Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
02-10-2005, 08:05 PM #1
Member
Registered: Jun 2004
Distribution: Fedora Core1
Posts: 63
Compromised? I can't tell.
I've noticed a few possibly strange things, and I wonder if anybody can help me to understand them.
First of all, I never get the failed ssh logins that everybody is talking about here. I mean never. Shouldn't I be seeing a little bit of that? My machine doesn't respond to pings, so maybe they're just not seeing me, but that seems unlikely since s_kiddies are constantly trying to crack apache.
Second, and more worrisome, is that I have both /etc/sshd and /etc/sshd2 (?) The sshd2.conf file seems pretty weak and differs from my carefully constructed file. What's going on here?
Third, and of even greater concern, rpm -V pam reveals that some files have been changed. The output is this:
S.5....T c /etc/pam.d/system-auth
S.?..... /lib/security/pam_filter/upperLOWER
S.?..... /sbin/pam_timestamp_check
What does this mean? Looks to me like something important has changed.
Fourth, in my /tmp directory there are a bunch of subdirectories like
ssh-M0(JFG)#K, many of which appear to be months old. Should these be there??? As far as I know, nobody has ever made an ssh connection to my machine.
Fifth, netstat is giving me this:
tcp 1 0 localhost.localdo:32789 localhost.localdoma:ipp CLOSE_WAIT
Why is localhost.localdomain showing up in the foreign column? Why is ipp showing up in the internet section? Doesn't ipp have something to do with printers?
Finally, users outputs this:
myusername myusername
Why are there two of me? I use strong passwords of 15 or more very random characters so I'm pretty sure that a brute force attack would be fruitless. It's the finesse attacks that worry me because I don't fully understand them.
There are other things, too. Why are there rc, rc0, rc1... rc6 in the /etc directory? I never noticed this before. I read somewhere that crackers often make copies of things, so could this, along with the two sshd programs be an indication of problems?
Everything seems to be running OK, and I don't have any super-sensitive data on the machine. Should I worry? If I'm just being paranoid, please let me know. I can take it.
Thanks.
02-11-2005, 01:39 AM #2
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
run this ASAP: http://www.rootkit.nl/
good luck...
Last edited by win32sux; 02-11-2005 at 01:42 AM.
02-11-2005, 08:16 AM #3
Member
Registered: Jun 2004
Distribution: Fedora Core1
Posts: 63
Original Poster
Thanks. That program didn't find anything except a few hidden directories under /etc -- /.java /.aumixrc and /.pwd.lock
Should I be worried about any of these? Strangely, when I try to navigate to .pwd.lock, I get a "no such file or directory." What now?
[edit - add]
One thing that does concern me is the rpm -V pam that I ran that showed it had changed, but Rootkit Hunter didn't have anything to say about that. Anyone know what this could mean?
Last edited by Chuck23; 02-11-2005 at 08:23 AM.
02-11-2005, 08:22 AM #4
Member
Registered: Jun 2004
Location: Lithuania
Distribution: FreeBSD, Arch, Ubuntu
Posts: 145
.pwd.lock
In my fresh Arch machine (4 minutes online) I have /etc/.pwd.lock too, so I think you shouldn't worry about this.
02-11-2005, 10:19 AM #5
Senior Member
Registered: Dec 2000
Location: Gothenburg, SWEDEN
Distribution: OpenSUSE 10.3
Posts: 1,028
You can't find any failed ssh tries in the /var/log/messages file?
Are there any signs there of successful attempts?
02-11-2005, 04:35 PM #6
Member
Registered: Jun 2004
Distribution: Fedora Core1
Posts: 63
Original Poster
Except for the strange files in /tmp, there are no signs whatsoever of successful remote logins.
02-12-2005, 03:02 AM #7
Senior Member
Registered: Jan 2004
Location: Roughly 29.467N / 81.206W
Distribution: OpenBSD, Debian, FreeBSD
Posts: 1,450
rc[0-6]
DO NOT change these unless you know what you are doing. This is part of the bootup system of linux. Each one corresponds to the scripts that are run at each of the runlevels specified by their number. This is not to say they haven't been modified by someone but their existence is essential.
In my opinion, you are being a little paranoid -- which can be a good thing. I'm not sure what generated the temp files but they don't seem like a large concern to me (at the very least a cracker this competent would have made them hidden).
The reason there are two of you? Probably because you have an xterm window open or whatever. Anyway... it is not odd.
My only suggestion, if you don't use sshd yourself... turn it off.
02-12-2005, 04:01 PM #8
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Quote:
Originally posted by Chuck23
Third, and of even greater concern, rpm -V pam reveals that some files have been changed. The output is this:
S.5....T c /etc/pam.d/system-auth
S.?..... /lib/security/pam_filter/upperLOWER
S.?..... /sbin/pam_timestamp_check
The RPM md5sums will be different if you've updated your system with security patches. For FC1 there have been a number of updates and therefore a number of files will fail the RPM check. This is entirely normal. I know that pam system-auth was updated, but if you want to be extra-thorough, check the contents and file attributes of upperLOWER and pam_timestamp_check using the strings command. Rootkit hunter likely doesn't complain because it uses md5sums that are constantly being updated with new values when updates are released. Unless you manually update the rpm database, then the original hash values will be retained.
Quote:
Originally posted by Chuck23
Fifth, netstat is giving me this:
tcp 1 0 localhost.localdo:32789 localhost.localdoma:ipp CLOSE_WAIT
Why is localhost.localdomain showing up in the foreign column? Why is ipp showing up in the internet section? Doesn't ipp have something to do with printers?
This is entirely normal as well. IPP stands for "internet printing protocol" and is one of the linux printing daemons. When you print a document, netstat should show one or more connections from localhost to localhost. This is just how IPP works when you print a document locally.
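As an added example (not from anyone in the thread), a small POSIX shell script that decodes the `rpm -V` attribute column quoted above and triages each line the way the reply describes: drift in a %config file is expected after edits and updates, while a changed or untestable binary or library is flagged for a closer check. The flag and file-class letters follow rpm(8); the three input lines are the ones from the thread, embedded as constructed input.

```shell
#!/bin/sh
# Decode and triage `rpm -V` output lines such as "S.5....T c /etc/pam.d/system-auth".
# Attribute column (rpm(8)): S size, M mode, 5 digest, D device, L symlink, U user,
# G group, T mtime, P capabilities; '.' = test passed, '?' = test could not be run
# (typically the file is unreadable when rpm -V is not run as root).
# Optional class letter after the flags: c config, d doc, g ghost, l license, r readme.

decode_rpmv_flags() {
    rest=$1
    out=""
    while [ -n "$rest" ]; do
        ch=${rest%"${rest#?}"}          # first character of the remaining flags
        rest=${rest#?}
        case $ch in
            S) out="$out size" ;;         M) out="$out mode" ;;
            5) out="$out digest" ;;       D) out="$out device" ;;
            L) out="$out symlink" ;;      U) out="$out user" ;;
            G) out="$out group" ;;        T) out="$out mtime" ;;
            P) out="$out capabilities" ;; '?') out="$out untestable" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# Verdict per line: a %config file drifting after edits or updates is "expected";
# a non-config file whose only change is mtime is "ok"; anything else (size, digest,
# mode, owner, a missing file, or a test that could not run) is "review": rerun as
# root and compare against the package (rpm -qf PATH; rpm -Vp PKG.rpm) before trusting it.
classify_rpmv_line() {
    set -- $1
    flags=$1; shift
    case $1 in c|d|g|l|r) ftype=$1; shift ;; *) ftype="-" ;; esac
    path=$1
    if [ "$flags" = missing ]; then desc=missing; verdict=review
    else
        desc=$(decode_rpmv_flags "$flags")
        changed=$(printf '%s' "$flags" | tr -d '.T')   # drop "passed" and mtime markers
        if [ "$ftype" = c ]; then verdict=expected
        elif [ -n "$changed" ]; then verdict=review
        else verdict=ok; fi
    fi
    printf '%s %s (%s)\n' "$verdict" "$path" "$desc"
}

# Constructed input: the three lines quoted in the thread.
printf '%s\n' 'S.5....T c /etc/pam.d/system-auth' \
              'S.?..... /lib/security/pam_filter/upperLOWER' \
              'S.?..... /sbin/pam_timestamp_check' |
while IFS= read -r line; do classify_rpmv_line "$line"; done
```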
02-14-2005, 07:45 AM #9
Member
Registered: Jun 2004
Distribution: Fedora Core1
Posts: 63
Original Poster
Thanks to all.
I kind of thought that pam had been changed during a normal update, but I guess I just needed reassurance. RK Hunter is a great little utility that will be most helpful. sshd will be turned on only when needed. I feel much better now.
But I still see two of me even in RL 3. Strange... but not worth worrying about.
02-14-2005, 11:53 AM #10
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Quote:
Originally posted by Chuck23
But I still see two of me even in RL 3.
That's normal. It has to do with the way wtmp logging works. If you run 'who' instead of 'users' it shows which terminal those users are logged into. If you have multiple pseudo-terminals (pts) open you'll see multiple instances of that username. You can prove this to yourself by starting X and running 'users' and 'who' (you should see at least 2 sessions, 1 for the shell, 1 for the X session). Open an xterm and run 'who' and 'users' again, you'll see that another session has been added. Also failing to properly log out of a remote shell session (like ssh) can leave a pseudoterm open.
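As an added example (not from anyone in the thread), a short POSIX shell script that groups constructed `who` output per user, showing how several pseudo-terminals behind one X session produce the repeated name, and separately counting sessions whose origin is a remote host rather than a local display. The sample `who` lines and the host address in them are made up for the example.

```shell
#!/bin/sh
# Group `who` output per user to show why `users` lists the same name more than once.
# who(1) prints: USER  TTY  LOGIN-TIME  [(ORIGIN)]; the bracketed origin appears only
# for remote logins (host name or address) and X sessions (":0", ":0.0").

# Constructed sample (not the thread's machine): one console login, two xterms on the
# local X display, one pseudo-terminal opened from a remote host, and a root console.
WHO_SAMPLE='myusername tty1     Feb 14 08:01
myusername pts/0    Feb 14 08:02 (:0.0)
myusername pts/1    Feb 14 08:02 (:0.0)
myusername pts/2    Feb 13 22:40 (192.0.2.7)
root       tty2     Feb 14 09:00'

# One line per user, sorted by name: session count, the ttys behind those sessions,
# and how many came from a remote origin (a parenthesised origin not starting with ':').
summarize_who() {
    printf '%s\n' "$1" | awk '
        NF >= 2 {
            user = $1; tty = $2; origin = ""
            if ($NF ~ /^\(.*\)$/) origin = substr($NF, 2, length($NF) - 2)
            n[user]++
            ttys[user] = (n[user] > 1) ? ttys[user] "," tty : tty
            if (origin != "" && origin !~ /^:/) remote[user]++
        }
        END {
            for (u in n) printf "%s %d %s remote=%d\n", u, n[u], ttys[u], remote[u] + 0
        }' | sort
}

summarize_who "$WHO_SAMPLE"
```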
02-15-2005, 03:25 AM #11
Member
Registered: Feb 2005
Posts: 40
does X always run as root? it doesn't seem like a very good idea to let an unprivileged user run a program that assumes root privileges.. i just noticed today with top that X had root privileges
02-15-2005, 07:33 AM #12
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally posted by rhoyerboat
does X always run as root? it doesn't seem like a very good idea to let an unprivileged user run a program that assumes root privileges.. i just noticed today with top that X had root privileges
i believe that only the X server is run as root... the X apps are executed as the unprivileged user... take a look at your processes and you should see something like this:
Code:
bash-3.00$ ps aux | grep X11
root 167 0.0 0.4 3196 1112 ? Ss Feb14 0:00 /usr/X11R6/bin/xdm -nodaemon
root 170 1.4 12.6 68504 32324 ? RL Feb14 17:47 /usr/X11R6/bin/X -auth /usr/X11R6/lib/X11/xdm/authdir/authfiles/A:0-keyqKS
win32sux 182 0.0 0.4 2332 1220 ? S Feb14 0:00 /bin/sh /etc/X11/xinit/xinitrc
as you can see, the xinitrc is executed as the unprivileged user, hence the X apps will be run unprivileged... in my case i'm using the XFCE window manager, for example:
Code:
bash-3.00$ ps aux | grep xf
win32sux 217 0.0 1.8 11376 4684 ? Ss Feb14 0:04 xfce-mcs-manager
win32sux 219 0.0 1.9 9808 4920 ? S Feb14 0:05 xfwm4 --daemon
win32sux 220 0.0 2.2 10112 5744 ? S Feb14 0:07 xftaskbar4
win32sux 221 0.0 1.9 11260 4956 ? S Feb14 0:04 xfdesktop
win32sux 222 0.0 2.0 9976 5336 ? S Feb14 0:01 xfcalendar
win32sux 224 0.0 2.7 11972 6924 ? S Feb14 0:01 /usr/bin/xfce4-panel
Last edited by win32sux; 02-15-2005 at 07:38 AM.