LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.

#1  03-26-2007, 02:54 PM  entz (Member; Registered: Mar 2007; Location: Milky Way, Planet Earth!; Distribution: Opensuse; Posts: 453; Blog Entries: 3)

Personal Security Concerns about "find"

Greetings,

About an hour ago the RAM and HDD usage sharply rose for some unknown reason.
When I checked top, I got a process called "find" at the top of the list under username "nobody"! (I immediately killed that process, which resulted in CPU, RAM and HDD returning to normal.)
This was really strange and frightening as well, since I'm the one and only user on my laptop and I'm running as root, so the question is: who ran find under this mysterious account called nobody??
I'm afraid that someone hacked my computer or something. Is this possible, or is it just a false alarm?
(BTW my kernel version is 2.6.16.21-0.25 on Suse 10.1.)

Thanks in advance

#2  03-26-2007, 03:05 PM  druuna (LQ Veteran; Registered: Sep 2003; Posts: 10,532; Blog Entries: 7)

Hi,

This is probably a false alarm.

It's probably updatedb that was running (automatically by crontab). This is set up automatically by suse (at least up to version 8, that's when I switched). I'm not sure where it's put nowadays (/etc/cron.daily is where it used to be).

Hope this helps.

#3  03-26-2007, 03:31 PM  entz (Member, Original Poster; Registered: Mar 2007; Location: Milky Way, Planet Earth!; Distribution: Opensuse; Posts: 453; Blog Entries: 3)

Quote: Originally Posted by druuna
    Hi,
    This is probably a false alarm.

Well, I hope so. There is the script you mentioned in /etc/cron.daily, but I dunno if this is related in any way to that "find" incident...
Anyways, I was wondering from the start why so many daemons and whatnot are running, most of them listening and/or opening sockets, while they are swallowing tremendous amounts of memory for apparently nothing!

To a different question: how is Suse rated in general against other major distros? Is it considered user-friendly or complicated, laggy or swift, consuming many resources or little?

#4  03-26-2007, 03:55 PM  druuna (LQ Veteran; Registered: Sep 2003; Posts: 10,532; Blog Entries: 7)

Hi,

Most (if not all) that is running is there to actually do something important or something helpful (the latter being a bit of a personal issue/taste).

Suse gives you the possibility to switch certain things on or off. But if you do not know what a certain service does, don't tinker with it before you know what the consequences are.

After using Suse for a few years I switched because I wanted more control (on a more basic level). I personally grade Suse somewhere in the middle. Not for the beginner and not for the control freak.

I don't have any experience with Suse 9/10, so I cannot comment on any speed/resource issues.

Maybe you can take a look here (distrowatch) and get an idea of the distros out there and what they can/cannot do. Here's the Suse specific link.

#5  03-27-2007, 12:14 AM  Zention (Member; Registered: Mar 2007; Posts: 119)

Well I suppose updatedb could call find, mine does not though, I use slocate which is aliased to locate. Could be a version thing mine is 2.7 secure locate.

I would investigate further. Run updatedb yourself from a root account and then go watch top for a bit, if find pops up then yes that is the most likely reason, if not then you are back to worrying about being compromised.

Of course next thing to do is look at the cron scripts.

I would say SuSE is a good starter distro, when you get more comfortable then you will start to find the extra layers it gives can be restrictive, it is not that you cannot do anything you like, it is just that you are doing it all the SuSE way. Depends what you want from your computer system though.
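The investigation Zention suggests (run updatedb, watch top, see whether the find process belongs to it) can be made repeatable by walking the process ancestry instead of eyeballing top. The script below is an added example, not code from this thread or from SUSE. It works on a saved `ps` snapshot so it runs offline; the snapshot here is constructed (the PIDs, the `run-crons` name and the user `entz` are assumptions) and models a cron-driven updatedb that dropped to `nobody` and spawned find. On a live machine you would capture the table with `ps -eo pid,ppid,user,comm | tail -n +2` (procps column names assumed) and pass it as the second argument.

```shell
#!/bin/sh
# Added example (not code from the thread): walk a process table to check
# whether a "find" running as nobody descends from cron/updatedb, which is
# the benign explanation the thread arrives at. Runs on a saved snapshot;
# capture a live one with:  ps -eo pid,ppid,user,comm | tail -n +2

# Constructed sample snapshot (pids, names and the user "entz" are made up):
# a cron-driven updatedb that dropped to nobody and spawned find, next to
# the poster's own interactive shell running top.
SAMPLE_PS='1 0 root init
1234 1 root cron
2345 1234 root run-crons
2360 2345 root updatedb
2380 2360 nobody find
3000 1 entz bash
3001 3000 entz top'

# ancestry PID [TABLE]: print "pid user command" for PID and every ancestor
# up to PID 1. TABLE defaults to the constructed snapshot. Returns 1 when
# PID (or one of its ancestors) is not present in the table.
ancestry() {
    anc_pid=$1
    anc_table=${2:-$SAMPLE_PS}
    while [ "$anc_pid" -gt 0 ]; do
        anc_line=$(printf '%s\n' "$anc_table" |
            awk -v p="$anc_pid" '$1 == p { print; exit }')
        [ -n "$anc_line" ] || return 1
        set -- $anc_line            # fields: pid ppid user comm
        printf '%s %s %s\n' "$1" "$3" "$4"
        anc_pid=$2                  # climb to the parent
    done
}

# explained_by_cron PID [TABLE]: exit 0 when some ancestor of PID is a cron
# daemon or updatedb (the find is part of the scheduled index run); exit 1
# otherwise, meaning the process has no such explanation and deserves a
# closer look (which cron scripts exist, what the binary is, who started it).
explained_by_cron() {
    ancestry "$1" "${2:-$SAMPLE_PS}" |
        awk '$3 ~ /^(cron|crond|anacron|updatedb)$/ { found = 1 }
             END { exit !found }'
}

# Stand-alone run over the constructed snapshot.
if explained_by_cron 2380; then
    echo "find (pid 2380) descends from the cron-driven updatedb: benign"
else
    echo "find (pid 2380) has no cron/updatedb ancestor: investigate"
fi
```

The ancestry walk is what top does not show: a `find` owned by `nobody` whose parent chain ends in `cron` is the index job, while the same process name hanging off a login shell or a network daemon is exactly the case that should not be dismissed as a false alarm.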

#6  03-27-2007, 12:32 AM  jschiwal (LQ Guru; Registered: Aug 2001; Location: Fargo, ND; Distribution: SuSE AMD64; Posts: 15,733)

It was the cron job running updatedb to update the database that locate uses. You should not be running as root normally.

The nobody user only has access to directories with global read access. This is to prevent the updatedb database from indexing your personal files. There is an empty file in /var/spool/cron/cron.daily, whose timestamp probably indicated that your computer was off when the crondaily script normally runs, so it ran then.

Anyway, this sounds normal and doesn't indicate a security problem.
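jschiwal's point is that an updatedb running as `nobody` can only index what is reachable through directories that grant "other" read and search permission, which is why personal files stay out of the locate database. The script below is an added example (not from the thread or from SUSE) that shows which directories such a user could reach from a starting point; it builds a small constructed directory tree under a temp dir to demonstrate, and uses the POSIX octal `-perm` form so it also works with non-GNU find.

```shell
#!/bin/sh
# Added example (not code from the thread): list the directories an
# updatedb run as "nobody" could index below a starting point, i.e. those
# reachable through directories granting read and search (r-x) to "other".
# A directory without those bits hides its whole subtree, even when a
# directory further down has permissive bits of its own.

# world_readable_dirs ROOT: print, sorted and relative to ROOT, every
# directory reachable from ROOT for a user with no special group
# membership. Subtrees below any directory lacking o+rx are pruned, which
# mirrors what a real traversal by that user would be able to do.
world_readable_dirs() {
    ( cd "$1" && find . -type d ! -perm -005 -prune -o -type d -print ) | sort
}

# make_demo_tree: build a constructed tree in a temp dir and print its path.
#   ./public         755  visible to nobody
#   ./private        700  hidden, and so is everything below it
#   ./private/inner  755  bits say readable, but unreachable through private
make_demo_tree() {
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/public" "$demo_root/private/inner"
    chmod 755 "$demo_root" "$demo_root/public" "$demo_root/private/inner"
    chmod 700 "$demo_root/private"
    printf '%s\n' "$demo_root"
}

# Stand-alone run: prints "." and "./public" only, then cleans up.
demo=$(make_demo_tree)
world_readable_dirs "$demo"
rm -rf "$demo"
```

Running `world_readable_dirs "$HOME"` on a real account shows at a glance which parts of a home directory a `nobody` indexer (or any other unprivileged local user) can read; a home directory with mode 700 yields nothing at all, which is the outcome the thread's default updatedb setup relies on.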

#7  03-27-2007, 01:17 AM  Zention (Member; Registered: Mar 2007; Posts: 119)

Yes, good point about not being root; as I use slocate really, I have to be root to run updatedb. But in the OP's case, try running updatedb as a normal user first; well, it will index your files that way. So make a new user which is only in its own group, then run updatedb.

I can only imagine if this is normal that SuSE uses locate non secure and secures it using this find method that does not give you a full locate database.

Secure locate knows about my files in /root, but if a user asks to locate a file that happens to be in /root only, it will not report back that file.

slocate is a sgid file though, so there are arguments for and against slocate.

Last edited by Zention; 03-27-2007 at 01:24 AM.

#8  03-27-2007, 06:19 AM  entz (Member, Original Poster; Registered: Mar 2007; Location: Milky Way, Planet Earth!; Distribution: Opensuse; Posts: 453; Blog Entries: 3)

Quote: Originally Posted by Zention
    I would investigate further. Run updatedb yourself from a root account and then go watch top for a bit, if find pops up then yes that is the most likely reason, if not then you are back to worrying about being compromised.

Thanks a whole lot Zention!
I just tried what you told me, and when I ran top while updatedb was in the background, this find popped up again and HDD usage rose the same way it had the last time...
Actually a stone fell from my chest after I found out that this was totally harmless. Probably I'm too paranoid, *huuw*

About me asking why so many daemons are there: it's because when I run netstat without any arguments
I get dozens of lines indicating that some processes are opening sockets and a "connected" label appears right next to them, but when I ran netstat -atpu (or a similar arg combination) I got the "real" sockets and their status etc.

Another thing that added to the confusion is the fact that the disk cache (though I'm not clearly getting what the purpose of it is) is counted as used space while apparently it denotes "free memory".

Finally, thanks to everybody who replied!

#9  03-27-2007, 09:59 AM  jschiwal (LQ Guru; Registered: Aug 2001; Location: Fargo, ND; Distribution: SuSE AMD64; Posts: 15,733)

I read the part of the original message about running as root, and wasn't referring to using "sudo updatedb". You run updatedb as root unless you set it up to index your personal home directory files, but I doubt that is the case. Actually, updatedb is normally run daily and you only run it manually after first installing, or after updating a package, if you want to locate something in the package. ( But on SuSE, rpm -ql will give you the same info. )

I don't even have the slocate package, and it may be that slocate is called locate. There is an option (the default) to run updatedb as the nobody user so personal files aren't indexed in the first place.