache# tail access.log.1 -n 1
65.55.208.62 - - [18/Feb/2007:05:55:34 +1100] "GET /software/ HTTP/1.0" 200 1485 "-" "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"

server:/log/apache# head access.log -n 1
10.1.1.115 - - [18/Feb/2007:15:32:15 +1100] "GET /me HTTP/1.1" 404 358 "-" "Mozilla/5.0 (compatible; Konqueror/3.5; Linux; x86_64) KHTML/3.5.5 (like Gecko) (Kubuntu)"

Down for 10 hours it seems. The SIGTERM that it was issued is a concern. I can't see any logs on who or how it was issued.

Other than that, nothing so far. I did a grep for apache in /var/log and nothing suspect came up.
I'll keep digging.

DaveQB 02-19-2007 06:11 AM

Would this be relevant? A little before the SIGTERM was sent to apache:

Code:

Feb 18 04:47:17 server sshd[24320]: Bad protocol version identification '\200\214\001\003\001' from ::ffff:72.30.177.96
Feb 18 04:47:23 server sshd[24322]: Bad protocol version identification '\200\214\001\003\001' from ::ffff:74.6.65.240

In loginlog.0

It just looks like an ssh login attempt using ipv6, no?

DaveQB 02-19-2007 06:19 AM

Code:

Feb 18 06:25:02 server su[1665]: + ??? root:nobody
Feb 18 06:25:02 server su[1665]: (pam_unix) session opened for user nobody by (uid=0)

In auth.log.0

It also appears that syslog is stopped and restarted by the system (to rotate logs, I am assuming) at 6:25am and generally started again by 6:28. So this SIGTERM at 6:27:55 would have been missed by syslogd, I think.

unSpawn 02-19-2007 01:16 PM

I'll react to your replies later on, but meanwhile I'd like to remark that it's best to first gather all data necessary and only *then* concentrate on details. The first, crucial and guiding question should be: "did they get root account access" because that justifies later actions to take. Then the second question should be: "what attack vector was used" because it shows what measures should be taken in the hardening phase. Wrt posting information, this means investigating changes in the filesystem, auth data and such should go first and httpd logs and such later on.

DaveQB 02-19-2007 02:32 PM

Does this look normal?

Code:

server:/log# find / -user root -perm -4000 -print
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/gpg
/usr/bin/mtr
/usr/bin/procmail
/usr/bin/sudo
/usr/bin/smbumount
/usr/bin/smbmnt
/usr/bin/lpr
/usr/bin/fusermount
/usr/bin/vmware-ping
/usr/lib/pt_chown
/usr/lib/ssh-keysign
/usr/lib/apache2/suexec2
/usr/lib/vmware/bin/vmware-vmx
/usr/lib/vmware/bin-debug/vmware-vmx
/usr/sbin/vmware-authd
/usr/X11R6/bin/X
/bin/login
/bin/su
find: /proc/5086/task/5086/fd/4: No such file or directory
/sbin/unix_chkpwd

Code:

find / -group kmem -perm -2000 -print
The above finds nothing.
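
A first-response collector for step 3 of unSpawn's route above ("save open files, process and network data listings first") and the setuid and unusual-files sweep of step 5 that DaveQB then ran with find. This is an added example, not the thread's own tooling or anything from the CERT documents; OUTDIR and the ROOT to sweep are the caller's arguments, and the tools it looks for (ps, ss or netstat, lsof, sha256sum) are assumed to be whatever the box happens to have.

```shell
#!/bin/sh
# Added example, not from the thread: a first-response collector for unSpawn's step 3
# ("save open files, process and network data listings first") and the setuid /
# unusual-files sweep of step 5 that DaveQB ran with find. OUTDIR and ROOT are
# arguments; ps, ss/netstat and lsof are used only if present on the host.

# Snapshot volatile state before anything is stopped or unplugged. Every listing is
# hashed so the copies can later be shown to be the ones taken at collection time.
# Tools missing on the host are skipped rather than aborting the run.
collect_volatile() {
    out="$1"
    mkdir -p "$out"
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$out/collected_at.txt"
    command -v ps >/dev/null 2>&1 && ps axww > "$out/ps.txt" 2>&1
    if command -v ss >/dev/null 2>&1; then
        ss -tulpen > "$out/sockets.txt" 2>&1      # listeners with owning PID, like the netstat lines in the thread
    elif command -v netstat >/dev/null 2>&1; then
        netstat -tulpen > "$out/sockets.txt" 2>&1
    fi
    command -v lsof >/dev/null 2>&1 && lsof -nP > "$out/lsof.txt" 2>&1
    # /proc/PID/exe still points at the binary after it is renamed or deleted,
    # which the process name shown by ps does not reveal.
    for p in /proc/[0-9]*; do
        printf '%s %s\n' "${p#/proc/}" "$(readlink "$p/exe" 2>/dev/null)"
    done > "$out/exe_links.txt"
    (cd "$out" && find . -type f ! -name SHA256SUMS -exec sha256sum {} + > SHA256SUMS)
}

# Setuid files under ROOT without crossing mounts, like DaveQB's find (minus -user root,
# so setuid files owned by other users show up too). Diff the output against the list
# from a clean install of the same release; the extra entries are what needs explaining.
find_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Executables that anyone may overwrite. /tmp/apache and /tmp/r0nin in the thread were
# mode 777 under www-data, which is exactly what this picks out.
find_world_writable_execs() {
    find "$1" -xdev -type f -perm -0002 -perm -0100 2>/dev/null | sort
}

# Usage, as root on the affected host, writing to media that is not the host's own disk:
#   collect_volatile /mnt/usb/evidence
#   find_setuid / > /mnt/usb/evidence/setuid.txt
#   find_world_writable_execs /tmp > /mnt/usb/evidence/ww-exec.txt
```

Write the output somewhere other than the compromised filesystem (mounted USB stick, scp to another host) so the listings survive a rebuild and cannot be edited in place, and take them before the firewall is raised or services are stopped, since the listening socket and the PID behind it are exactly what disappears once apache is killed.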

DaveQB 02-19-2007 02:35 PM

Quote:

Originally Posted by unSpawn
The first, crucial and guiding question should be: "did they get root account access" because that justifies later actions to take.


Yeah, that's exactly what I want to know.

So far I'd say no; apart from getting apache to shut down, that's the only alarming thing so far.

I am just about through the checklist; will hopefully finish that today.

unSpawn 02-19-2007 07:14 PM

Quote:

Originally Posted by DaveQB
I am just about through the checklist; will hopefully finish that today.

OK, I'll wait for that then.

DaveQB 02-19-2007 11:28 PM

Hectic day at work unfortunately, so I haven't finished the checklist. (I think only a point to go, though.)

I did, however, install and run tiger. What an awesome tool!! I love it already. Nothing too bad from the report, but I will post it when I get home tonight. I also stumbled across this:

Quote:

If you wish to gather more information, the tct (The Coroner's Toolkit from Dan Farmer and Wietse Venema) package contains utilities which perform a 'post mortum' of a system. tct allows the user to collect information about deleted files, running processes and more.

To be continued......

DaveQB 02-22-2007 01:53 AM

So I finally got a chance to finish the checklist. Nothing else came up apart from what I have posted and ....

Running:

Code:

find / -name ".*" -print -xdev | cat -v
Returns a lot of kernel source code.

It did finish with these entries

Code:

/tmp/.X11-unix
/tmp/.ICE-unix
/tmp/.X64-lock
/tmp/.font-unix

So I went into /tmp to have a look and found this odd listing

Code:

server:/tmp# ll -a
total 96
drwxrwxrwt  6 root    root      4096 Feb 22 18:30 .
drwxr-xr-x  23 root    root      4096 Jan 19 12:39 ..
drwxrwxrwt  2 root    root      4096 Jan 22 01:35 .ICE-unix
drwxrwxrwt  2 root    root      4096 Jan 22 01:36 .X11-unix
-r--r--r--  1 root    root        11 Jan 22 01:36 .X64-lock
drwxrwxrwt  2 root    root      4096 Jan 22 01:36 .font-unix
-rwxr-xr-x  1 root    root    23538 Feb 22 18:20 a.out
-rw-r--r--  1 www-data www-data 19890 Feb 21 12:41 botnet.txt
-rwxrwxrwx  1 www-data www-data 23570 Feb 16 05:49 r0nin
drwx------  2 david    david    4096 Jan 22 14:24 vmware-david

so...

Code:

server:/tmp# file r0nin
r0nin: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.0, dynamically linked (uses shared libs), not stripped
server:/tmp# ll /tmp/r0nin
-rwxrwxrwx  1 www-data www-data 23570 Feb 16 05:49 /tmp/r0nin

and..

Code:

server:/tmp# clamscan r0nin
r0nin: Linux.RST.B FOUND

----------- SCAN SUMMARY -----------
Known viruses: 90297
Engine version: 0.84
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
Time: 6.854 sec (0 m 6 s)

and

Code:

server:/tmp# ll a.out
-rwxr-xr-x  1 root root 23538 Feb 22 18:20 a.out

server:/tmp# clamscan a.out
a.out: Linux.RST.B FOUND

----------- SCAN SUMMARY -----------
Known viruses: 90297
Engine version: 0.84
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
Time: 6.778 sec (0 m 6 s)

Also checked out this "text" file that looks more like.

Code:

server:/tmp# ll botnet.txt
-rw-r--r--  1 www-data www-data 19890 Feb 21 12:41 botnet.txt
server:/tmp# clamscan botnet.txt
botnet.txt: OK

----------- SCAN SUMMARY -----------
Known viruses: 90297
Engine version: 0.84
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.02 MB
Time: 6.997 sec (0 m 6 s)

But copying it to here at work, Symantec AV picked it up straight away as
Quote:

IRC.Backdoor.Trojan
and deleted it.


Code:

server:/tmp# head -n 30 botnet.txt
################ CONFIGURACAO #################################################################
my $processo = '/usr/locall/apache/bin/httpd -DSSL';                  # Nome do processo que vai aparece no ps      #
#----------------------------------------------################################################
my $linas_max='8';                            # Evita o flood :) depois de X linhas        #
#----------------------------------------------################################################
my $sleep='4';                                # ele dorme X segundos                        #
##################### IRC #####################################################################
my @adms=("Br4Nco","owned");                  # Nick do administrador                        #
#----------------------------------------------################################################
my @canais=("#packets");                          # Caso haja senha ("#canal :senha")            #
#----------------------------------------------################################################
my $nick='net';                    # Nick do bot. Caso esteja em uso vai aparecer #
                                              # aparecer com numero radonamico no final      #
#----------------------------------------------################################################
my $ircname = 'id';                          # User ID                                      #
#----------------------------------------------################################################
chop (my $realname = `uname -r`);              # Full Name                                    #
#----------------------------------------------################################################
$servidor='irc.quakenet.org' unless $servidor;    # Servidor de irc que vai ser usado            #
                                              # caso n?o seja especificado no argumento      #
#----------------------------------------------################################################
my $porta='6669';                              # Porta do servidor de irc                    #
################ ACESSO A SHELL ###############################################################
my $secv = 1;                                  # 1/0 pra habilita/desabilita acesso a shell  #
###############################################################################################

my $VERSAO = '0.2';

$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';



And look what else I stumbled across...

Code:

server:/tmp# ll /root/a.out
-rwxr-xr-x  1 root root 19421 Feb 21 14:12 /root/a.out

server:/tmp# clamscan /root/a.out
/root/a.out: Trojan.Linux.Small.I FOUND

----------- SCAN SUMMARY -----------
Known viruses: 90297
Engine version: 0.84
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
Time: 7.990 sec (0 m 7 s)



Looks like my server is becoming more of a honeypot. Dear lord!! :rolleyes:


I am going to run clamscan on the entire system and see what else pops up.

Obviously, this system needs to be wiped out, but what can I do right now to make the most of it and find out how this happened?

I have run tiger and will post the output on the next post.

Should I run snort on this? I have been wanting to install it, but haven't even had a chance to start a tutorial. I did read someone say just apt-get it, follow the prompts and watch it log. Is it that simple?

DaveQB 02-22-2007 01:56 AM

Tiger report


Code:

Security scripts *** 3.2.1, 2003.10.10.18.00 ***
Tue Feb 20 15:45:55 EST 2007
15:45> Beginning security report for server (GNU/Linux Linux 2.6.8-3-686).

# Performing check of passwd files...
# Checking entries from /etc/passwd.
--WARN-- [pass014w] Login (backup) is disabled, but has a valid shell.
--WARN-- [pass016w] User distccd has / as home directory
--WARN-- [pass015w] Login ID info does not have a valid shell (/bin/none).
--WARN-- [pass015w] Login ID intricateone does not have a valid shell
        (/bin/none).
--WARN-- [pass015w] Login ID lee44 does not have a valid shell (/bin/none).
--WARN-- [pass014w] Login (list) is disabled, but has a valid shell.
--WARN-- [pass015w] Login ID nath18 does not have a valid shell (/bin/none).
--WARN-- [pass015w] Login ID rick51 does not have a valid shell (/bin/none).
--WARN-- [pass015w] Login ID tak does not have a valid shell (/bin/none).
--WARN-- [pass015w] Login ID tut96 does not have a valid shell (/bin/none).
--WARN-- [pass015w] Login ID walton60 does not have a valid shell (/bin/none).
--WARN-- [pass001w] Username `anniversary' exists multiple times (2) in
        /etc/passwd.
--WARN-- [pass002w] UID 741 exists multiple times (2) in /etc/passwd.
--WARN-- [pass012w] Home directory /home/anniversary exists multiple times (2)
        in /etc/passwd.
--WARN-- [pass006w] Integrity of password files questionable (/usr/sbin/pwck
        -r).

# Performing check of group files...

# Performing check of user accounts...
# Checking accounts from /etc/passwd.
--WARN-- [acc019w] Login ID ben may be missing a shell initialization file
        /home/ben/.bashrc.
--WARN-- [acc008w] Login ID coach's .bashrc config file has group `users'
        write access.
--WARN-- [acc008w] Login ID coach's .bash_profile config file has group
        `users' write access.
--WARN-- [acc008w] Login ID david's .bashrc config file has group `501' write
        access.
--WARN-- [acc008w] Login ID david's .bash_profile config file has group `501'
        write access.
--WARN-- [acc008w] Login ID dennis's .bashrc config file has group `500' write
        access.
--WARN-- [acc008w] Login ID dennis's .bash_profile config file has group `500'
        write access.
--WARN-- [acc008w] Login ID info's .bashrc config file has group `users' write
        access.
--WARN-- [acc008w] Login ID info's .bash_profile config file has group `users'
        write access.
--WARN-- [acc008w] Login ID intricateone's .bashrc config file has group
        `users' write access.
--WARN-- [acc008w] Login ID intricateone's .bash_profile config file has group
        `users' write access.
--WARN-- [acc008w] Login ID jj's .bashrc config file has group `502' write
        access.
--WARN-- [acc008w] Login ID jj's .bash_profile config file has group `502'
        write access.
--WARN-- [acc008w] Login ID lee44's .bashrc config file has group `users'
        write access.
--WARN-- [acc008w] Login ID lee44's .bash_profile config file has group
        `users' write access.
--WARN-- [acc008w] Login ID nath18's .bashrc config file has group `users'
        write access.
--WARN-- [acc008w] Login ID nath18's .bash_profile config file has group
        `users' write access.
--WARN-- [acc006w] Login ID neill's home directory (/home/neill) has group
        `users' write access.
--WARN-- [acc021w] Login ID neill appears to be a dormant account.
--WARN-- [acc008w] Login ID neill's .bashrc config file has group `users'
        write access.
--WARN-- [acc008w] Login ID neill's .bash_profile config file has group
        `users' write access.
--WARN-- [acc022w] Login ID nobody home directory (/nonexistent) is not
        accessible.
--WARN-- [acc008w] Login ID rick51's .bashrc config file has group `users'
        write access.
--WARN-- [acc008w] Login ID rick51's .bash_profile config file has group
        `users' write access.
--WARN-- [acc019w] Login ID rwebster may be missing a shell initialization
        file /home/rwebster/.bashrc.
--WARN-- [acc008w] Login ID sam's .bashrc config file has group `users' write
        access.
--WARN-- [acc008w] Login ID sam's .bash_profile config file has group `users'
        write access.
--WARN-- [acc021w] Login ID sshd appears to be a dormant account.
--WARN-- [acc008w] Login ID tak's .bashrc config file has group `users' write
        access.
--WARN-- [acc008w] Login ID tak's .bash_profile config file has group `users'
        write access.
--WARN-- [acc008w] Login ID tut96's .bashrc config file has group `users'
        write access.
--WARN-- [acc008w] Login ID tut96's .bash_profile config file has group
        `users' write access.
--WARN-- [acc008w] Login ID walton60's .bashrc config file has group `users'
        write access.
--WARN-- [acc008w] Login ID walton60's .bash_profile config file has group
        `users' write access.

# Performing check of /etc/hosts.equiv and .rhosts files...

# Checking accounts from /etc/passwd...

# Performing check of .netrc files...

# Checking accounts from /etc/passwd...

# Performing common access checks for root (in /etc/default/login, /securetty, and /etc/ttytab...

# Performing check of PATH components...
--WARN-- [path009w] /etc/csh.login does not setenv an initial setting for
        PATH.
# Only checking user 'root'

# Performing check of anonymous FTP...

# Performing checks of mail aliases...
# Checking aliases from /etc/aliases.

# Performing check of `cron' entries...
--WARN-- CRON file `/var/spool/cron/crontabs/david' is owned by david.
--WARN-- [cron001w] cron entry for david does not use full pathname ():
--WARN-- [cron003] cron entry for david uses `/home/david/bin/backup-keep'
        which contains `/home/david/bin' which is group `501' writable.
        /home/david/bin/backup-keep

--WARN-- [cron004w] Root crontab does not exist
--WARN-- [cron006w]
        User root is allowed cron usage.
--WARN-- [cron006w]
        User david is allowed cron usage.

# Performing check of 'inetd'...
# Checking inetd entries from /etc/inetd.conf
--WARN-- [inet099w] '902' is not protected by tcp wrappers.

# Performing check of services with tcp wrappers...
# Analysing inetd entries from /etc/inetd.conf

# Performing check of 'services' ...
# Checking services from /etc/services.
--WARN-- [inet003w] The port for service postgres is also assigned to service
        postgresql.
--WARN-- [inet003w] The port for service postgres is also assigned to service
        postgresql.
--WARN-- [inet003w] The port for service sane is also assigned to service
        sane-port.

# Performing NFS exports check...

# Performing check of system file permissions...

# Performing signature check of system binaries...
--WARN-- [sig004w] None of the following versions of /bin/bash (-rwxr-xr-x)
        matched the /bin/bash on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /bin/login (-rwsr-xr-x)
        matched the /bin/login on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /bin/ls (-rwxr-xr-x)
        matched the /bin/ls on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /bin/mount (-rwxr-xr-x)
        matched the /bin/mount on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /bin/netstat (-rwxr-xr-x)
        matched the /bin/netstat on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /bin/ping (-rwxr-xr-x)
        matched the /bin/ping on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /bin/ps (-rwxr-xr-x)
        matched the /bin/ps on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /bin/su (-rwsr-xr-x)
        matched the /bin/su on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /bin/tcsh (-rwxr-xr-x)
        matched the /bin/tcsh on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /bin/umount (-rwxr-xr-x)
        matched the /bin/umount on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /sbin/portmap
        (-rwxr-x---) matched the /sbin/portmap on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /usr/bin/at (-rwxr-xr-x)
        matched the /usr/bin/at on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /usr/bin/chage
        (-rwxr-sr-x) matched the /usr/bin/chage on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /usr/bin/chfn
        (-rwsr-xr-x) matched the /usr/bin/chfn on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /usr/bin/chsh
        (-rwsr-xr-x) matched the /usr/bin/chsh on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /usr/bin/crontab
        (-rwxr-sr-x) matched the /usr/bin/crontab on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /usr/bin/gpasswd
        (-rwsr-x---) matched the /usr/bin/gpasswd on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /usr/bin/lockfile
        (-rwxr-sr-x) matched the /usr/bin/lockfile on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /usr/bin/lpq (-rwxr-xr-x)
        matched the /usr/bin/lpq on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /usr/bin/lpr (-rwsr-xr-x)
        matched the /usr/bin/lpr on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /usr/bin/lprm
        (-rwxr-xr-x) matched the /usr/bin/lprm on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /usr/bin/mutt
        (-rwxr-xr-x) matched the /usr/bin/mutt on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /usr/bin/newgrp
        (-rwsr-xr-x) matched the /usr/bin/newgrp on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /usr/bin/passwd
        (-rwsr-xr-x) matched the /usr/bin/passwd on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /usr/bin/procmail
        (-rwsr-sr-x) matched the /usr/bin/procmail on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /usr/bin/screen
        (-rwxr-sr-x) matched the /usr/bin/screen on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /usr/bin/ssh (-rwxr-xr-x)
        matched the /usr/bin/ssh on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /usr/bin/traceroute
        (lrwxrwxrwx) matched the /usr/bin/traceroute on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /usr/bin/wall
        (-rwxr-sr-x) matched the /usr/bin/wall on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /usr/bin/write
        (lrwxrwxrwx) matched the /usr/bin/write on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /usr/sbin/inetd
        (-rwxr-x---) matched the /usr/sbin/inetd on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /usr/sbin/lpc
        (-rwxr-s---) matched the /usr/sbin/lpc on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /usr/sbin/rpc.mountd
        (-rwxr-x---) matched the /usr/sbin/rpc.mountd on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /usr/sbin/sshd
        (-rwxr-xr-x) matched the /usr/sbin/sshd on this machine.
        >>>>>> Linux 2.4.17
       
--WARN-- [sig004w] None of the following versions of /usr/sbin/tcpd
        (-rwxr-x---) matched the /usr/sbin/tcpd on this machine.
        >>>>>> Linux 2.4.17
       

# Checking for known intrusion signs...
# Testing for promiscuous interfaces with /sbin/ifconfig
# Testing for backdoors in inetd.conf

# Performing check of files in system mail spool...
--WARN-- [kis008w] File "BOGUS.info.0vlB" in the mail spool, owned by "root".
--WARN-- [kis008w] File "BOGUS.jacqueline.FrE" in the mail spool, owned by
        "postfix".
--WARN-- [kis008w] File "BOGUS.nath18.QrE" in the mail spool, owned by
        "postfix".
--WARN-- [kis008w] File "BOGUS.tut96.crE" in the mail spool, owned by
        "postfix".
--WARN-- [kis008w] File "anniversary" in the mail spool, owned by "postfix".
--WARN-- [kis008w] File "apache" in the mail spool, owned by "postfix".
--WARN-- [kis008w] File "biz" in the mail spool, owned by "postfix".
--WARN-- [kis008w] File "brock83" in the mail spool, owned by "postfix".
--WARN-- [kis008w] File "bryan" in the mail spool, owned by "postfix".
--WARN-- [kis008w] File "coach" in the mail spool, owned by "postfix".
--WARN-- [kis008w] File "david.orig" in the mail spool, owned by "david".
--WARN-- [kis008w] File "dbnfl" in the mail spool, owned by "postfix".
--WARN-- [kis008w] File "dennis" in the mail spool, owned by "postfix".
--WARN-- [kis008w] File "desktop" in the mail spool, owned by "postfix".
--WARN-- [kis008w] File "intricateone" in the mail spool, owned by "postfix".
--WARN-- [kis008w] File "mail.spool.tar.bz2" in the mail spool, owned by
        "root".
--WARN-- [kis008w] File "metadot" in the mail spool, owned by "postfix".
--WARN-- [kis008w] File "mikesea" in the mail spool, owned by "postfix".
--WARN-- [kis008w] File "misspurple" in the mail spool, owned by "postfix".
--WARN-- [kis008w] File "neill" in the mail spool, owned by "postfix".
--WARN-- [kis008w] File "old" in the mail spool, owned by "postfix".
--WARN-- [kis008w] File "pic" in the mail spool, owned by "mrx".
--WARN-- [kis008w] File "proc.log" in the mail spool, owned by "root".
--WARN-- [kis008w] File "rick" in the mail spool, owned by "postfix".
--WARN-- [kis008w] File "rick51" in the mail spool, owned by "postfix".
--WARN-- [kis008w] File "server" in the mail spool, owned by "postfix".
--WARN-- [kis008w] File "surveys" in the mail spool, owned by "postfix".
--WARN-- [kis008w] File "totalsuccess" in the mail spool, owned by "postfix".
--WARN-- [kis008w] File "vcook" in the mail spool, owned by "postfix".
--WARN-- [kis008w] File "walton60" in the mail spool, owned by "postfix".
--WARN-- [kis008w] File "wapcaplet" in the mail spool, owned by "postfix".

# Performing check for rookits...
# Running chkrootkit (/usr/sbin/chkrootkit) to perform further checks...

# Performing system specific checks...
# Performing checks for Linux/2...

# Checking for single user-mode password...

# Checking boot loader file permissions...
--WARN-- [boot02] The configuration file /boot/grub/menu.lst has group
        permissions. Should be 0600
--FAIL-- [boot02] The configuration file /boot/grub/menu.lst has world
        permissions. Should be 0600
--WARN-- [boot06] The Grub bootloader does not have a password configured.

# Checking for vulnerabilities in inittab configuration...

# Checking for correct umask settings for init scripts...
--FAIL-- [misc017f] The umask setting in /etc/csh.login for the init scripts
        is insecure
--FAIL-- [misc017f] The umask setting in /etc/profile for the init scripts is
        insecure

# Checking Logins not used on the system ...

# Checking network configuration
--FAIL-- [lin010f] The system is configured to answer to ICMP broadcasts
--WARN-- [lin012w] The system accepts ICMP redirection messages
--FAIL-- [lin013f] The system is not protected against Syn flooding attacks
--FAIL-- [lin016f] The system permits source routing from incoming packets
--WARN-- [lin017w] The system is not configured to log suspicious (martian)
        packets
--FAIL-- [lin019f] The system does not have any local firewall rules
        configured


DaveQB 02-22-2007 01:57 AM

Code:


# Verifying system specific password checks...
--WARN-- [pass19w] Login ID root does not have password aging enabled.
--WARN-- [pass19w] Login ID bin does not have password aging enabled.
--WARN-- [pass19w] Login ID anniversary does not have password aging enabled.
--WARN-- [pass19w] Login ID ben does not have password aging enabled.
--WARN-- [pass19w] Login ID biz does not have password aging enabled.
--WARN-- [pass19w] Login ID coach does not have password aging enabled.
--WARN-- [pass19w] Login ID david does not have password aging enabled.
--WARN-- [pass19w] Login ID dennis does not have password aging enabled.
--WARN-- [pass19w] Login ID info does not have password aging enabled.
--WARN-- [pass19w] Login ID intricateone does not have password aging enabled.
--WARN-- [pass19w] Login ID jacqueline does not have password aging enabled.
--WARN-- [pass19w] Login ID jacwar does not have password aging enabled.
--WARN-- [pass19w] Login ID jj does not have password aging enabled.
--WARN-- [pass19w] Login ID jobs does not have password aging enabled.
--WARN-- [pass19w] Login ID jw does not have password aging enabled.
--WARN-- [pass19w] Login ID lee44 does not have password aging enabled.
--WARN-- [pass19w] Login ID marie does not have password aging enabled.
--WARN-- [pass19w] Login ID mrx does not have password aging enabled.
--WARN-- [pass19w] Login ID nath18 does not have password aging enabled.
--WARN-- [pass19w] Login ID rick51 does not have password aging enabled.
--WARN-- [pass19w] Login ID robyn does not have password aging enabled.
--WARN-- [pass19w] Login ID rwebster does not have password aging enabled.
--WARN-- [pass19w] Login ID sam does not have password aging enabled.
--WARN-- [pass19w] Login ID spamd does not have password aging enabled.
--WARN-- [pass19w] Login ID steve21 does not have password aging enabled.
--WARN-- [pass19w] Login ID tak does not have password aging enabled.
--WARN-- [pass19w] Login ID te22 does not have password aging enabled.
--WARN-- [pass19w] Login ID test does not have password aging enabled.
--WARN-- [pass19w] Login ID totalsuccess does not have password aging enabled.
--WARN-- [pass19w] Login ID tut96 does not have password aging enabled.
--WARN-- [pass19w] Login ID walton60 does not have password aging enabled.
--WARN-- [pass19w] Login ID neill does not have password aging enabled.

# Checking OS release...

# Checking installed packages vs Debian Security Advisories...

# Checking md5sums of installed files
--FAIL-- [lin005f] Installed file `/var/lib/rkhunter/db/mirrors.dat' checksum
        differs from installed package 'rkhunter'.
--FAIL-- [lin005f] Installed file `/var/lib/rkhunter/db/os.dat' checksum
        differs from installed package 'rkhunter'.
--FAIL-- [lin005f] Installed file `/var/lib/rkhunter/db/programs_good.dat'
        checksum differs from installed package 'rkhunter'.
--FAIL-- [lin005f] Installed file `/var/lib/rkhunter/db/defaulthashes.dat'
        checksum differs from installed package 'rkhunter'.

# Checking installed files against packages...
--WARN-- [lin001w] File
        `/lib/modules/2.6.8-3-686/kernel/drivers/net/F5D5005.ko' does not
        belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.8-3-686/misc/vmmon.o' does not
        belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.8-3-686/misc/vmnet.o' does not
        belong to any package.
--WARN-- [lin001w] File `/usr/sbin/vmware-authd' does not belong to any
        package.
--WARN-- [lin001w] File `/usr/sbin/vmware-serverd' does not belong to any
        package.
--WARN-- [lin001w] File `/usr/bin/nosetests' does not belong to any package.
--WARN-- [lin001w] File `/usr/bin/vmware-uninstall.pl' does not belong to any
        package.
--WARN-- [lin001w] File `/usr/bin/vmnet-bridge' does not belong to any
        package.
--WARN-- [lin001w] File `/usr/bin/vmnet-sniffer' does not belong to any
        package.
--WARN-- [lin001w] File `/usr/bin/vmnet-netifup' does not belong to any
        package.
--WARN-- [lin001w] File `/usr/bin/vmnet-dhcpd' does not belong to any package.
--WARN-- [lin001w] File `/usr/bin/vmware-loop' does not belong to any package.
--WARN-- [lin001w] File `/usr/bin/vmware' does not belong to any package.
--WARN-- [lin001w] File `/usr/bin/vmrun' does not belong to any package.
--WARN-- [lin001w] File `/usr/bin/vmware-mount.pl' does not belong to any
        package.
--WARN-- [lin001w] File `/usr/bin/vmware-config.pl' does not belong to any
        package.
--WARN-- [lin001w] File `/usr/bin/vmware-vdiskmanager' does not belong to any
        package.
--WARN-- [lin001w] File `/usr/bin/vmware-ping' does not belong to any package.
--WARN-- [lin001w] File `/usr/bin/vmnet-natd' does not belong to any package.
--WARN-- [lin001w] File `/usr/bin/vmware-cmd' does not belong to any package.
--WARN-- [lin001w] File `/usr/bin/vmware-authtrusted' does not belong to any
        package.
--WARN-- [lin001w] File `/usr/bin/vm-support' does not belong to any package.
--WARN-- [lin001w] File `/usr/bin/paster' does not belong to any package.
--WARN-- [lin001w] File `/usr/bin/cheetah-compile' does not belong to any
        package.
--WARN-- [lin001w] File `/usr/bin/cheetah' does not belong to any package.
--WARN-- [lin001w] File `/usr/bin/easy_install' does not belong to any
        package.
--WARN-- [lin001w] File `/usr/bin/easy_install-2.3' does not belong to any
        package.

# Performing check of root directory...

# Checking device permissions...
--WARN-- [dev003w] The directory /dev/80gig resides in a device directory.
--WARN-- [dev003w] The directory /dev/i2o resides in a device directory.
--FAIL-- [dev002f] /dev/log has world permissions
--WARN-- [dev003w] The directory /dev/mainsystem resides in a device
        directory.

# Checking for existence of log files...
--FAIL-- [logf005f] Log file /var/log/btmp permission should be 660

# Checking for correct umask settings...

# Checking listening processes
--WARN-- [lin002i] The process `apcupsd' is listening on socket 3551 (TCP) on
        every interface.
--WARN-- [lin002i] The process `cupsd' is listening on socket 631 (TCP) on
        every interface.
--WARN-- [lin002i] The process `cupsd' is listening on socket 631 (UDP) on
        every interface.
--WARN-- [lin003w] The process `dnsmasq' is listening on socket 53 (TCP on
        every interface) is run by nobody.
--WARN-- [lin003w] The process `dnsmasq' is listening on socket 32768 (UDP on
        every interface) is run by nobody.
--WARN-- [lin003w] The process `dnsmasq' is listening on socket 53 (UDP on
        every interface) is run by nobody.
--WARN-- [lin003w] The process `dnsmasq' is listening on socket 67 (UDP on
        every interface) is run by nobody.
--WARN-- [lin002i] The process `dovecot' is listening on socket 143 (TCP) on
        every interface.
--WARN-- [lin003w] The process `gkrellmd' is listening on socket 19150 (TCP on
        every interface) is run by gkrellmd.
--WARN-- [lin003w] The process `imap-login' is listening on socket 143 (TCP on
        every interface) is run by dovecot.
--WARN-- [lin002i] The process `inetd' is listening on socket 113 (TCP) on
        every interface.
--WARN-- [lin002i] The process `inetd' is listening on socket 902 (TCP) on
        every interface.
--WARN-- [lin002i] The process `master' is listening on socket 25 (TCP) on
        every interface.
--WARN-- [lin002i] The process `miniserv.pl' is listening on socket 10000
        (TCP) on every interface.
--WARN-- [lin002i] The process `miniserv.pl' is listening on socket 10000
        (UDP) on every interface.
--WARN-- [lin002i] The process `munin-node' is listening on socket 4949 (TCP)
        on every interface.
--WARN-- [lin003w] The process `mysqld' is listening on socket 3306 (TCP on
        loopback interface) is run by mysql.
--WARN-- [lin002i] The process `nmbd' is listening on socket 137 (UDP) on
        every interface.
--WARN-- [lin002i] The process `nmbd' is listening on socket 138 (UDP) on
        every interface.
--WARN-- [lin003w] The process `portmap' is listening on socket 111 (TCP on
        every interface) is run by daemon.
--WARN-- [lin003w] The process `portmap' is listening on socket 111 (UDP on
        every interface) is run by daemon.
--WARN-- [lin003w] The process `privoxy' is listening on socket 8118 (TCP on
        loopback interface) is run by privoxy.
--WARN-- [lin002i] The process `rpc.mountd' is listening on socket 682 (TCP)
        on every interface.
--WARN-- [lin002i] The process `rpc.mountd' is listening on socket 679 (UDP)
        on every interface.
--WARN-- [lin002i] The process `rpc.statd' is listening on socket 939 (TCP) on
        every interface.
--WARN-- [lin002i] The process `rpc.statd' is listening on socket 933 (UDP) on
        every interface.
--WARN-- [lin002i] The process `rpc.statd' is listening on socket 936 (UDP) on
        every interface.
--WARN-- [lin002i] The process `slapd' is listening on socket 389 (TCP) on
        every interface.
--WARN-- [lin002i] The process `smbd' is listening on socket 139 (TCP) on
        every interface.
--WARN-- [lin002i] The process `smbd' is listening on socket 445 (TCP) on
        every interface.
--WARN-- [lin003w] The process `sshd' is listening on socket 6010 (TCP on
        loopback interface) is run by david.
--WARN-- [lin003w] The process `sshd' is listening on socket 6011 (TCP on
        loopback interface) is run by david.

# Checking sshd_config configuration files...

# Checking printer configuration files...
--ERROR-- [init006e] `/etc/printcap' does not exist (file src).
--ERROR-- [init006e] `/etc/printcap' does not exist (file infile).

# Performing common access checks for root...
--FAIL-- [netw020f] There is no /etc/ftpusers file.

# Checking ntpd configuration...

# Checking unusual file names...
--ALERT-- [fsys005a] Unusual filename `.Equip 2003.index' found:
-rwxrwxr-x  1 david 501 493 Jan  8 00:22 /home/david/Mail/.Equip 2003.index
--ALERT-- [fsys005a] Unusual filename `.Equip 2003.index.ids' found:
-rwxrwxr-x  1 david 501 41 Jan  8 00:22 /home/david/Mail/.Equip 2003.index.ids
--ALERT-- [fsys005a] Unusual filename `.Oz Team.index' found:
-rwxrwxr-x  1 david 501 13139 Jan  8 00:22 /home/david/Mail/.Oz Team.index
--ALERT-- [fsys005a] Unusual filename `.Oz Team.index.ids' found:
-rwxrwxr-x  1 david 501 153 Jan  8 00:22 /home/david/Mail/.Oz Team.index.ids
--ALERT-- [fsys005a] Unusual filename `.Sent Items.index' found:
-rwxrwxr-x  1 david 501 277 Jan  8 00:22 /home/david/Mail/.Sent Items.index
--ALERT-- [fsys005a] Unusual filename `.Sent Items.index.ids' found:
-rwxrwxr-x  1 david 501 37 Jan  8 00:22 /home/david/Mail/.Sent Items.index.ids
--ALERT-- [fsys005a] Unusual filename `.Uni Work.index' found:
-rwxrwxr-x  1 david 501 1337 Jan  8 00:22 /home/david/Mail/.Uni Work.index
--ALERT-- [fsys005a] Unusual filename `.Uni Work.index.ids' found:
-rwxrwxr-x  1 david 501 53 Jan  8 00:22 /home/david/Mail/.Uni Work.index.ids
--ALERT-- [fsys005a] Unusual filename `.exe summary.autosave.kwd' found:
-rwxrwxrwx  1 david 501 9939 Jun  1  2005 /home/david/uni/2005 1st Semester/Account IS/group/.exe summary.autosave.kwd
--ALERT-- [fsys005a] Unusual filename `.marking guidleine.xls.autosave.ksp'
          found:
-rwxrwxrwx  1 david 501 15968 Jun  1  2005 /home/david/uni/2005 1st Semester/BISD1/group/.marking guidleine.xls.autosave.ksp
--ALERT-- [fsys005a] Unusual filename `.Equip 2003.index' found:
-rwxr-xr-x  1 david root 493 Jul 26  2006 /mnt/store/MAIL/david/Mail/.Equip 2003.index
--ALERT-- [fsys005a] Unusual filename `.Equip 2003.index.ids' found:
-rwxr-xr-x  1 david root 41 Jul 26  2006 /mnt/store/MAIL/david/Mail/.Equip 2003.index.ids
--ALERT-- [fsys005a] Unusual filename `.Oz Team.index' found:
-rwxr-xr-x  1 david root 13139 Jul 26  2006 /mnt/store/MAIL/david/Mail/.Oz Team.index
--ALERT-- [fsys005a] Unusual filename `.Oz Team.index.ids' found:
-rwxr-xr-x  1 david root 153 Jul 26  2006 /mnt/store/MAIL/david/Mail/.Oz Team.index.ids
--ALERT-- [fsys005a] Unusual filename `.Sent Items.index' found:
-rwxr-xr-x  1 david root 277 Jul 26  2006 /mnt/store/MAIL/david/Mail/.Sent Items.index
--ALERT-- [fsys005a] Unusual filename `.Sent Items.index.ids' found:
-rwxr-xr-x  1 david root 37 Jul 26  2006 /mnt/store/MAIL/david/Mail/.Sent Items.index.ids
--ALERT-- [fsys005a] Unusual filename `.Uni Work.index' found:
-rwxr-xr-x  1 david root 1337 Jul 26  2006 /mnt/store/MAIL/david/Mail/.Uni Work.index
--ALERT-- [fsys005a] Unusual filename `.Uni Work.index.ids' found:
-rwxr-xr-x  1 david root 53 Jul 26  2006 /mnt/store/MAIL/david/Mail/.Uni Work.index.ids
--ALERT-- [fsys005a] Unusual filename `..tmp_kallsyms1.o.cmd' found:
-rw-r--r--  1 root root 561 Jan  4 23:53 /root/dev/linux-2.6.19.1/..tmp_kallsyms1.o.cmd
--ALERT-- [fsys005a] Unusual filename `..tmp_kallsyms2.o.cmd' found:
-rw-r--r--  1 root root 561 Jan  4 23:54 /root/dev/linux-2.6.19.1/..tmp_kallsyms2.o.cmd
--ALERT-- [fsys005a] Unusual filename `..tmp_vmlinux1.cmd' found:
-rw-r--r--  1 root root 634 Jan  4 23:53 /root/dev/linux-2.6.19.1/..tmp_vmlinux1.cmd
--ALERT-- [fsys005a] Unusual filename `..tmp_vmlinux2.cmd' found:
-rw-r--r--  1 root root 650 Jan  4 23:53 /root/dev/linux-2.6.19.1/..tmp_vmlinux2.cmd
--ALERT-- [fsys005a] Unusual filename `..tmp_kallsyms1.o.cmd' found:
-rw-r--r--  1 root root 433 Jan  5 17:33 /usr/src/kernel-source-2.6.8/..tmp_kallsyms1.o.cmd
--ALERT-- [fsys005a] Unusual filename `..tmp_kallsyms2.o.cmd' found:
-rw-r--r--  1 root root 433 Jan  5 17:33 /usr/src/kernel-source-2.6.8/..tmp_kallsyms2.o.cmd
--ALERT-- [fsys005a] Unusual filename `..tmp_vmlinux1.cmd' found:
-rw-r--r--  1 root root 608 Jan  5 17:33 /usr/src/kernel-source-2.6.8/..tmp_vmlinux1.cmd
--ALERT-- [fsys005a] Unusual filename `..tmp_vmlinux2.cmd' found:
-rw-r--r--  1 root root 624 Jan  5 17:33 /usr/src/kernel-source-2.6.8/..tmp_vmlinux2.cmd


# Looking for unusual device files...

# Checking symbolic links...
--WARN-- [xxxxx] The following files are unowned:
/home/brock83/.bash_logout
/home/brock83/.bash_profile
/home/brock83/.bashrc
/home/brock83/.gimp-1.2
/home/brock83/.gimp-1.2/printrc
/home/brock83/.mailcap
/home/brock83/.screenrc
/home/brock83/tmp
/home/dbnfl/.bash_logout
/home/dbnfl/.bash_profile
/home/dbnfl/.bashrc
/home/dbnfl/.screenrc
/home/dbnfl/tmp
/home/metadot/.bash_history
/home/metadot/.bash_logout
/home/metadot/.bash_profile
/home/metadot/.bashrc
/home/metadot/.screenrc
/home/metadot/tmp
/home/misspurple/.bash_logout
/home/misspurple/.bash_profile
/home/misspurple/.bashrc
/home/misspurple/.gimp-1.2
/home/misspurple/.gimp-1.2/printrc
/home/misspurple/.mailcap
/home/misspurple/.screenrc
/home/misspurple/tmp
/home/neill/.bash_logout
/home/neill/.bash_profile
/home/neill/.bashrc
/home/neill/.screenrc
/home/neill/tmp
/home/surveys/.bash_logout
/home/surveys/.bash_profile
/home/surveys/.bashrc
/home/surveys/.screenrc
/home/surveys/tmp
/home/wapcaplet/.Xauthority
/home/wapcaplet/.bash_history
/home/wapcaplet/.bash_logout
/home/wapcaplet/.bash_profile
/home/wapcaplet/.bashrc
/home/wapcaplet/.screenrc
/home/wapcaplet/.viminfo
/home/wapcaplet/tmp
/varold/www/rc/roundcubemail-0.1beta2/._CHANGELOG
/varold/www/rc/roundcubemail-0.1beta2/.htaccess
/varold/www/rc/roundcubemail-0.1beta2/.htaccess


# Performing check of embedded pathnames...
--WARN-- [embed003w] Path `/var/lib/mailman/bin/list_lists' contains
        `/var/lib/mailman' which is group `list' writable.
        Embedded references in: /etc/init.d/mailman
15:56> Security report completed for server.


Obviously there is lots I can fix there, but does anything stand out as a way "in" to my server?

