Linux - Security: This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I'm experiencing very, very strange problems. They don't seem related, but they all started suddenly:
- Opera can't remember settings anymore: suddenly my navigation bars had changed, and when I move the buttons back to where they were, they are wrong again the next time I start the computer... no errors when starting Opera from the terminal. The same happens as root.
- Tux Racer suddenly doesn't start anymore (it worked yesterday!). When trying to start it from a terminal:
Code:
Tux Racer 0.61 -- a Sunspire Studios Production (http://www.sunspirestudios.com)
(c) 1999-2000 Jasmin F. Patry <jfpatry@sunspirestudios.com>
"Tux Racer" is a trademark of Jasmin F. Patry
Tux Racer comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to redistribute it under certain conditions.
See http://www.gnu.org/copyleft/gpl.html for details.
Error: Could not open /dev/nvidiactl because the permissions
are too resticitive. Please see the FREQUENTLY ASKED QUESTIONS
section of /usr/share/doc/NVIDIA_GLX-1.0/README for steps
to correct.
Segmentation fault
As root, tuxracer can't be found.
- Fluxbox is slow: the mouse doesn't move smoothly, even as root
- Gkrellm was suddenly uninstalled. That really doesn't make sense; I didn't uninstall gkrellm!
- Xmms forgot what skin it had
- Sometimes the processor is suddenly working at 100%, while no app seems to have crashed. I really can't find out why: gnome system monitor says it's X. I can only stop it by rebooting.
Today I made a new user on my system, and I wanted to copy all the config files from an old user to the new user. That caused quite some hassle, and I changed a lot of dependencies to get it done. I've also removed that user. Does anyone know anything about damaging the filesystem with such things? I tried e2fsck -f -c on my home directory, but it found nothing...
It also looks like a virus; does anyone know about a virus?
I have Debian sarge, with gnome, kde, enlightenment, and fluxbox, a custom 2.6.7 kernel, nvidia drivers. Does anyone have an idea what's going on?
Hope someone can help me, but I'm afraid not... Or can anyone help guessing what could be wrong?
Corien
Last edited by sterrenkijker; 08-12-2004 at 04:07 PM.
It may not be a virus. It may be an intruder, but it is strange that they would just go around messing with your settings. Check out snort; it'll monitor activity on your system.
If you want to ensure that it isn't a virus, you can install f-prot-installer (available in testing and unstable). Then run update-f-prot and see the man page for f-prot to find out the command syntax and available options.
Given that you were trying to move/modify config files, it certainly could be that you borked your configuration. Try creating a new user from scratch (without copying any configs and stuff) and see if the user has the same problems. I'd also take a close look at the output of the top command to see what is consuming CPU time, as well as the output of ps aux to look for any abnormal processes. Definitely run chkrootkit. Snort is great at detecting attacks in their initial stages, but once someone has gained access to the system, there are probably better tools to use.
qwijibow already mentioned this, but I had the same graphics acceleration problem with Mandrake 9.0 and 9.1. Fortunately, I haven't had that problem with 9.2 and now 10. You should do as the output suggests: "Please see the FREQUENTLY ASKED QUESTIONS section of /usr/share/doc/NVIDIA_GLX-1.0/README for steps to correct". It can cause some very annoying things to happen, like preventing anything that uses accelerated graphics from working.
Thanks for the many replies. I changed the permissions of nvidiactl, and now tuxracer runs again.
I found the problem with opera: opera got confused by the new username, I saw the opera config-dir was recreated with the directory of that old user. Removing the configdirectory and starting over solved it. I did that with fluxbox and gnome too and that solved most problems.
Chkrootkit didn't find anything; only the first time I ran it, 3 hidden processes and a warning about a possible trojan horse, but the next time I ran it, it wasn't found. Could that mean anything? F-prot didn't find anything (the search only took a second, that's really short...???), snort didn't report anything unusual. I think I have just messed things up with those permissions. I'm not gonna do that again!
Again thanks for the replies. I'm really happy I don't have to reinstall things again!
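The cause found in this post, a copied configuration directory that still pointed at the old user's home, is easy to check for after the fact. The script below is an added example and not code from the thread: it walks the new home directory and reports two things, entries whose owner is not the expected uid (a root-run copy or a missing chown -R) and regular files whose contents still mention the old home path (the stale absolute reference that confused Opera). The fixture it builds (.opera/opera6.ini, .xmms/config, the keys inside them and /home/olduser) is constructed for the demonstration, not taken from the post.

```python
"""Audit a home directory that was populated by copying another user's
config files.  Added example, not code from the thread."""
import os
import stat
import tempfile


def audit_copied_home(home, expected_uid, old_home):
    """Walk `home` and return (wrong_owner, stale_refs), both sorted lists.

    wrong_owner: files or directories whose owner uid != expected_uid
    stale_refs:  regular files whose contents mention old_home, e.g. a
                 config that recorded an absolute path under the old account
    """
    wrong_owner, stale_refs = [], []
    needle = old_home.rstrip("/").encode()
    for root, dirs, files in os.walk(home):
        for name in dirs + files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks out of $HOME
            except OSError:
                continue
            if st.st_uid != expected_uid:
                wrong_owner.append(path)
            if stat.S_ISREG(st.st_mode):
                try:
                    with open(path, "rb") as fh:
                        # Config files are small; 1 MiB is an arbitrary cap (assumption)
                        if needle in fh.read(1 << 20):
                            stale_refs.append(path)
                except OSError:
                    pass
    return sorted(wrong_owner), sorted(stale_refs)


def build_sample_home():
    """Constructed fixture: a fresh home holding two copied config dirs.
    File names and keys are illustrative, not taken from the thread."""
    home = tempfile.mkdtemp(prefix="newuser-")
    os.mkdir(os.path.join(home, ".opera"))
    with open(os.path.join(home, ".opera", "opera6.ini"), "w") as fh:
        fh.write("[User Prefs]\nOpera Directory=/home/olduser/.opera\n")
    os.mkdir(os.path.join(home, ".xmms"))
    with open(os.path.join(home, ".xmms", "config"), "w") as fh:
        fh.write("[xmms]\nskin=/usr/share/xmms/Skins/Default\n")
    return home


def audit_sample(expected_uid=None):
    """Build the fixture and audit it; uid defaults to the current user."""
    if expected_uid is None:
        expected_uid = os.getuid()
    return audit_copied_home(build_sample_home(), expected_uid, "/home/olduser")


if __name__ == "__main__":
    owner, refs = audit_sample()
    print("wrong owner:", owner)
    print("still referencing the old home:", refs)
```

On a real system call audit_copied_home("/home/newuser", <newuser's uid>, "/home/olduser") as root; anything in the second list is a candidate for the "remove the config directory and start over" fix the post describes, and anything in the first list needs a chown.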
Originally posted by sterrenkijker:
Chkrootkit didn't find anything; only the first time I ran it, 3 hidden processes and a warning about a possible trojan horse, but the next time I ran it, it wasn't found. Could that mean anything?
It might. However, chkrootkit is prone to false warnings about hidden processes, so that isn't that odd. The fact that it didn't output the same warnings on the second scan is usually a sign that it is indeed a false alarm (chkrootkit compares the output of the ps command with the entries in /proc, so if a short-lived process terminates in that time, it results in a false positive). Could you please post the chkrootkit output next time you see that message, just to be sure.
Below is the output of my chkrootkit. It looks fine to me, but I'm quite a noob on this subject. I'm quite sure I have found what these hidden processes are related to: xmms! When I run xmms I find 3 processes, when I stop the music I get 2 processes, and when I close xmms there are no hidden processes. I tried this several times to ensure this was the process. I completely reinstalled xmms, but now I even find 4 hidden processes when listening to something in xmms, and still 2 when xmms is not playing. What could that mean?
Most problems are solved now, and many seemed to be related to my copying and changing permissions of user config files. If these hidden processes don't mean anything, I think I'll just wait and see if more unexplainable things happen... Hopefully it was just my own fault in the end.
Thanks for your help again.
Corien
Code:
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not found
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... nothing found
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit ... nothing found
Searching for Romanian rootkit ... nothing found
Searching for Suckit rootkit ... nothing found
Searching for Volc rootkit ... nothing found
Searching for Gold2 rootkit ... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... You have 3 process hidden for readdir command
You have 3 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no packet sniffer sockets
lo: not promisc and no packet sniffer sockets
Checking `w55808'... not infected
Checking `wted'... nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... nothing deleted
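Two points in the thread invite a worked check: the earlier explanation that chkrootkit compares ps with /proc, so a process that exits in between looks hidden, and the finding above that the hidden-process count rises and falls with xmms. The script below is an added example, not chkrootkit's own code and not anything posted in the thread. It rebuilds the lkm comparison from three views of the pid space (readdir on /proc, a stat probe of every pid up to pid_max, and ps), then reads the Tgid field of /proc/<pid>/status to separate threads from anything genuinely hidden: on a 2.6 or later kernel a thread's /proc/<tid> resolves by path but is not listed by readdir and is not shown by plain ps, which is exactly the pair of warnings chkrootkit printed. That threads are the explanation is my reading, not something the thread states. classify_hidden works on plain sets so the constructed sample runs anywhere; scan_proc needs Linux, /proc and ps, and the full pid walk takes a few seconds when pid_max is large.

```python
"""Reproduce chkrootkit's `lkm` hidden-process test and separate thread
IDs from genuinely hidden PIDs.  Added example, not chkrootkit's code."""
import os
import subprocess
import time


def classify_hidden(readdir_pids, probe_pids, ps_pids, tgid_of):
    """Mirror the lkm test on already-collected data, then split the result.

    readdir_pids: numeric names returned by readdir(2) on /proc
    probe_pids:   pids for which stat("/proc/<pid>") succeeded
    ps_pids:      pids printed by `ps -eo pid=`
    tgid_of:      pid -> Tgid field of /proc/<pid>/status

    The two chkrootkit warnings are the set differences probe - readdir and
    probe - ps.  A pid whose Tgid is not itself is a thread of another
    process and is reported separately; a pid with no Tgid information is
    treated as suspicious, never silently excused.
    """
    hidden_readdir = probe_pids - readdir_pids
    hidden_ps = probe_pids - ps_pids
    hidden = hidden_readdir | hidden_ps
    threads = {p for p in hidden if tgid_of.get(p, p) != p}
    return {
        "hidden_readdir": hidden_readdir,
        "hidden_ps": hidden_ps,
        "threads": threads,
        "suspicious": hidden - threads,
    }


def sample_classification():
    """Constructed data: an xmms-like process (pid 200) playing with three
    worker threads (201-203), plus pid 999 that nothing lists and no Tgid
    explains."""
    readdir = {1, 100, 200}
    probe = {1, 100, 200, 201, 202, 203, 999}
    ps = {1, 100, 200}
    tgid = {1: 1, 100: 100, 200: 200, 201: 200, 202: 200, 203: 200, 999: 999}
    return classify_hidden(readdir, probe, ps, tgid)


def _tgid(pid):
    """Tgid from /proc/<pid>/status; falls back to pid itself if unreadable."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return pid


def _readdir_pids():
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def scan_proc():
    """Linux only: collect the four inputs live, then re-check the
    suspicious set after a pause so that processes which merely started
    or exited during the walk (the race described in the thread) drop out."""
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    readdir = _readdir_pids()
    probe = {p for p in range(1, pid_max + 1) if os.path.exists(f"/proc/{p}")}
    ps_out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                            text=True, check=True).stdout
    ps_pids = {int(t) for t in ps_out.split()}
    result = classify_hidden(readdir, probe, ps_pids, {p: _tgid(p) for p in probe})
    time.sleep(0.5)
    readdir_again = _readdir_pids()
    result["suspicious"] = {p for p in result["suspicious"]
                            if os.path.exists(f"/proc/{p}") and p not in readdir_again}
    return result


if __name__ == "__main__":
    res = scan_proc() if os.path.isdir("/proc") else sample_classification()
    print(f"{len(res['hidden_readdir'])} hidden for readdir, "
          f"{len(res['hidden_ps'])} hidden for ps, "
          f"{len(res['threads'])} of them threads; "
          f"suspicious: {sorted(res['suspicious'])}")
```

Run as root so every /proc/<pid>/status is readable. With a threaded player running, the readdir and ps counts match what chkrootkit printed and the threads set explains them; a pid that survives the second check and has a Tgid equal to itself is the case worth investigating further.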