Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
03-26-2007, 02:54 PM | #1 | Member | Registered: Mar 2007 | Location: Milky Way, Planet Earth! | Distribution: Opensuse | Posts: 453
Personal Security Concerns about "find"
Greetings,
About an hour ago the RAM and HDD usage sharply rose for some unknown reason.
When I checked top, I got a process called "find" at the top of the list under username "nobody"! (I immediately killed that process, which resulted in CPU, RAM and HDD returning to normal work etc.)
This was really strange and frightening as well, since I'm the one and only user on my laptop and I'm running as root, so the question is, who ran find on this mysterious account called nobody??
I'm afraid that someone hacked my computer or something. Is this possible or is it just a false alarm?
(BTW my kernel version is 2.6.16.21-0.25 on Suse 10.1)
Thanks in advance

03-26-2007, 03:05 PM | #2 | LQ Veteran | Registered: Sep 2003 | Posts: 10,532
Hi,
This is probably a false alarm.
It's probably updatedb that was running (automatically by crontab). This is set up automatically by Suse (at least up to version 8, which is when I switched). I'm not sure where it's put nowadays (/etc/cron.daily is where it used to be).
Hope this helps.

03-26-2007, 03:31 PM | #3 | Member (Original Poster) | Registered: Mar 2007 | Location: Milky Way, Planet Earth! | Distribution: Opensuse | Posts: 453
Quote: Originally Posted by druuna
Hi,
This is probably a false alarm.
Well, I hope so. There is the script you mentioned in /etc/cron.daily, but I don't know if this is related in any way to that "find" incident...
Anyway, I was wondering from the start why so many daemons and whatnot are running, most of them listening and/or opening sockets, while they are swallowing tremendous amounts of memory for apparently nothing!
On a different question: how is Suse rated in general against other major distros? Is it considered user-friendly or complicated, laggy or swift, consuming many resources or little?

03-26-2007, 03:55 PM | #4 | LQ Veteran | Registered: Sep 2003 | Posts: 10,532
Hi,
Most (if not all) of what is running is there to actually do something important or something helpful (the latter being a bit of a personal issue/taste).
Suse gives you the possibility to switch certain things on or off. But if you do not know what a certain service does, don't tinker with it before you know what the consequences are.
After using Suse for a few years I switched because I wanted more control (on a more basic level). I personally grade Suse somewhere in the middle: not for the beginner and not for the control freak.
I don't have any experience with Suse 9/10, so I cannot comment on any speed/resource issues.
Maybe you can take a look here (distrowatch) and get an idea of the distros out there and what they can/cannot do. Here's the Suse specific link.

03-27-2007, 12:14 AM | #5 | Member | Registered: Mar 2007 | Posts: 119
Well, I suppose updatedb could call find; mine does not though. I use slocate, which is aliased to locate. Could be a version thing; mine is 2.7 secure locate.
I would investigate further. Run updatedb yourself from a root account and then go watch top for a bit; if find pops up then yes, that is the most likely reason; if not, then you are back to worrying about being compromised.
Of course the next thing to do is look at the cron scripts.
I would say SuSE is a good starter distro; when you get more comfortable you will start to find the extra layers it gives can be restrictive. It is not that you cannot do anything you like, it is just that you are doing it all the SuSE way. Depends what you want from your computer system though.
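The check suggested in this reply (run updatedb, watch top for find, then look at the cron scripts) can be made mechanical instead of relying on a glance at top. The POSIX shell script below is an added example and not code from the thread: it walks a process's ancestry through /proc to see whether a "find" descends from updatedb or cron, and greps a cron directory for scripts that invoke updatedb. The function names, the optional proc-root argument (so the walk can be pointed at a constructed tree) and the regex of parent names are assumptions made for the example; distributions differ in how the cron.daily script is named and whether updatedb is wrapped in su or a shell.

```shell
#!/bin/sh
# Added example, not from the thread: trace a process seen in top back to its
# ancestors through /proc, and check which cron scripts invoke updatedb.
# The proc-root argument exists so the walk can be pointed at a constructed tree.

# Print "pid:comm" for PID and each ancestor, nearest first, stopping at PID 1.
# $1 = pid, $2 = proc root (defaults to /proc).
ancestry() {
    pid=$1
    proc=${2:-/proc}
    while [ "$pid" -gt 1 ]; do
        [ -r "$proc/$pid/stat" ] || break
        stat=$(cat "$proc/$pid/stat")
        # Format: "pid (comm) state ppid ...". comm may contain spaces, so
        # split at the parentheses rather than on whitespace.
        comm=${stat#*\(}
        comm=${comm%%\)*}
        rest=${stat##*\)}
        set -- $rest                      # $1 = state, $2 = ppid
        printf '%s:%s\n' "$pid" "$comm"
        pid=$2
    done
}

# Exit 0 when PID itself or some ancestor has a command name matching the
# extended regex in $2. $3 = optional proc root.
spawned_by() {
    ancestry "$1" "$3" | cut -d: -f2- | grep -Eq "$2"
}

# List the scripts in a cron directory that mention updatedb, e.g. /etc/cron.daily.
cron_updatedb_scripts() {
    grep -ls updatedb "$1"/* 2>/dev/null
}

# Usage: sh trace_find.sh <pid>   (the PID top shows for "find")
if [ "$#" -eq 1 ]; then
    ancestry "$1"
    if spawned_by "$1" '^(updatedb|cron|crond)$'; then
        echo "pid $1 descends from updatedb/cron: the scheduled locate index run"
    else
        echo "pid $1 has no updatedb/cron ancestor: look at the cron scripts and logs"
    fi
    cron_updatedb_scripts /etc/cron.daily
fi
```

A chain such as find, updatedb, sh, cron is the scheduled index run; a find whose nearest ancestors are an interactive shell of another user, a web-server process or an unfamiliar binary is what deserves the further investigation this reply calls for. Killing the process first, as the original poster did, also discards exactly this evidence, so run the ancestry check before reaching for kill.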

03-27-2007, 12:32 AM | #6 | LQ Guru | Registered: Aug 2001 | Location: Fargo, ND | Distribution: SuSE AMD64 | Posts: 15,733
It was the cron job running updatedb to update the database that locate uses. You should not be running as root normally.
The nobody user only has access to directories with global read access. This is to prevent the updatedb database from indexing your personal files. There is an empty file in /var/spool/cron/cron.daily, whose timestamp probably indicated that your computer was off when the crondaily script normally runs, so it ran then.
Anyway, this sounds normal and doesn't indicate a security problem.

03-27-2007, 01:17 AM | #7 | Member | Registered: Mar 2007 | Posts: 119
Yes, good point about not being root. As I use slocate really, I have to be root to updatedb. But in the OP's case, try running updatedb as a normal user first; well, it will index your files that way. So, make a new user which is only in its own group, then updatedb.
I can only imagine, if this is normal, that SuSE uses non-secure locate and secures it using this find method that does not give you a full locate database.
Secure locate knows about my files in /root, but if a user asks to locate a file that happens to be in /root only, it will not report back that file.
slocate is an sgid file though, so there are arguments for and against slocate.
Last edited by Zention; 03-27-2007 at 01:24 AM.
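The two database models contrasted in the last two replies (updatedb run as nobody, which only ever sees world-readable directories, versus slocate's complete root-built database filtered at query time) can be shown side by side. The shell functions below are an added example, not code from the thread, from SUSE or from slocate: one simulates the nobody-run index, the other simulates the root-run index plus a per-query permission check. The constructed directory tree, the function names and the approximation of slocate's rule (parent listable by "other", every ancestor up to a given root enterable) are assumptions; slocate's real check and its sgid database handling are not reproduced.

```shell
#!/bin/sh
# Added example, not from the thread: two locate-database models side by side.
#  - index_as_nobody: what updatedb running as "nobody" records: names it can
#    list, never the contents of a directory "other" cannot read and enter.
#  - index_as_root + query_as_other: slocate's model, a complete root-built
#    database filtered per query against the asking user's permissions.
# The permission test is an approximation of slocate's, not its code.

# The three "other" permission characters from ls -ld (columns 8-10).
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# Model 1. -print records every name reached; a directory lacking o+r and o+x
# (octal 005) is then pruned, so nothing beneath it is ever seen.
index_as_nobody() {
    find "$1" -print -type d ! -perm -005 -prune
}

# Model 2, build step: root sees everything.
index_as_root() {
    find "$1" -print
}

# Model 2, query step: show a recorded path to an unprivileged user only if its
# parent is listable by other (r and x) and every ancestor up to ROOT is
# enterable (x; "t" is sticky-plus-x). $1 = path, $2 = root where climbing stops.
other_may_see() {
    dir=$(dirname "$1")
    case $(other_bits "$dir") in r?[xt]) ;; *) return 1 ;; esac
    while :; do
        case $(other_bits "$dir") in ??[xt]) ;; *) return 1 ;; esac
        case $dir in "$2"|/|.) return 0 ;; esac
        dir=$(dirname "$dir")
    done
}

# Model 2 end to end: the root-built list, filtered for "other".
query_as_other() {
    index_as_root "$1" | while IFS= read -r p; do
        if [ "$p" != "$1" ] && other_may_see "$p" "$1"; then
            printf '%s\n' "$p"
        fi
    done
}
```

With a world-readable pub/ and a mode-700 priv/ under the same root, index_as_nobody lists priv but never priv/secret (the incomplete database this reply mentions), index_as_root lists both, and query_as_other hides priv/secret again when an ordinary user asks. The second model only works if the database file itself is unreadable to ordinary users, which is why slocate has to be sgid; the first needs no privilege at all, which is the trade-off behind running updatedb as nobody.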

03-27-2007, 06:19 AM | #8 | Member (Original Poster) | Registered: Mar 2007 | Location: Milky Way, Planet Earth! | Distribution: Opensuse | Posts: 453
Quote: Originally Posted by Zention
I would investigate further. Run updatedb yourself from a root account and then go watch top for a bit, if find pops up then yes that is the most likely reason, if not then you are back to worrying about being compromised.
Thanks a whole lot, Zention!
I just tried what you told me, and when I ran top while updatedb was in the background, this find popped up again and HDD usage rose the same way it had the last time...
Actually a stone fell from my chest after I learned that this was totally harmless; probably I'm too paranoid, *phew*.
About my asking why so many daemons are there: it's because when I run netstat without any arguments
I get dozens of lines indicating that some processes are opening sockets and a "connected" label appears right next to them, but when I ran netstat -atpu (or a similar arg combination) then I get the "real" sockets and their status etc.
Another thing that added to the confusion is the fact that the disk cache (though I'm not clearly getting what the purpose of it is) is counted as used space while apparently it denotes "free memory".
Finally, thanks to everybody who replied!
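The difference noticed in this post between bare netstat (Unix domain sockets, mostly "CONNECTED") and netstat -atpu (TCP/UDP sockets) can be reproduced without netstat at all by reading /proc/net/tcp, the table netstat itself parses. The shell functions below are an added example, not part of the thread: one prints listening TCP sockets with their owning uid, the other keeps only those not bound to loopback, which are the ones actually reachable from the network. The file argument (so a constructed copy of the table can be parsed), the function names and the sample lines are assumptions; the address decoding assumes the byte-reversed rendering of IPv4 addresses that the kernel produces in this file on little-endian hosts such as x86.

```shell
#!/bin/sh
# Added example, not from the thread: list listening TCP sockets straight from
# /proc/net/tcp (what netstat -t reads). Fields per line:
#   sl local_address rem_address st tx_queue:rx_queue tr:tm->when retrnsmt uid timeout inode
# Addresses are HEXIP:HEXPORT; on little-endian hosts the IPv4 word is byte-reversed.

# Convert "0100007F" to "127.0.0.1" (assumes little-endian rendering, as on x86).
hex_to_ipv4() {
    h=$1
    d=${h%??????}                       # first byte printed = last octet
    c=$(printf '%s' "$h" | cut -c3-4)
    b=$(printf '%s' "$h" | cut -c5-6)
    a=${h#??????}                       # last byte printed = first octet
    printf '%d.%d.%d.%d' "$((0x$a))" "$((0x$b))" "$((0x$c))" "$((0x$d))"
}

# Print "ip:port uid=N" for every socket in state 0A (LISTEN).
# $1 = path of a /proc/net/tcp-format file (defaults to the live table).
listening_tcp() {
    f=${1:-/proc/net/tcp}
    while read -r sl laddr raddr st queues timers retrans uid rest; do
        [ "$st" = "0A" ] || continue        # skips the header and non-listeners
        port=${laddr##*:}
        printf '%s:%d uid=%s\n' "$(hex_to_ipv4 "${laddr%%:*}")" "$((0x$port))" "$uid"
    done < "$f"
}

# Listeners reachable from outside the host: everything not bound to loopback.
exposed_tcp() {
    listening_tcp "$1" | grep -v '^127\.'
}
```

Run with no argument on a live system to see the same listeners netstat -lt would show, plus who owns each one; sockets bound to 127.0.0.1 are local-only (a CUPS or database listener, typically), whereas anything in exposed_tcp is the real attack surface and is what to compare against the list of services you meant to run. UDP listeners live in /proc/net/udp with the same layout, so the same parser applies to them with the state check relaxed.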

03-27-2007, 09:59 AM | #9 | LQ Guru | Registered: Aug 2001 | Location: Fargo, ND | Distribution: SuSE AMD64 | Posts: 15,733
I read the part of the original message about running as root, and wasn't referring to using "sudo updatedb". You run updatedb as root unless you set it up to index your personal home directory files, but I doubt that is the case. Actually, updatedb is normally run daily and you only run it manually after first installing, or after updating a package, if you want to locate something in the package. (But on SuSE, rpm -ql will give you the same info.)
I don't even have the slocate package, and it may be that slocate is called locate. There is an option (the default) to run updatedb as the nobody user so personal files aren't indexed in the first place.

All times are GMT -5.