Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
07-25-2006, 02:41 AM
#1
Member
Registered: Nov 2003
Distribution: SUSE
Posts: 31
Two hidden files in /etc that reappear
Hi, worrying about a hidden file and directory that appear in my server's /etc directory. I noticed them after running rkhunter and it wrote a warning about a pair of hidden files in /etc. If the file system and ls are to be trusted, one hasn't been touched in almost 2 years; however, I deleted .java and it reappeared (and the names... well... they make me feel uneasy!). Neither rkhunter nor chkrootkit find any rootkits or other malware.
The server runs Mandrake 10.1 (long story), but I've done my best to secure it. Only two services are outward-facing (ssh & httpd) with a few more ports forwarded. It does have Java 1.5.0-04 installed, but none of the automated systems use it and I almost never browse the Web with this box. Anybody know what's up with this?
[root@server etc]# ls -las | grep java
4 drwxr-xr-x 3 root root 4096 2006-06-11 03:38 .java/
[root@server etc]# ls -las | grep pwd
4 -rw-r--r-- 1 root root 134 2003-07-30 04:13 pwdb.conf
0 -rw------- 1 root root 0 2004-08-23 17:15 .pwd.lock
[root@server etc]# ls -lasR .java
.java:
total 16
4 drwxr-xr-x 3 root root 4096 2006-06-11 03:38 ./
8 drwx--x--x 71 root adm 8192 2006-06-29 00:28 ../
4 drwxr-xr-x 2 root root 4096 2006-06-11 03:38 .systemPrefs/
.java/.systemPrefs:
total 8
4 drwxr-xr-x 2 root root 4096 2006-06-11 03:38 ./
4 drwxr-xr-x 3 root root 4096 2006-06-11 03:38 ../
0 -rw-r--r-- 1 root root 0 2006-06-11 03:38 .system.lock
0 -rw-r--r-- 1 root root 0 2006-06-11 03:38 .systemRootModFile
[root@server etc]# uname -a
Linux [Hostname] 2.6.3-7mdksecure #1 SMP Wed Mar 17 14:42:34 CET 2004 i686 GNU/Linux

07-25-2006, 06:37 AM
#2
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
Yeah, they will reappear and are fine. rkhunter always hits them, just ignore them. Some distributions of rkhunter have been patched to ignore them, but not many.

07-25-2006, 07:27 AM
#3
Moderator
Registered: May 2001
Posts: 29,415
There actually is a config setting in rkhunter.conf for it.
It already has the /etc/.java part covered, just need to uncomment it...
Quote: "some distributions of rkhunter have been patched to ignore them"
Interesting. Name me one please? TIA
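
One way to vet /etc/.java against the listing in post #1 before uncommenting the whitelist entry mentioned in post #3. This is an added example, not part of the thread: the function name check_java_prefs_dir is hypothetical, and ALLOWHIDDENDIR is rkhunter's option name, which the posts do not spell out.

```shell
#!/bin/sh
# Added example: compare a hidden directory with the layout shown by
# `ls -lasR .java` in post #1 before telling rkhunter to ignore it.

# check_java_prefs_dir DIR  (hypothetical helper name)
# Returns 0 if DIR holds exactly the entries from that listing, 1 otherwise.
check_java_prefs_dir() {
    dir=$1
    status=0
    [ -d "$dir/.systemPrefs" ] || { echo "missing $dir/.systemPrefs" >&2; return 1; }

    # Report anything besides the three entries in the listing for manual review.
    unexpected=$(cd "$dir" && find . ! -path . \
        ! -path ./.systemPrefs \
        ! -path ./.systemPrefs/.system.lock \
        ! -path ./.systemPrefs/.systemRootModFile)
    if [ -n "$unexpected" ]; then
        echo "unexpected entries in $dir:" >&2
        echo "$unexpected" >&2
        status=1
    fi

    # Both marker files were zero-length, non-executable regular files.
    for f in .system.lock .systemRootModFile; do
        p="$dir/.systemPrefs/$f"
        if [ -L "$p" ] || [ ! -f "$p" ] || [ -s "$p" ] || [ -x "$p" ]; then
            echo "suspicious: $p" >&2
            status=1
        fi
    done
    return $status
}

# Usage: sh check_java_dir.sh /etc/.java
if [ -n "${1:-}" ]; then
    if check_java_prefs_dir "$1"; then
        # ALLOWHIDDENDIR is the rkhunter.conf option for whitelisting a hidden directory.
        echo "$1 matches the listing; rkhunter.conf entry: ALLOWHIDDENDIR=$1"
    else
        echo "$1 differs from the listing; do not whitelist it yet" >&2
        exit 1
    fi
fi
```

A directory that fails the check is not necessarily malicious, but it no longer matches what the thread describes as harmless and should be inspected before it is whitelisted.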

07-25-2006, 07:57 AM
#4
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
Google showed a changelog for a number of SUSE RPMs that had addressed this as a bug.

07-25-2006, 08:11 AM
#5
Moderator
Registered: May 2001
Posts: 29,415
Ah. I see. Thanks for the info*.
You'll find out why RSN ;-p

07-25-2006, 04:51 PM
#6
Member
Registered: Nov 2003
Distribution: SUSE
Posts: 31
Original Poster
Thanks all
Glad to know that my server hasn't been compromised or something.

All times are GMT -5.