On 2007-07-29, Jeff D <fixedored@gmail.com> wrote:
>
> From the looks of it, it could have just been a false positive. I've seen
> rkhunter report a few, not very often though. I'd run rkhunter again,
> install chkrootkit, run that, see if the two match up.
>
> As far as debsums reporting back on the rkhunter files, those will
> probably not match, as they can get updated.
>
I ran rkhunter again, and then for good measure I aptitude --purged
it, reinstalled, and ran again. And then I thought maybe the whole
thing was compromised, so I purged it again, installed rkhunter 1.30
from sourceforge, and ran again. And I also ran chkrootkit. In all
cases they showed nothing happening, except for warning me that some
of my /bin executables had been replaced by scripts -- stuff like
egrep, fgrep etc.
So perhaps it was just a false positive. I'm going to read up on
security stuff now, so maybe I'll have some idea how to proceed the
next time.
Thanks for your help,
Tyler
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
07-29-2007, 01:21 PM
Douglas Allan Tutty
/bin/login listening?
On Sun, Jul 29, 2007 at 12:48:16PM +0000, Tyler Smith wrote:
> On 2007-07-29, Jeff D <fixedored@gmail.com> wrote:
> I ran rkhunter again, and then for good measure I aptitude --purged
> it, reinstalled, and ran again. And then I thought maybe the whole
> thing was compromised, so I purged it again, installed rkhunter 1.30
> from sourceforge, and ran again. And I also ran chkrootkit. In all
> cases they showed nothing happening, except for warning me that some
> of my /bin executables had been replaced by scripts -- stuff like
> egrep, fgrep etc.
>
> So perhaps it was just a false positive. I'm going to read up on
> security stuff now, so maybe I'll have some idea how to proceed the
> next time.
>
It's tricky. If you have been rooted, you can't trust anything on the
system, including aptitude. As for reading, try the package harden-doc.
Good luck.
Doug.
07-29-2007, 01:47 PM
Tyler Smith
/bin/login listening?
On 2007-07-29, Douglas Allan Tutty <dtutty@porchlight.ca> wrote:
> On Sun, Jul 29, 2007 at 12:48:16PM +0000, Tyler Smith wrote:
>> On 2007-07-29, Jeff D <fixedored@gmail.com> wrote:
>
>> I ran rkhunter again, and then for good measure I aptitude --purged
>> it, reinstalled, and ran again. And then I thought maybe the whole
>> thing was compromised, so I purged it again, installed rkhunter 1.30
>> from sourceforge, and ran again. And I also ran chkrootkit. In all
>> cases they showed nothing happening, except for warning me that some
>> of my /bin executables had been replaced by scripts -- stuff like
>> egrep, fgrep etc.
>>
>> So perhaps it was just a false positive. I'm going to read up on
>> security stuff now, so maybe I'll have some idea how to proceed the
>> next time.
>>
>
> It's tricky. If you have been rooted, you can't trust anything on the
> system, including aptitude. As for reading, try the package harden-doc.
>
That's what I was thinking. But is there any way a rootkit could
interfere with my downloading and compiling from source? I was hoping
that doing things 'by hand' would limit the possibilities for
compromising the result.
I will look at harden-doc. I'm working through the Linux how-to
security quick start at the moment.
Thanks,
Tyler
07-29-2007, 02:23 PM
Celejar
/bin/login listening?
On 29 Jul 2007 13:47:30 GMT
Tyler Smith <tyler.smith@mail.mcgill.ca> wrote:
> On 2007-07-29, Douglas Allan Tutty <dtutty@porchlight.ca> wrote:
> > On Sun, Jul 29, 2007 at 12:48:16PM +0000, Tyler Smith wrote:
> >> On 2007-07-29, Jeff D <fixedored@gmail.com> wrote:
> >
> >> I ran rkhunter again, and then for good measure I aptitude --purged
> >> it, reinstalled, and ran again. And then I thought maybe the whole
> >> thing was compromised, so I purged it again, installed rkhunter 1.30
> >> from sourceforge, and ran again. And I also ran chkrootkit. In all
> >> cases they showed nothing happening, except for warning me that some
> >> of my /bin executables had been replaced by scripts -- stuff like
> >> egrep, fgrep etc.
> >>
> >> So perhaps it was just a false positive. I'm going to read up on
> >> security stuff now, so maybe I'll have some idea how to proceed the
> >> next time.
> >>
> >
> > It's tricky. If you have been rooted, you can't trust anything on the
> > system, including aptitude. As for reading, try the package harden-doc.
> >
>
> That's what I was thinking. But is there any way a rootkit could
> interfere with my downloading and compiling from source? I was hoping
> that doing things 'by hand' would limit the possibilities for
> compromising the result.
In theory, certainly. Your downloading agent is probably invoking
system libraries, which may be compromised and substituting bad
source. The system may not even be running your download agent at
all! Or it may subsequently lie to you and assure you that it's
running the downloaded app when it really isn't. Whether all this is
at all plausible is a different question.
> I will look at harden-doc. I'm working through the Linux how-to
> security quick start at the moment.
>
> Thanks,
>
> Tyler
Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
07-29-2007, 02:30 PM
John Hasler
/bin/login listening?
> That's what I was thinking. But is there any way a rootkit could
> interfere with my downloading and compiling from source?
Of course. They could have trojaned any of the tools you would use. _No_
software on a rooted box can be trusted. Including the shell.
--
John Hasler
07-29-2007, 03:56 PM
Tyler Smith
/bin/login listening?
On 2007-07-29, Celejar <celejar@gmail.com> wrote:
>>
>> That's what I was thinking. But is there any way a rootkit could
>> interfere with my downloading and compiling from source? I was hoping
>> that doing things 'by hand' would limit the possibilities for
>> compromising the result.
>
> In theory, certainly. Your downloading agent is probably invoking
> system libraries, which may be compromised and substituting bad
> source. The system may not even be running your download agent at
> all! Or it may subsequently lie to you and assure you that it's
> running the downloaded app when it really isn't. Whether all this is
> at all plausible is a different question.
>
So if I'm compromised nothing is safe, and the only guaranteed way to
clear this up is to format my harddrive and reinstall. Given that the
only evidence of a problem is a warning about /bin/login listening
from rkhunter, which happened only once, and I have had no other
problems with my net connection or general performance of my laptop,
let alone mysterious withdrawals from my bank account or other signs
of stolen passwords, what should I be doing?
From the advice received and what I'm reading, I'm getting two very
different messages - I must reinstall to be 100% certain that I'm
safe, and while I can't be 100% certain I'm safe it's pretty unlikely
that I have a real problem.
What would you do in my situation?
Thanks,
Tyler
07-29-2007, 04:35 PM
Douglas Allan Tutty
/bin/login listening?
On Sun, Jul 29, 2007 at 03:56:08PM +0000, Tyler Smith wrote:
> So if I'm compromised nothing is safe, and the only guaranteed way to
> clear this up is to format my harddrive and reinstall. Given that the
> only evidence of a problem is a warning about /bin/login listening
> from rkhunter, which happened only once, and I have had no other
> problems with my net connection or general performance of my laptop,
> let alone mysterious withdrawals from my bank account or other signs
> of stolen passwords, what should I be doing?
>
> From the advice received and what I'm reading, I'm getting two very
> different messages - I must reinstall to be 100% certain that I'm
> safe, and while I can't be 100% certain I'm safe it's pretty unlikely
> that I have a real problem.
>
> What would you do in my situation?
>
Try this:
Boot the box from something like the install CD, go to a shell, mount
your / partition ro, noexec.
I think the install CD has md5sum installed. Run:
# md5sum /bin/login
On my i386, I get:
2ee32ff74e474c4d9fc9df6f1460980f /bin/login
If /bin/login is fine, then I'd forget about it.
If it differs, I'd wipe the drive and reinstall; from backups before
your first indication of a problem. Then examine the difference between
that backup's data and your most recent backup.
Actually, to put your mind at ease, I've attached a file bin-MD5SUMS
which is the output of:
$md5sum /bin/* > bin-MD5SUMS
Put this onto a floppy and mount it when you boot your install CD. Then
edit it so that, for example the /bin/login reads /mnt/bin/login.
You can then verify the whole /bin with
#md5sum -c bin-MD5SUMS
Douglas Allan Tutty, 29.07.2007 18:35:
> Boot the box from something like the install CD, go to a shell, mount
> your / partition ro, noexec.
>
> I think the install CD has md5sum installed. Run:
> # md5sum /bin/login
>
> On my i386, I get:
>
> 2ee32ff74e474c4d9fc9df6f1460980f /bin/login
You should also tell the exact version of the "login" package you are using.
Otherwise this number is useless.
With 1:4.0.18.1-11 on i386 I get this:
> 004a41bb9196f1888bd89c2245910f46 /bin/login
Regards, Mathias
--
debian/rules
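Worked version of the check Douglas describes a few messages up (boot from the install CD, mount the suspect root ro,noexec, compare /bin against md5sum output from a trusted box), folded together with Mathias's point that the reference hashes are only meaningful for the exact same package version. This is an added example by the editor, not code posted in the thread. It assumes GNU coreutils (md5sum -c reading its list from stdin and accepting --quiet), sed and mktemp on the rescue CD, that the checksum list was produced on a trusted machine running identical package versions, and that the mount point path contains no '#' (the sed delimiter). The "trusted" and "suspect" trees in demo_scenario are constructed scratch data, not a real system.

```shell
#!/bin/sh
# Added example, not code from the thread. Automates the check Douglas
# describes: boot a live/install CD, mount the suspect root read-only and
# noexec, and compare /bin against md5sum output taken on a trusted machine.
# Assumes GNU coreutils (md5sum -c reads its list from stdin and accepts
# --quiet) plus sed and mktemp, and that the mount point contains no '#'.

# verify_tree LIST ROOT
#   LIST: "md5sum /bin/*" output from a known-good box running the SAME
#         package versions (Mathias's point: a hash without the package
#         version is useless). Paths in it are absolute, e.g. "/bin/login".
#   ROOT: where the suspect filesystem is mounted, e.g. /mnt.
# Rewrites "  /bin/login" to "  /mnt/bin/login" on the fly instead of editing
# the file by hand, then lets md5sum -c do the comparison. Prints one
# "<path>: FAILED" line per mismatch (or "FAILED open or read" if a listed
# file is missing) and returns non-zero if anything did not match.
verify_tree() {
    list=$1
    root=${2%/}                     # drop a trailing slash so paths join cleanly
    sed "s#  /#  $root/#" "$list" | md5sum -c --quiet
}

# demo_scenario
#   Constructed data, not a real system: a "trusted" /bin whose hashes are
#   recorded, and a "suspect" copy in which login has been replaced. The
#   egrep/fgrep wrapper scripts are there on purpose: on Etch those really
#   are scripts (the rkhunter warning Tyler mentions), and they must NOT be
#   reported as long as they match the trusted copy. Prints the paths that
#   failed, relative to the suspect root; expected output is "/bin/login".
demo_scenario() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/trusted/bin" "$work/suspect/bin"

    printf '#!/bin/sh\nexec grep -E "$@"\n' > "$work/trusted/bin/egrep"
    printf '#!/bin/sh\nexec grep -F "$@"\n' > "$work/trusted/bin/fgrep"
    printf 'stand-in for the real login binary\n' > "$work/trusted/bin/login"

    # Record hashes on the "trusted" side with absolute paths, the way
    # "md5sum /bin/* > bin-MD5SUMS" would on the real machine.
    ( cd "$work/trusted" && md5sum ./bin/* | sed 's#  \./#  /#' ) > "$work/bin-MD5SUMS"

    # The suspect disk is a copy of the trusted tree with one file tampered.
    cp "$work/trusted/bin/"* "$work/suspect/bin/"
    printf 'something else entirely\n' > "$work/suspect/bin/login"

    # Strip the mount prefix and the ": FAILED" suffix so only the bare
    # paths remain; stderr carries md5sum's summary warning, not needed here.
    verify_tree "$work/bin-MD5SUMS" "$work/suspect" 2>/dev/null \
        | sed "s#^$work/suspect##; s#: FAILED.*##"

    rm -rf "$work"
}

# Stand-alone run: sh verify-bin.sh --demo
if [ "${1-}" = "--demo" ]; then
    demo_scenario
fi
```

Two things to keep straight when doing this for real. The list has to be generated on the trusted machine, never on the suspect one: debsums output or /var/lib/dpkg/info/login.md5sums read off the suspect disk are just more data that a rooted box could have altered, which is John's and Douglas's point about trusting nothing on it. And the comparison has to run under the rescue CD's kernel, because on the suspect system's own kernel a rootkit can show md5sum whatever it likes, which is Celejar's "the system may lie to you" scenario. A clean /bin/login alone does not clear the box; Douglas's whole-/bin list is the minimum worth checking, and the same function works unchanged with a sha256sum list if the trusted side produced one.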
07-29-2007, 04:51 PM
Douglas Allan Tutty
/bin/login listening?
On Sun, Jul 29, 2007 at 06:40:05PM +0200, Mathias Brodala wrote:
> You should also tell the exact version of the "login" package you are using.
> Otherwise this number is useless.
Sorry. Stock, up-to-date Etch. Aptitude shows it as version
1:4.0.18.1-7.
Doug.
07-29-2007, 06:27 PM
Tyler Smith
/bin/login listening?
On 2007-07-29, Mathias Brodala <info@noctus.net> wrote:
>
> Hi Douglas.
>
> Douglas Allan Tutty, 29.07.2007 18:35:
>> Boot the box from something like the install CD, go to a shell, mount
>> your / partition ro, noexec.
>>
>> I think the install CD has md5sum installed. Run:
>> # md5sum /bin/login
>>
>> On my i386, I get:
>>
>> 2ee32ff74e474c4d9fc9df6f1460980f /bin/login
>
> You should also tell the exact version of the "login" package you are using.
> Otherwise this number is useless.
>
> With 1:4.0.18.1-11 on i386 I get this:
>
>> 004a41bb9196f1888bd89c2245910f46 /bin/login
>
Which is just what I got too. I found an old Mepis CD, booted into
that, mounted my / partition, ran md5sum on /bin/login, and out came
the same answer, for the same version of /bin/login.
So I'm going to proceed as if I've been lucky, have not been
rootkit-ed, and will continue on with hardening my laptop without
reinstalling.
Thanks for your help!
Tyler