06-05-2006, 10:15 PM
|
#1
|
LQ Newbie
Registered: Feb 2006
Distribution: RHEL 4
Posts: 15
Rep:
|
strange directory entry in Desktop
I am running RHEL 4 and the Gnome desktop. When I switch to the Desktop directory and do an "ls", I notice two strange listings. One is larry-004369ec04.desktop and the other is greasy-000e4d4d26.desktop. I don't know what to make of it. Is this some kind of security issue?
|
|
|
06-06-2006, 07:11 AM
|
#2
|
LQ Addict
Registered: Jul 2002
Location: East Central Illinois, USA
Distribution: Debian stable
Posts: 5,908
|
If there are no authorized users of your system named either 'larry' or 'greasy', then you probably have a security issue.
Start reading howtos and tutorials on how to harden your system against intrusion.
Before installing/configuring software to harden the system, make certain the system is clean. Take the system off-line, back up personal files to removable media, then format your partitions and re-install the OS so that you can be assured that the software you do have installed has not been compromised, and that there are no stranger's hidden files in the system.
|
|
|
06-06-2006, 07:54 AM
|
#3
|
Moderator
Registered: May 2001
Posts: 29,417
|
Uhhmm, before we enter full-scale nuclear destruction mode I'd suggest running "fuser", "file" and "stat" on the files to give us some more details. Fuser should show if it's in use right now, file tries to determine what type this is (like safe to read ASCII) and stat gives you details about ownership and access times. Please post *exact* output.
|
|
|
06-07-2006, 08:56 PM
|
#4
|
LQ Newbie
Registered: Feb 2006
Distribution: RHEL 4
Posts: 15
Original Poster
Rep:
|
Sorry for the delay in the reply. I've had some personal issues with my son. "larry" is an ASCII file and "greasy" is a UTF-8 unicode text file. I will post the exact output when I get to the Linux box. Where do I download "fuser" from? I get an error that it doesn't exist? The other two worked fine and I'll post the exact output tomorrow.
|
|
|
06-08-2006, 04:42 AM
|
#5
|
Moderator
Registered: May 2001
Posts: 29,417
|
> Sorry for the delay in the reply. I've had some personal issues with my son.
Don't be. It was only two days ago and I don't see no real urgency or security issues here.
> "larry" is an ASCII file and "greasy" is a UTF-8 unicode text file.
...which means you probably can read contents safely.
> Where do I download "fuser" from? I get an error that it doesn't exist?
Maybe it isn't in your $PATH statement. "slocate fuser" should indicate where it lives, I'd say /sbin.
...now say you would "slocate -r ".*/.*\.desktop"" (w/o outer quotes), pick one, and compare it with these two, is the content in any of those two kinda similar? If it is then you could do "rpm -q --whatprovides original_file_you_picked_for_comparison" to get the name(s) of package with this similar content and so (narrow down and) determine what app(s) would write stuff like that.
Last edited by unSpawn; 06-08-2006 at 04:43 AM.
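The checks suggested in the post above (file, stat, fuser, then comparing against packaged .desktop files and asking rpm which package provides them), collected into one script as an added example that is not part of the thread or any poster's code. The function names, the key-name "shape" comparison and the /usr/share search root are assumptions made for illustration; Type, Name, Exec, TryExec and URL are standard Desktop Entry keys, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the thread): triage unexplained *.desktop files.

# Launcher keys that decide what opening the file would run or load.
desktop_summary() {
    grep -E '^(Type|Name|Exec|TryExec|URL)=' "$1"
}

# Sorted set of key names (locale suffixes like Name[de] folded), used as
# a rough "shape" for comparing the file against packaged launchers.
desktop_shape() {
    sed -n 's/^\([A-Za-z][A-Za-z0-9-]*\)[^=]*=.*/\1/p' "$1" |
        LC_ALL=C sort -u | paste -s -d ' ' -
}

# Print every *.desktop file under directory $2 with the same shape as $1.
similar_to() {
    want=$(desktop_shape "$1")
    find "$2" -type f -name '*.desktop' 2>/dev/null |
    while IFS= read -r ref; do
        if [ "$(desktop_shape "$ref")" = "$want" ]; then
            printf '%s\n' "$ref"
        fi
    done
}

# file/stat/fuser report for one path, then its launcher keys.
triage() {
    [ -f "$1" ] || { echo "not a regular file: $1" >&2; return 1; }
    echo "== $1"
    if command -v file >/dev/null 2>&1; then file -b "$1"; fi
    stat -c 'owner=%U group=%G mode=%a size=%s mtime=%y' "$1"
    if command -v fuser >/dev/null 2>&1; then
        fuser "$1" 2>&1 || echo "fuser: not open by any process"
    fi
    desktop_summary "$1" || echo "no launcher keys found"
}

# Usage: sh triage.sh ~/Desktop/*.desktop   (package lookup needs rpm)
for f in "$@"; do
    case $f in /*) ;; *) f=./$f ;; esac   # guard names starting with "-"
    triage "$f" || continue
    similar_to "$f" /usr/share | while IFS= read -r ref; do
        if command -v rpm >/dev/null 2>&1; then rpm -q --whatprovides "$ref"; fi
    done | sort -u
done
```

A file whose Exec= line points somewhere no installed package accounts for, or whose owner is not the desktop user, is the case worth escalating.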
|
|
|
06-08-2006, 12:14 PM
|
#6
|
LQ Newbie
Registered: Feb 2006
Distribution: RHEL 4
Posts: 15
Original Poster
Rep:
|
Thank you. Here is an exact copy from the stat and file output. I'll do the fuser next:
[walkup@NMR400 ~/Desktop]$ file larry-004369ec04.desktop
larry-004369ec04.desktop: ASCII text
[walkup@NMR400 ~/Desktop]$ file greasy-000e4d4d26.desktop
greasy-000e4d4d26.desktop: UTF-8 Unicode text
[walkup@NMR400 ~/Desktop]$ stat larry-004369ec04.desktop
File: `larry-004369ec04.desktop'
Size: 228 Blocks: 16 IO Block: 4096 regular file
Device: 302h/770d Inode: 5647599 Links: 1
Access: (0700/-rwx------) Uid: ( 1001/ walkup) Gid: ( 31/ nmr)
Access: 2006-06-07 21:45:15.727746776 -0400
Modify: 2006-04-21 20:52:32.000000000 -0400
Change: 2006-04-21 20:52:32.000000000 -0400
[walkup@NMR400 ~/Desktop]$ stat greasy-000e4d4d26.desktop
File: `greasy-000e4d4d26.desktop'
Size: 3652 Blocks: 16 IO Block: 4096 regular file
Device: 302h/770d Inode: 5647483 Links: 1
Access: (0700/-rwx------) Uid: ( 1001/ walkup) Gid: ( 31/ nmr)
Access: 2006-06-07 21:45:48.325791120 -0400
Modify: 2006-02-08 08:17:37.000000000 -0500
Change: 2006-02-08 08:17:41.000000000 -0500
[walkup@NMR400 ~/Desktop]$
|
|
|