LinuxQuestions.org > Forums > Linux Forums > Linux - Software
Old 10-21-2010, 07:19 PM   #1
mrmnemo
Member
 
Registered: Aug 2009
Distribution: linux
Posts: 527

Rep: Reputation: 51
rkhunter results


Hi,

I have been noticing some odd system behavior. I thought about running rkhunter. I ended up running all tests. I have noticed some mention regarding "whitelisted" bin files. If that is the case I would have thought that going to the location of the file would show me a script; instead, I see garbled code. One of the alerts is:
Code:
[19:03:29] /usr/bin/ldd                                      [ Warning ]
[19:03:29] Warning: The file properties have changed:
[19:03:29]          File: /usr/bin/ldd
[19:03:29]          Current hash: a4338e71aa17969f475d39cee7201fc7e5a8eea6
[19:03:29]          Stored hash : 32b0f6e26bc337becb5e4539c8890180607361c4
[19:03:29]          Current inode: 1325260    Stored inode: 1305802
[19:03:29]          Current file modification time: 1286877310 (12-Oct-2010 04:55:10)
[19:03:29]          Stored file modification time : 1276523570 (14-Jun-2010 08:52:50)
[19:03:29] Info: Found file '/usr/bin/ldd': it is whitelisted for the 'script replacement' check.
I actually have warnings in a few of the test sections. Could anyone go through these results with me?
 
Old 10-22-2010, 12:45 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by mrmnemo
I see garbled code.
What exactly looks garbled to you?
 
Old 10-22-2010, 01:15 PM   #3
mrmnemo
Member
 
Registered: Aug 2009
Distribution: linux
Posts: 527

Original Poster
Rep: Reputation: 51
Well, it would appear I was incorrect. I did not know that "cat" would return garbled code. Once I opened ldd in nano I could read it.

However, the whatis command still shows:

example of "garbled" text
Code:
EI��[��d��PAC�AD I�48d���BBCB B(A0A8D�D����4L�j��WBBB B(A0C���A8C�DP��m��NAB�AD D��n���AC�D ��n���H�S0J����ho���AB�AC�D �o��fM��I J�4$(p��BCBCB C�B(C�A0B�A8DpK�$\r��Z����NPO�ht���M��U0M��4�v��BCBCB C�B(C�A0A8D�H��,�{��~BBB C��A(A0L��$
J���4��N F��$T���BF�AA C��G�| ���3Dp����NAH�AC�F �x����AAC��D ����< ����DH�����AC�AC�D 4$�����BBCB B(A0C���A8DpG�$\0����
I�F���آ��4D����D�����G������qN C�������\8���<AC�`���UL��Ipf�<���� D T����D l����                                                      AC�
opened via nano
Also, I get the following warning:
Code:
[19:03:37] /usr/bin/whatis                                   [ Warning ]
[19:03:37] Warning: The file properties have changed:
[19:03:37]          File: /usr/bin/whatis
[19:03:37]          Current hash: f960f4d7258e133459ee6847b18a4a02ec4ba0e9
[19:03:37]          Stored hash : fc36c4e98ee1bb3ffd86a4069482bbcefd33f99d
[19:03:37]          Current inode: 1305845    Stored inode: 1306884
[19:03:37]          Current file modification time: 1286285108 (05-Oct-2010 08:25:08)
[19:03:37]          Stored file modification time : 1267525913 (02-Mar-2010 04:31:53)
Is this related to a recent system update?

Other odd behavior is with iftop. I used to be able to see a clean "bandwidth usage" gauge. However, now all I see is a bunch of "q"'s. Also, I am unable to use the history command via sudo (I was able to do this just 3 days ago); I can use history, but to see root actions / sudo stuff I have to run sudo -s.
 
Old 10-22-2010, 02:02 PM   #4
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1301
If you upgrade the system, yes, rkhunter will warn you about binaries and scripts that have changed. I suspect this is what it is doing here. Do you know what you upgraded?
 
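An added example (mine, not from any poster) that turns the rkhunter warning format quoted above into something checkable against package history: it parses the "file properties have changed" blocks and asks whether the owning package has an install/upgrade event in /var/log/dpkg.log. The `dpkg -S` owner map, the dpkg.log line and the package names are constructed assumptions, not values from the thread.

```python
import re
# Constructed input: the two warning blocks quoted in this thread, in rkhunter's own format.
RKHUNTER_LOG = """\
[19:03:29] /usr/bin/ldd                                      [ Warning ]
[19:03:29] Warning: The file properties have changed:
[19:03:29]          File: /usr/bin/ldd
[19:03:29]          Current hash: a4338e71aa17969f475d39cee7201fc7e5a8eea6
[19:03:29]          Stored hash : 32b0f6e26bc337becb5e4539c8890180607361c4
[19:03:29]          Current file modification time: 1286877310 (12-Oct-2010 04:55:10)
[19:03:37] /usr/bin/whatis                                   [ Warning ]
[19:03:37]          File: /usr/bin/whatis
[19:03:37]          Current hash: f960f4d7258e133459ee6847b18a4a02ec4ba0e9
[19:03:37]          Stored hash : fc36c4e98ee1bb3ffd86a4069482bbcefd33f99d
"""
# Constructed stand-ins for `dpkg -S <file>` output and /var/log/dpkg.log; the package
# names and versions are illustrative assumptions, not values from the thread.
OWNERS = {"/usr/bin/ldd": "libc-bin", "/usr/bin/whatis": "man-db"}
DPKG_LOG = "2010-10-20 09:12:44 upgrade libc-bin 2.11.1-0ubuntu7.4 2.11.1-0ubuntu7.5\n"
# Property lines look like '[HH:MM:SS]   Name: value' or '[HH:MM:SS]   Name : value'.
FIELD = re.compile(r"^\[\d\d:\d\d:\d\d\]\s+(File|Current hash|Stored hash)\s*:\s*(\S+)")

def parse_rkhunter(text):
    """Group the indented property lines into one dict per 'File:' entry."""
    records, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, val = m.group(1).lower().replace(" ", "_"), m.group(2)
        if key == "file":
            cur = {}
            records.append(cur)
        cur[key] = val
    return records

def upgraded_packages(dpkg_log):
    """Packages with an install/upgrade event in dpkg.log ('date time action pkg ...')."""
    pkgs = set()
    for line in dpkg_log.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[2] in ("install", "upgrade"):
            pkgs.add(parts[3].split(":")[0])  # newer dpkg logs 'pkg:arch'
    return pkgs

def triage(rk_log, owners, dpkg_log):
    """Label a changed file 'upgraded' when its owning package has a dpkg event, else 'verify'.
    Caveat: dpkg keeps the mtime recorded inside the .deb, so a file's new mtime is the
    package build time, not the install time; match on the dpkg.log event, not the mtime."""
    upgraded = upgraded_packages(dpkg_log)
    verdicts = {}
    for rec in parse_rkhunter(rk_log):
        pkg = owners.get(rec["file"])
        # 'verify': run `debsums <pkg>` first; only then accept the change with `rkhunter --propupd`
        verdicts[rec["file"]] = ("upgraded", pkg) if pkg in upgraded else ("verify", pkg)
    return verdicts
```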
Old 10-23-2010, 01:27 AM   #5
mrmnemo
Member
 
Registered: Aug 2009
Distribution: linux
Posts: 527

Original Poster
Rep: Reputation: 51
@TeXMeX: honestly, I just ran apt-get upgrade. I have not paid "much" attention to what is being updated. I mostly watch for packages that get placed on hold.

I seem to remember mount returning a much simpler list to me; see below. I have noticed that my /tmp is no longer mounted in the correct location. /tmp seems to be mounted on loop0, but I might be wrong.

mount result
Code:
$ mount
/dev/sdc6 on / type ext4 (rw,errors=remount-ro)
proc on /proc type proc (rw,noexec,nosuid,nodev)
none on /sys type sysfs (rw,noexec,nosuid,nodev)
none on /sys/fs/fuse/connections type fusectl (rw)
none on /sys/kernel/debug type debugfs (rw)
none on /sys/kernel/security type securityfs (rw)
none on /dev type devtmpfs (rw,mode=0755)
none on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
none on /dev/shm type tmpfs (rw,nosuid,nodev)
none on /var/run type tmpfs (rw,nosuid,mode=0755)
none on /var/lock type tmpfs (rw,noexec,nosuid,nodev)
none on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
/dev/sda1 on /storage0 type ext4 (rw,noexec,nosuid,nodev,noatime,data=writeback,barrier=0,nobh,errors=remount-ro)
/dev/sdb1 on /storage1 type ext4 (rw,noexec,nosuid,nodev,noatime,data=writeback,barrier=0,nobh,errors=remount-ro)
/dev/loop0 on /tmp type ext4 (rw,noexec,nosuid)
/dev/sdc1 on /boot type ext4 (rw)
/dev/sdc7 on /home type ext4 (rw)
/dev/sdc13 on /opt type ext4 (rw)
/dev/sdc10 on /srv type ext4 (rw)
/dev/sdc8 on /usr type ext4 (rw)
/dev/sdc11 on /var type ext4 (rw)
/dev/sdc12 on /var/log type ext4 (rw)
/dev/sdc9 on /usr/local type ext4 (rw)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,noexec,nosuid,nodev)
/home/mrmunkey/.Private on /home/mrmunkey type ecryptfs (ecryptfs_sig=0a5567186eb74ec8,ecryptfs_fnek_sig=70dedbe9adce8f7e,ecryptfs_cipher=aes,ecryptfs_key_bytes=16)
gvfs-fuse-daemon on /home/mrmunkey/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=mrmunkey)
I am looking into a few things regarding chroot to see if I am in a chrooted environment. Anyway, I appreciate you guys helping out.
 
Old 10-25-2010, 04:49 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by mrmnemo
Well, it would appear I was incorrect. I did not know that "cat" would return garbled code. Once I opened ldd in nano I could read it.
If, on x86, running 'file' on an object does not return "text" or "script" but returns "ELF", then you're not supposed to read the file this way, nor use that as a means to verify its integrity. Best use the tools your distribution comes with. See http://www.linuxquestions.org/questi...4/#post4098450 for comments on 'debsigs', 'debsig-verify' and 'debsums', but more importantly http://manpages.ubuntu.com/manpages/...debsums.1.html, especially the DPkg::Post-Invoke:: part.


Quote:
Originally Posted by mrmnemo
now all I see is a bunch of "q"'s.
I'm sure there's a logical explanation for display problems like that.


Quote:
Originally Posted by mrmnemo
( i was able to do this just 3 days ago)
Find out what changed back then?
 
Old 10-25-2010, 05:00 PM   #7
mrmnemo
Member
 
Registered: Aug 2009
Distribution: linux
Posts: 527

Original Poster
Rep: Reputation: 51
Wow, very useful tool! Thanks again! I will post what I find and what I learn. Maybe this evening.
 
Old 10-25-2010, 05:15 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by mrmnemo
Maybe this evening.
Awww, relax. We're in town for the rest of the year...
 
Old 10-25-2010, 06:56 PM   #9
mrmnemo
Member
 
Registered: Aug 2009
Distribution: linux
Posts: 527

Original Poster
Rep: Reputation: 51
OK,

I took a look at the post you had pointed out. Afterwards, I checked out the SecureApt wiki here. While I only breezed over it, I did notice that some files will NOT have a hash to check. I find that odd.
Anyway, I would have thought that packages such as binutils and X server stuff would have them.
After installing debsums (it wasn't installed by default), I ran the following:
Code:
sudo debsums -a -s
debsums: no md5sums for binutils
debsums: changed file /etc/bluetooth/rfcomm.conf (from bluez package)
debsums: no md5sums for coverchooser
debsums: changed file /etc/apt/apt.conf.d/70debconf (from debconf package)
debsums: no md5sums for gawk
debsums: changed file /etc/kismet/kismet.conf (from kismet package)
debsums: no md5sums for libaudio2
debsums: no md5sums for medibuntu-keyring
debsums: no md5sums for netbase
debsums: changed file /etc/privoxy/config (from privoxy package)
debsums: changed file /etc/sysctl.conf (from procps package)
debsums: changed file /etc/psad/psad.conf (from psad package)
debsums: no md5sums for xserver-xorg-input-all
debsums: no md5sums for xserver-xorg-video-all
The things that caught my attention: gawk, netbase, medibuntu-keyring (I thought that was set up when I exported the medibuntu key), xserver, and binutils. I would have thought those would all have had checksums in the Release and Packages files. Or am I wrong in assuming that debsums would check these files (Release/Packages) for the hash?

I kind of understand that apt will check the signature of packages. However, that's really not going to help to verify a package that's already been installed, is it? Correct me if I am wrong, but it seems that apt will only verify the package while it's pulling it down from the repo; once pulled, it just forgets about it in a secure sense?
Just trying to make sense of all this.

unSpawn:
Quote:
Awww, relax. We're in town for the rest of the year...
Promise!!!!!???
kidding

Last edited by mrmnemo; 10-25-2010 at 06:57 PM.
 
Old 10-26-2010, 11:27 AM   #10
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
Originally Posted by mrmnemo
I have been noticing some odd system behavior.
I am not sure what you are claiming is the odd system behaviour; did you mean the files that you couldn't read, the situation with mount, the white listed files, or was there something like the system running slow, or other behaviour, that I am missing?

Quote:
example of "garbled" text...
What you are doing there is reading a binary file with a utility that doesn't really work for reading binary files. If you want to use, e.g., ghex you'll get something that hasn't been 'garbled' by the reader, but there is still no guarantee that means you will be able to understand anything worthwhile out of it.

Quote:
...mount result...
That configuration is over-involved for my taste, but that's not the same as saying that there is anything wrong with it. I'm not quite sure how we got to an over-involved mount configuration from where we were in the first post, which didn't mention mount at all.

Quote:
Other odd behavior is with iftop. I used to be able to see a clean 'bandwidth usage" gauge. However, now all I see is a bunch of "q"'s.
Is there any possibility that, either because of a problem with the upgrade or something else that you may have done deliberately, language/locale settings may have changed, so that you now have a problem with displaying, eg, accented characters?
 
Old 10-26-2010, 11:52 AM   #11
mrmnemo
Member
 
Registered: Aug 2009
Distribution: linux
Posts: 527

Original Poster
Rep: Reputation: 51
@salasi:
Actually it's dropped now. But the thing I noticed the most was an increased CPU usage even when idle. However, upon checking with top, I couldn't see where all the usage was coming from.

Regarding the mount stuff: I posted that because a few things had changed there which I was not responsible for. Most notably, the way that /tmp was mounted. Oddly, a few days prior I HAD done some mount changes (with unSpawn's help). What you see in the post was not what I did; however, you're right, it's not directly related. I just thought it "odd" behavior. I actually have an unmounted partition now that used to be my /tmp dir. Moreover, the unmounted partition was mounted after reboots and remounts to check that the things I did would stick.

While I may not be an expert, I like to think I can remember some of the commands I have run on my box. That said, I made no changes to my local settings (languages, etc.). So, I can't figure out what would have changed the behavior and look of iftop.

You brought up something else about the fstab file. It wasn't so complicated before. I mean, I don't remember there being all of those virtual mounts (I think that's what they are). Actually, since I have been trying to learn about how partitions are mounted, just ignore my comments on that stuff.

In short, I find the above to be odd. Also, I find it odd / improbable that I have a rootkit running (not that I know enough to id it). I have very likely changed something; although, I honestly have no idea what it could have been. My leaning towards the whole "Egad!! I been hacked!!" thing is due to traffic shown in the logs of my router upstairs, network connection behavior, and some odd hits while running backtrack on my laptop. I have not re-imaged my machine because I thought it would be a good lesson in forensics; or at least, I would be able to learn how to track system changes.
 
Old 10-26-2010, 12:00 PM   #12
mrmnemo
Member
 
Registered: Aug 2009
Distribution: linux
Posts: 527

Original Poster
Rep: Reputation: 51
Another example:

Code:
Oct 26 07:46:13 mrmunkey-desktop su[24102]: Successful su for proxy by root
Oct 26 07:46:13 mrmunkey-desktop su[24102]: + ??? root:proxy
I wasn't even awake when that command was run. Moreover, I am not running a proxy (not knowingly). I also do not seem to know what command exactly was run. Checking services shows no proxy running (I thought it might have been privoxy, tor, etc... but they are not running).
 
Old 10-27-2010, 11:24 AM   #13
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by mrmnemo
After installing debsums (it wasn't installed by default),
I thought the manual said to run 'debsums_init' after installing?


Quote:
Originally Posted by mrmnemo
The things that caught my attention: gawk, netbase, medibuntu-keyring (I thought that was set up when I exported the medibuntu key), xserver, and binutils. I would have thought those would all have had checksums in the Release and Packages files. Or am I wrong in assuming that debsums would check these files (Release/Packages) for the hash?
Not all packages seem to come with sums (mentioned on Debian mailing lists and elsewhere) but they can be generated locally after (re-)installation ('man debsums') and on installation using a post-install invoke mantra in /etc/apt/apt.conf.d/ which will be dropped there once debsums is installed.


Quote:
Originally Posted by mrmnemo
I kind of understand that apt will check the signature of packages. However, that's really not going to help to verify a package that's already been installed, is it? Correct me if I am wrong, but it seems that apt will only verify the package while it's pulling it down from the repo; once pulled, it just forgets about it in a secure sense?
No it doesn't "forget" about it. It just needs some help.
 
Old 10-27-2010, 11:40 AM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by mrmnemo
I am not running a proxy (not knowingly). I also do not seem to know what command exactly was run. Checking services shows no proxy running (I thought it might have been privoxy, tor, etc... but they are not running).
The message (of the informational level) is AFAIK best read as "$DATE $HOSTNAME $PROCESS[$PID]: Successful su TO $USERNAME FROM $ORIGIN", meaning a process that ran with root privileges used 'su' to use an account with (generally speaking) less privileges. And while an account name may give you clues wrt its purpose that does not always need to be the case. Running 'getent group proxy' and 'getent passwd proxy' should show account details.
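An added example (mine, not a poster's) that applies unSpawn's TO/FROM reading to the su messages quoted earlier in the thread, pairs each message with su's "+ tty from:to" companion line, and checks the entered account against passwd data so that an unattended root-to-service-account su can be told apart from an interactive escalation to root. The passwd lines and the second su pair are constructed; the UIDs and shells are assumptions.

```python
import re
# Constructed input: the two su lines quoted in this thread, plus a constructed pair for an
# ordinary interactive su to root, so that both directions of the message appear.
AUTH_LOG = """\
Oct 26 07:46:13 mrmunkey-desktop su[24102]: Successful su for proxy by root
Oct 26 07:46:13 mrmunkey-desktop su[24102]: + ??? root:proxy
Oct 26 08:02:51 mrmunkey-desktop su[24311]: Successful su for root by mrmunkey
Oct 26 08:02:51 mrmunkey-desktop su[24311]: + /dev/pts/2 mrmunkey:root
"""
# Constructed stand-in for `getent passwd <name>` output; the UIDs and shells are assumptions.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
proxy:x:13:13:proxy:/bin:/bin/sh
mrmunkey:x:1000:1000:mrmunkey,,,:/home/mrmunkey:/bin/bash
"""
# unSpawn's reading: "$DATE $HOSTNAME $PROCESS[$PID]: Successful su TO $USERNAME FROM $ORIGIN".
# su's companion line "+ $TTY $FROM:$TO" names the terminal, or "???" when there was none.
SU_OK = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) su\[(\d+)\]: Successful su for (\S+) by (\S+)$")
SU_TTY = re.compile(r"^.* su\[(\d+)\]: \+ (\S+) \S+:\S+$")

def parse_passwd(text):
    """{name: (uid, shell)} from passwd-format lines."""
    accounts = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 7:
            accounts[f[0]] = (int(f[2]), f[6])
    return accounts

def parse_su_events(log):
    """Pair each 'Successful su' line with its '+ tty from:to' line by PID."""
    events = {}
    for line in log.splitlines():
        m = SU_OK.match(line)
        if m:
            when, host, pid, to, frm = m.groups()
            events[pid] = {"time": when, "host": host, "from": frm, "to": to, "tty": None}
            continue
        t = SU_TTY.match(line)
        if t and t.group(1) in events:
            events[t.group(1)]["tty"] = t.group(2)
    return list(events.values())

def classify(event, accounts):
    """Privilege direction of the su, whether a terminal was attached, and what kind of
    account was entered. A root->service-account su with tty '???' is the shape of an
    unattended script (init, cron); a user->root su on a pts is an interactive escalation."""
    from_uid = accounts.get(event["from"], (None, None))[0]
    to_uid, to_shell = accounts.get(event["to"], (None, None))
    direction = "gain" if to_uid == 0 else "drop" if from_uid == 0 else "lateral"
    return {"direction": direction, "interactive": event["tty"] not in (None, "???"),
            "system_account": to_uid is not None and to_uid < 1000, "shell": to_shell}
```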
 
  

