LinuxQuestions.org
Old 07-25-2006, 02:41 AM   #1
The MCP
Member
 
Registered: Nov 2003
Distribution: SUSE
Posts: 31

Rep: Reputation: 15
Two hidden files in /etc that reappear


Hi, worrying about a hidden file and directory that appear in my server's /etc directory. I noticed them after running rkhunter and it wrote a warning about a pair of hidden files in /etc. If the file system and ls are to be trusted, one hasn't been touched in almost 2 years; however, I deleted .java and it reappeared (and the names... well... they make me feel uneasy!). Neither rkhunter nor chkrootkit find any rootkits or other malware.

The server runs Mandrake 10.1 (long story), but I've done my best to secure it. Only two services are outward-facing (ssh & httpd) with a few more ports forwarded. It does have Java 1.5.0-04 installed, but none of the automated systems use it and I almost never browse the Web with this box. Anybody know what's up with this?

[root@server etc]# ls -las | grep java
4 drwxr-xr-x 3 root root 4096 2006-06-11 03:38 .java/
[root@server etc]# ls -las | grep pwd
4 -rw-r--r-- 1 root root 134 2003-07-30 04:13 pwdb.conf
0 -rw------- 1 root root 0 2004-08-23 17:15 .pwd.lock
[root@server etc]# ls -lasR .java
.java:
total 16
4 drwxr-xr-x 3 root root 4096 2006-06-11 03:38 ./
8 drwx--x--x 71 root adm 8192 2006-06-29 00:28 ../
4 drwxr-xr-x 2 root root 4096 2006-06-11 03:38 .systemPrefs/

.java/.systemPrefs:
total 8
4 drwxr-xr-x 2 root root 4096 2006-06-11 03:38 ./
4 drwxr-xr-x 3 root root 4096 2006-06-11 03:38 ../
0 -rw-r--r-- 1 root root 0 2006-06-11 03:38 .system.lock
0 -rw-r--r-- 1 root root 0 2006-06-11 03:38 .systemRootModFile
[root@server etc]# uname -a
Linux [Hostname] 2.6.3-7mdksecure #1 SMP Wed Mar 17 14:42:34 CET 2004 i686 GNU/Linux
 
Old 07-25-2006, 06:37 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
yeah they will reappear and are fine. rkhunter always hits them, just ignore them. some distributions of rkhunter have been patched to ignore them, but not many.
 
Old 07-25-2006, 07:27 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3607
There actually is a config setting in rkhunter.conf for it.
It already has the /etc/.java part covered, just need to uncomment it...


Quote:
some distributions of rkhunter have been patched to ignore them
Interesting. Name me one please? TIA
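A way to check the rkhunter.conf point from post #3 before relying on it, as an added example that is not part of the thread or of rkhunter itself: it reports whether each hidden entry is covered by an active or a still-commented ALLOWHIDDENDIR / ALLOWHIDDENFILE line, and lists anything under the .java directory beyond what the listing in post #1 shows. The function names, the one-path-per-line conf layout and the use of that listing as a baseline are assumptions.

```shell
#!/bin/sh
# Added example. ALLOWHIDDENDIR / ALLOWHIDDENFILE are rkhunter.conf options;
# function names and the one-path-per-line layout are assumptions.

# hidden_status CONF PATH -> prints: allowed | commented | unlisted
hidden_status() {
    if [ -d "$2" ]; then key=ALLOWHIDDENDIR; else key=ALLOWHIDDENFILE; fi
    awk -v want="$key=$2" '
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line == want { active = 1 }
        line ~ /^#/ { sub(/^#[ \t]*/, "", line); if (line == want) commented = 1 }
        END { print active ? "allowed" : (commented ? "commented" : "unlisted") }
    ' "$1"
}

# extra_entries DIR -> prints anything under DIR that is not in the listing
# from post #1 (.systemPrefs with .system.lock and .systemRootModFile).
extra_entries() {
    find "$1" -mindepth 1 | while IFS= read -r p; do
        case "${p#"$1"/}" in
            .systemPrefs|.systemPrefs/.system.lock|.systemPrefs/.systemRootModFile) ;;
            *) echo "$p" ;;
        esac
    done
}

# audit_hidden CONF DIR -> one "status path" line per hidden entry in DIR
audit_hidden() {
    for p in "$2"/.[!.]*; do
        [ -e "$p" ] || continue
        echo "$(hidden_status "$1" "$p") $p"
    done
}
```

Typical use is `audit_hidden /etc/rkhunter.conf /etc` followed by `extra_entries /etc/.java`; the conf path varies by distribution.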
 
Old 07-25-2006, 07:57 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
google showed a changelog for a number of suse rpms that had addressed this as a bug.
 
Old 07-25-2006, 08:11 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3607
Ah. I see. Thanks for the info*.
You'll find out why RSN ;-p
 
Old 07-25-2006, 04:51 PM   #6
The MCP
Member
 
Registered: Nov 2003
Distribution: SUSE
Posts: 31

Original Poster
Rep: Reputation: 15
Thanks all

Glad to know that my server hasn't been compromised or something.
 
  


All times are GMT -5. The time now is 03:32 AM.
