08-22-2008, 04:09 PM
"Ashley Benton"

How to know if there was any change in my system yesterday?

Hi,
Yesterday I used chm2pdf to be able to read a document. I had this strange message rm: permission to /root and every other system folders. I answered no. Two folders (VzLinuz and Lost+found) denied permission but the others didn't. When it did that a second time I used control D to stop the process. I stopped it but the computer wasn't working anymore (it was frozen). I rebooted and used clamav to check for viruses and everything seems fine and is working now, but I'd like to find out if there had been any changes to the system.

I wasn't logged in as root but as a normal user when it happened, so I am wondering why all the system directories didn't deny permission as I thought they would.
My question now is how can I check if there was any change done to the system yesterday or if there were any hidden files installed.

I am using Ubuntu 8.04.
Any help would be appreciated
thank you
Meg


--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
 
08-23-2008, 04:51 PM
"Brian McKee"

How to know if there was any change in my system yesterday?

On Fri, Aug 22, 2008 at 12:09 PM, Ashley Benton <chuaukantli@gmail.com> wrote:
> Hi,
> Yesterday I used chm2pdf to be able to read a document. I had this strange
> message rm: permission to /root and every other system folders. I answered
> no

Were you running the program as root or via sudo?

Did you start it from the command line? It might be enlightening to
review your .bash_history file.

A find command would show new files since yesterday, but wouldn't show
deletions etc....

rootkit hunter and others would spot changes if you'd been running
those programs *before* you had a problem. Checking after the fact is
a chicken-and-egg problem, since you can't trust the system to verify
itself if the system is untrustworthy.

Brian
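
The point made in the reply above, as an added example that is not part of the original thread: a time-based `find` sees new and modified files but not deletions, while a hash manifest recorded before the incident sees all three. The function names and the scratch tree are hypothetical, and GNU coreutils `sha256sum` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Files under DIR changed after reference file REF. This is the "find" check:
# it sees new and modified files, but a deleted file leaves nothing to find.
recent_files() {
    ( cd "$1" && find . -xdev -type f -newer "$2" | sort )
}

# Record "sha256  ./path" for every regular file under DIR. Take this BEFORE
# an incident and keep it off the machine (read-only media, another host),
# because a compromised system cannot be trusted to verify itself.
make_manifest() {
    ( cd "$1" && find . -xdev -type f -exec sha256sum {} + ) > "$2"
}

# Compare two manifests: prints ADDED / DELETED / MODIFIED lines.
# The path starts at column 67 (64 hex digits plus two separator characters),
# so paths containing spaces are handled.
compare_manifests() {
    awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { old[path] = hash; next }
        { seen[path] = 1
          if (!(path in old))          print "ADDED " path
          else if (old[path] != hash)  print "MODIFIED " path }
        END { for (p in old) if (!(p in seen)) print "DELETED " p }
    ' "$1" "$2" | sort
}

# Constructed scenario: a scratch tree stands in for the real filesystem.
demo() {
    t=$(mktemp -d) && mkdir "$t/tree" || return 1
    for f in keep.conf edit.conf gone.conf; do echo "$f v1" > "$t/tree/$f"; done
    touch -t 200808200000 "$t"/tree/*          # files predate the incident
    touch -t 200808210000 "$t/ref"             # reference point: "yesterday"
    make_manifest "$t/tree" "$t/before"
    echo "edit.conf v2" > "$t/tree/edit.conf"  # modified
    echo "new" > "$t/tree/.hidden"             # added (hidden file)
    rm "$t/tree/gone.conf"                     # deleted
    make_manifest "$t/tree" "$t/after"
    echo "find -newer:";   recent_files "$t/tree" "$t/ref"
    echo "manifest diff:"; compare_manifests "$t/before" "$t/after"
    rm -rf "$t"
}
demo
```

Tools such as samhain and rkhunter keep this kind of baseline for you; the manifest is only useful if it was written before the problem and stored where the suspect system cannot alter it.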

 
08-23-2008, 06:38 PM
"Verde Denim"

How to know if there was any change in my system yesterday?

On Sat, Aug 23, 2008 at 12:51 PM, Brian McKee <brian.mckee@gmail.com> wrote:
> On Fri, Aug 22, 2008 at 12:09 PM, Ashley Benton <chuaukantli@gmail.com> wrote:
> > Hi,
> > Yesterday I used chm2pdf to be able to read a document. I had this strange
> > message rm: permission to /root and every other system folders. I answered
> > no
>
> Were you running the program as root or via sudo?
>
> Did you start it from the command line? It might be enlightening to
> review your .bash_history file.
>
> A find command would show new files since yesterday, but wouldn't show
> deletions etc....
>
> rootkit hunter and others would spot changes if you'd been running
> those programs *before* you had a problem. Checking after the fact is
> a chicken-and-egg problem, since you can't trust the system to verify
> itself if the system is untrustworthy.
>
> Brian

Even though it's after the fact, if you installed samhain, it would at least alert you whenever a system file changed. I'm not sure if it can be configured to alert whenever *any* file changed, though. But it would be a good app to have running if you've ever wondered which files are changing in the system.


Jack




 
08-24-2008, 12:27 AM
"Ashley Benton"

How to know if there was any change in my system yesterday?

On Sat, Aug 23, 2008 at 2:38 PM, Verde Denim <tdldev@gmail.com> wrote:
> On Sat, Aug 23, 2008 at 12:51 PM, Brian McKee <brian.mckee@gmail.com> wrote:
> > On Fri, Aug 22, 2008 at 12:09 PM, Ashley Benton <chuaukantli@gmail.com> wrote:
> > > Hi,
> > > Yesterday I used chm2pdf to be able to read a document. I had this strange
> > > message rm: permission to /root and every other system folders. I answered
> > > no
> >
> > Were you running the program as root or via sudo?

No, I was using the terminal command as a regular user (chm2pdf --webpage ~/desktop/*.chm)

> > Did you start it from the command line? It might be enlightening to
> > review your .bash_history file.

When I type history in the terminal I didn't use the command sudo before that happened but only after.

> > A find command would show new files since yesterday, but wouldn't show
> > deletions etc....

It shows that the file srcpkgcache.bin was modified as well as syslog, access_log and dmesg. I will try to find what was modified if I can find a log in var/log

> > rootkit hunter and others would spot changes if you'd been running
> > those programs *before* you had a problem. Checking after the fact is
> > a chicken-and-egg problem, since you can't trust the system to verify
> > itself if the system is untrustworthy.

It was a private computer and I installed rkhunter only after that had
happened. It found two suspicious files in /dev
(/dev/shm/pulse-shm-3256157084: data and /dev/shm/pulse-shm-31......)
It also found 4 hidden files (/etc/.java ; /dev/.static ; /dev/.udev
; /dev/.initramfs)

I don't know what are the suspicious files yet.

> Even though it's after the fact, if you installed samhain, it would at least alert you whenever a system file changed. I'm not sure if it can be configured to alert whenever *any* file changed, though. But it would be a good app to have running if you've ever wondered which files are changing in the system.

I installed it a few minutes ago and will check the man page to learn how to use it.

Thank you for your answers.
Meg





 
08-24-2008, 02:57 PM
"Brian McKee"

How to know if there was any change in my system yesterday?

On Sat, Aug 23, 2008 at 8:27 PM, Ashley Benton <chuaukantli@gmail.com> wrote:
>
> It was a private computer and I installed rkhunter only after that had
> happened. It found two suspicious files in /dev
> (/dev/shm/pulse-shm-3256157084: data and /dev/shm/pulse-shm-31......) It
> also found 4 hidden files (/etc/.java ; /dev/.static ; /dev/.udev ;
> /dev/.initramfs)
> I don't know what are the suspicious files yet.

Look at those files and verify for yourself, but I'm pretty sure you
will find they are fine - they exist on Ubuntu installs normally, and
the rkhunter.conf file will have some commented out options that will
whitelist those files for you once you've confirmed they are ok.

Brian

 
08-25-2008, 01:20 AM
"Ashley Benton"

How to know if there was any change in my system yesterday?

On Sun, Aug 24, 2008 at 10:57 AM, Brian McKee <brian.mckee@gmail.com> wrote:
> On Sat, Aug 23, 2008 at 8:27 PM, Ashley Benton <chuaukantli@gmail.com> wrote:
> >
> > It was a private computer and I installed rkhunter only after that had
> > happened. It found two suspicious files in /dev
> > (/dev/shm/pulse-shm-3256157084: data and /dev/shm/pulse-shm-31......) It
> > also found 4 hidden files (/etc/.java ; /dev/.static ; /dev/.udev ;
> > /dev/.initramfs)
> > I don't know what are the suspicious files yet.
>
> Look at those files and verify for yourself, but I'm pretty sure you
> will find they are fine - they exist on Ubuntu installs normally, and
> the rkhunter.conf file will have some commented out options that will
> whitelist those files for you once you've confirmed they are ok.
>
> Brian

Yes I read the rkhunter.conf files last night and I saw the options.
Thank you for your help
Meg

PROBLEM SOLVED



 
