"Outbound" messages and checksecurity.log setuid changes
 

I am using ubuntu 10.04 on an iMac 7.1. What do the following log entries mean? I recently had a "sbin/init infected" alarm with chkrootkit (or rkhunter, I forget which) and reinstalled, and I thought I was rid of the problem, whatever it was (could have been a kernel panic), but now the checksecurity setuid stuff reappeared (the checksecurity.log only appears in the log file viewer after resetting it with gconftool-2 --recursive-unset /apps/gnome-system-log, which seems suspicious; why is the log hidden by default?); also there are "outbound" messages that I don't understand. I have another ubuntu install on another Mac which seems to be unaffected (and also has checksecurity installed; I just ran it manually and also got setuid stuff, but there is no "outbound" and ufw.log is empty). I can't really think I have a rootkit (I don't notice any effects except these anomalous logfiles, and my browsing habits don't include sleazy websites). And what exactly are bound sockets? There is a lot of information about sockets on the net but it's all rather technical. I continue to look of course. I ran chkrootkit and rkhunter again, and they read clean (if I can trust them).

Is it possible that the trouble is related to the Mac's BIOS emulation? (Apple does not seem to take security very seriously; Snow Leopard does not even ask for a password for Software Update - I asked my premium reseller and he confirmed it. I should not be surprised to find out that the iMac's BIOS emulation is unsafe. I'll need to get a real computer). The MacBook Pro 5.1 has a newer firmware (for instance, it will boot ubuntu from external disks which the iMac will not), and as I said that install seems to be unaffected (The setuid stuff is probably normal, but I'm not sure the "outbound" messages are). I use grub legacy, which seems to install to the Mac's EFI partition as /dev/sda (GParted shows 18.1 MB of 200MB used on both computers with ubuntu on them, whereas an HFS+ disk without ubuntu, or with GRUB in a partition, will show 3.09 MB used).

Does it make sense to reconfigure checksecurity to check for setuid changes daily (change CHECK_WEEKLY="SETUID" in /etc/checksecurity.conf to CHECK_DAILY="SETUID")?



checksecurity.log:

ubuntu changes to TCP/UDP bound sockets:
--- sockets.today 2010-08-10 09:24:09.018519794 +0200
+++ /var/log/checksecurity/sockets.new.tmp 2010-08-10 09:24:09.098526610 +0
200
@@ -0,0 +1,7 @@
+
+The following programs have got bound sockets:
+avahi-dae avahi 0t0 UDP *:38185
+avahi-dae avahi 0t0 UDP *:5353
+cupsd root 0t0 TCP 127.0.0.1:631 (LISTEN)
+cupsd root 0t0 TCP [::1]:631 (LISTEN)
+master root 0t0 TCP 127.0.0.1:25 (LISTEN)
ubuntu changes to setuid programs and devices:
--- setuid.today 2010-08-10 09:27:56.654518852 +0200
+++ /var/log/setuid/setuid.new.tmp 2010-08-10 09:27:56.650519391 +0200
@@ -0,0 +1,58 @@
+ 524742 4755 1 root root 26240 Wed Jan 27 01:26:26.0000000000 2010 ./bin/fusermount
+ 524763 4755 1 root root 72188 Mon Mar 22 18:51:03.0000000000 2010 ./bin/mount
+ 524775 4755 1 root root 34756 Fri Mar 12 00:12:17.0000000000 2010 ./bin/ping
+ 524776 4755 1 root root 26456 Fri Mar 12 00:12:17.0000000000 2010 ./bin/ping6
+ 524789 4755 1 root root 31100 Tue Jan 26 18:09:45.0000000000 2010 ./bin/su
+ 524797 4755 1 root root 51208 Mon Mar 22 18:51:03.0000000000 2010 ./bin/umount
+ 393658 4754 1 root messagebus 42492 Tue Mar 30 17:07:30.0000000000 2010 ./lib/dbus-1.0/dbus-daemon-launch-helper
+ 529765 600 1 root root 0 Thu Apr 29 14:18:33.0000000000 2010 ./lib/udev/devices/console
+ 529768 600 1 root root 0 Thu Apr 29 14:18:33.0000000000 2010 ./lib/udev/devices/loop0
+ 529778 600 1 root root 0 Thu Apr 29 14:18:33.0000000000 2010 ./lib/udev/devices/net/tun
+ 529769 600 1 root root 0 Thu Apr 29 14:18:33.0000000000 2010 ./lib/udev/devices/null
+ 529770 600 1 root root 0 Thu Apr 29 14:18:33.0000000000 2010 ./lib/udev/devices/ppp
+ 274 2755 1 root shadow 30344 Wed Jul 7 22:13:12.0000000000 2010 ./sbin/unix_chkpwd
+ 290 6755 1 root root 9664 Fri Apr 9 01:53:51.0000000000 2010 ./usr/bin/X
+ 362 4755 1 root root 13820 Fri Mar 12 00:12:17.0000000000 2010 ./usr/bin/arping
+ 369 6755 1 daemon daemon 42812 Fri Mar 5 03:35:06.0000000000 2010 ./usr/bin/at
+ 414 2755 1 root tty 9708 Tue Nov 10 17:12:57.0000000000 2009 ./usr/bin/bsd-write
+ 443 2755 1 root shadow 53428 Tue Jan 26 18:09:43.0000000000 2010 ./usr/bin/chage
+ 450 4755 1 root root 36180 Tue Jan 26 18:09:43.0000000000 2010 ./usr/bin/chfn
+ 453 4755 1 root root 31700 Tue Jan 26 18:09:43.0000000000 2010 ./usr/bin/chsh
+ 495 2755 1 root crontab 31656 Thu Apr 15 01:29:01.0000000000 2010 ./usr/bin/crontab
+ 628 2755 1 root mail 13924 Thu Jan 14 17:51:09.0000000000 2010 ./usr/bin/dotlockfile
+ 696 2755 1 root shadow 18104 Tue Jan 26 18:09:43.0000000000 2010 ./usr/bin/expiry
+ 726 4755 1 root root 11214 Fri Jan 29 01:42:21.0000000000 2010 ./usr/bin/fileshareset
+ 766 4755 1 root root 26356 Tue Feb 2 08:57:46.0000000000 2010 ./usr/bin/fping
+ 767 4755 1 root root 26388 Tue Feb 2 08:57:46.0000000000 2010 ./usr/bin/fping6
+ 1053 4755 1 root root 53812 Tue Jan 26 18:09:43.0000000000 2010 ./usr/bin/gpasswd
+ 1265 4755 1 root root 9644 Fri Jan 29 02:17:54.0000000000 2010 ./usr/bin/kgrantpty
+ 1286 4755 1 root root 9676 Fri Jan 29 02:17:54.0000000000 2010 ./usr/bin/kpac_dhcp_helper
+ 1364 4755 1 root lpadmin 13540 Fri Jun 18 17:08:57.0000000000 2010 ./usr/bin/lppasswd
+ 1392 2755 3 root mail 9760 Thu Jan 14 17:51:59.0000000000 2010 ./usr/bin/mail-lock
+ 1392 2755 3 root mail 9760 Thu Jan 14 17:51:59.0000000000 2010 ./usr/bin/mail-touchlock
+ 1392 2755 3 root mail 9760 Thu Jan 14 17:51:59.0000000000 2010 ./usr/bin/mail-unlock
+ 1441 2755 1 root mlocate 30316 Wed Mar 24 11:16:37.0000000000 2010 ./usr/bin/mlocate
+ 1456 4755 1 root root 52092 Sun Mar 7 04:17:05.0000000000 2010 ./usr/bin/mtr
+ 1483 4755 1 root root 26784 Tue Jan 26 18:09:45.0000000000 2010 ./usr/bin/newgrp
+ 1556 4755 1 root root 37140 Tue Jan 26 18:09:43.0000000000 2010 ./usr/bin/passwd
+ 1652 4755 1 root root 18048 Fri Apr 9 14:35:30.0000000000 2010 ./usr/bin/pkexec
+ 1901 2755 1 root utmp 340604 Tue Nov 10 19:06:08.0000000000 2009 ./usr/bin/screen
+ 1989 2755 1 root ssh 79240 Wed May 19 18:31:59.0000000000 2010 ./usr/bin/ssh-agent
+ 1997 4755 1 root root 9672 Fri Jan 29 02:17:54.0000000000 2010 ./usr/bin/start_kdeinit
+ 2006 4755 2 root root 127664 Fri Jun 18 22:40:15.0000000000 2010 ./usr/bin/sudo
+ 2006 4755 2 root root 127664 Fri Jun 18 22:40:15.0000000000 2010 ./usr/bin/sudoedit
+ 2080 4755 1 root root 13952 Fri Mar 12 00:12:17.0000000000 2010 ./usr/bin/traceroute6.iputils
+ 2145 2755 1 root tty 13864 Mon Mar 22 18:51:03.0000000000 2010 ./usr/bin/wall
+ 2251 2755 1 root utmp 354444 Wed Mar 31 11:47:31.0000000000 2010 ./usr/bin/xterm
+ 6978 4755 1 root root 5548 Tue Nov 10 01:20:49.0000000000 2009 ./usr/lib/eject/dmcrypt-get-device
+ 7798 2755 1 root mail 9720 Fri Jun 25 12:51:35.0000000000 2010 ./usr/lib/evolution/camel-lock-helper-1.2
+ 10732 4755 1 root root 11019 Sat Nov 21 10:45:13.0000000000 2009 ./usr/lib/kde4/libexec/fileshareset
+ 10744 2755 1 root nogroup 46944 Sun May 9 12:32:13.0000000000 2010 ./usr/lib/kde4/libexec/kdesud
+ 10843 2755 1 root utmp 13980 Wed Jul 14 21:56:15.0000000000 2010 ./usr/lib/libvte9/gnome-pty-helper
+ 10940 4755 1 root root 182464 Wed May 19 18:31:59.0000000000 2010 ./usr/lib/openssh/ssh-keysign
+ 10993 4755 1 root root 9720 Fri Apr 9 14:35:30.0000000000 2010 ./usr/lib/policykit-1/polkit-agent-helper-1
+ 5542 4755 1 root root 9676 Mon Jun 14 16:35:58.0000000000 2010 ./usr/lib/pt_chown
+ 12678 2555 1 root postdrop 13680 Thu Feb 18 07:38:27.0000000000 2010 ./usr/sbin/postdrop
+ 12687 2555 1 root postdrop 13664 Thu Feb 18 07:38:27.0000000000 2010 ./usr/sbin/postqueue
+ 12690 4754 1 root dip 273312 Sun Mar 7 04:59:53.0000000000 2010 ./usr/sbin/pppd
+ 12782 6755 1 libuuid libuuid 13848 Mon Mar 22 18:51:03.0000000000 2010 ./usr/sbin/uuidd
ubuntu changes to TCP/UDP bound sockets:
--- sockets.today 2010-08-10 09:24:09.098526610 +0200
+++ /var/log/checksecurity/sockets.new.tmp 2010-08-11 11:16:32.027556448 +0200
@@ -3,2 +2,0 @@
-avahi-dae avahi 0t0 UDP *:38185
-avahi-dae avahi 0t0 UDP *:5353
@@ -6,0 +5 @@
+dhclient root 5w IPv4 10646 0t0 UDP *:68



messages (part):

Aug 2 00:46:12 ubuntu kernel: [ 2499.597855] sky2 eth1: Link is up at 100 Mbps, full duplex, flow control rx
Aug 2 00:46:30 ubuntu kernel: [ 2518.004237] Outbound IN= OUT=eth1 SRC=10.0.0.1 DST=91.189.94.4 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Aug 2 00:46:31 ubuntu kernel: [ 2519.004242] Outbound IN= OUT=eth1 SRC=10.0.0.1 DST=91.189.94.4 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Aug 2 00:46:32 ubuntu kernel: [ 2520.004241] Outbound IN= OUT=eth1 SRC=10.0.0.1 DST=91.189.94.4 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Aug 2 00:46:33 ubuntu kernel: [ 2521.004222] Outbound IN= OUT=eth1 SRC=10.0.0.1 DST=91.189.94.4 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Aug 2 00:47:29 ubuntu kernel: [ 2576.651290] Outbound IN= OUT=eth1 SRC=10.0.0.1 DST=192.35.244.50 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=16149 DF PROTO=TCP SPT=33773 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 2 00:47:32 ubuntu kernel: [ 2579.648097] Outbound IN= OUT=eth1 SRC=10.0.0.1 DST=192.35.244.50 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=16150 DF PROTO=TCP SPT=33773 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 2 00:47:52 ubuntu kernel: [ 2600.445534] Outbound IN= OUT=eth1 SRC=10.0.0.1 DST=192.35.244.50 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=22869 DF PROTO=TCP SPT=33774 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 2 00:47:55 ubuntu kernel: [ 2603.444098] Outbound IN= OUT=eth1 SRC=10.0.0.1 DST=192.35.244.50 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=22870 DF PROTO=TCP SPT=33774 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 2 00:50:37 ubuntu kernel: [ 2764.864554] sky2 eth1: Link is down.

...

Aug 2 01:18:56 ubuntu kernel: Kernel logging (proc) stopped.

...


# first Outbound message

Aug 2 00:46:30 ubuntu kernel: [ 2518.004237] Outbound IN= OUT=eth1 SRC=10.0.0.1 DST=91.189.94.4 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56

# last outbound message

Aug 2 01:01:33 ubuntu kernel: [ 3421.389250] Outbound IN= OUT=eth1 SRC=10.0.0.1 DST=91.189.90.41 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=63697 DF PROTO=TCP SPT=35115 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0



# ufw log after enabling ufw:

...

Aug 7 11:41:06 ubuntu kernel: [ 973.879353] [UFW BLOCK] IN=eth1 OUT= MAC=00:1b:63:9f:5e:72:00:1f:9f:ce:be:12:08:00 SRC=74.125.77.101 DST=10.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=54222 PROTO=TCP SPT=80 DPT=49318 WINDOW=123 RES=0x00 ACK FIN URGP=0

...


#manual run of checksecurity on other Mac:

Checksecurity.log (complete):

ubuntu1 changes to TCP/UDP bound sockets:
--- sockets.today 2010-08-11 11:04:37.403819865 +0200
+++ /var/log/checksecurity/sockets.new.tmp 2010-08-11 11:04:37.466730353 +0200
@@ -0,0 +1,7 @@
+
+The following programs have got bound sockets:
+avahi-dae avahi 0t0 UDP *:39851
+avahi-dae avahi 0t0 UDP *:5353
+cupsd root 0t0 TCP 127.0.0.1:631 (LISTEN)
+cupsd root 0t0 TCP [::1]:631 (LISTEN)
+master root 0t0 TCP 127.0.0.1:25 (LISTEN)

# There also was a lot of terminal output similar to the iMac's which I forgot to save, and when I ran checksecurity again it was blank. (Incidentally, the list of setuid programs on Mac OS is a lot longer)

Re-installing might not have been necessary if it was a false positive. Happens you know.


Setuid root means any unprivileged user will be able to run the command as with root rights. Usually viewed as a weakness in systems for elevating users rights.


Did both machines receive different package updates?


"Bound" here means an application (service) is listening (waiting) on a network socket for clients. For instance your "cupsd" is waiting for clients to queue print jobs. A combination of router safety (not opening service ports to the Internet), application configuration (user and remote access), tcp_wrappers (remote addresses, local service access) and firewall (remote addresses, local port access) should help keep out unwanted access.


They do. It's just they only care for themselves and not for users. Why else would they require you to pay for updates?..


Traffic logged by the firewall that is exiting your machine.


If you keep the software up to date, and if you only run only vital services, and if you restrict service access to the machine to only your LAN, and if you trust other machines on the LAN, and if 'checksecurity' is not the only auditing tool you run then I'd say keep it at the weekly interval.


Usually happens when Syslog gets shut down when you shut down the machine or when syslog gets restarted when logs get rotated (but then it should be followed by a starting line).

Thanks, unSpawn, for your reply. Traffic that is exiting my machine - does that mean routine stuff like add-on update requests from firefox? Then it should be present in the logs of both machines, shouldn't it? You have answered most of my questions but I am still not convinced that the outbound stuff is on the up and up. (Anyway there is none of it after August 2, so my online activity is not under "Outbound"). I'll keep track of what I do and an eye on the logs.

Any traffic will exit your machine be it NTP (the "OUT=eth1 DST=91.189.94.4 PROTO=UDP SPT=123 DPT=123" lines to europium.canonical.com), updates or version checking (the "OUT=eth1 PROTO=TCP DPT=80" lines to gd.tuwien.ac.at and jujube.canonical.com). The relevance of reporting lines depends on reasonable firewall rules. The only blocking rule was the "[UFW BLOCK] IN=eth1 from ew-in-f101.1e100.net" line means tearing down (ACK FIN) the connection between you and Google. For unknown reasons Netfilter didn't see that as part of an established connection. Looking at "3.5. Closing a Connection" of RFC 793 it isn't exactly malicious traffic. So I fail to see how your firewall rule set marks that as something to block but then again we don't have your firewall rule set to look at.