I don't have /sbin/dump, /sbin/restore or /usr/bin/sperl5.6.0 installed. Other
than that, all files in the following list are suid.

> Subject: *** Diff Check, Thu Apr 20 00:02:50 EDT 2000 ***
> Security Warning: Change in Suid Root files found :
>               - Added suid root files : /bin/mount
>               - Added suid root files : /bin/ping
>               - Added suid root files : /bin/su
>               - Added suid root files : /bin/umount
>               - Added suid root files : /sbin/dump
>               - Added suid root files : /sbin/pwdb_chkpwd
>               - Added suid root files : /sbin/restore
>               - Added suid root files : /usr/X11R6/bin/Xwrapper
>               - Added suid root files : /usr/bin/at
>               - Added suid root files : /usr/bin/chage
>               - Added suid root files : /usr/bin/chfn
>               - Added suid root files : /usr/bin/chsh
>               - Added suid root files : /usr/bin/crontab
>               - Added suid root files : /usr/bin/dos
>               - Added suid root files : /usr/bin/gpasswd
>               - Added suid root files : /usr/bin/lpq
>               - Added suid root files : /usr/bin/lpr
>               - Added suid root files : /usr/bin/lprm
>               - Added suid root files : /usr/bin/newgrp
>               - Added suid root files : /usr/bin/passwd
>               - Added suid root files : /usr/bin/procmail
>               - Added suid root files : /usr/bin/rcp
>               - Added suid root files : /usr/bin/rlogin
>               - Added suid root files : /usr/bin/rsh
>               - Added suid root files : /usr/bin/sperl5.6.0
>               - Added suid root files : /usr/bin/suidperl
>               - Added suid root files : /usr/bin/urpmi
>               - Added suid root files : /usr/lib/telnetd/login
>               - Added suid root files : /usr/libexec/pt_chown
>               - Added suid root files : /usr/sbin/sendmail
>               - Added suid root files : /usr/sbin/traceroute
>               - Added suid root files : /usr/sbin/userhelper
>               - Added suid root files : /usr/sbin/usernetctl
> 

Yup, group suid also.

> Security Warning: Changes in Suid Group files found :
>               - Added suid group files : /usr/sbin/sendmail
> 

Nothing to worry about; world-writable files in /tmp/ are pretty common. They're
temp files anyway, so by the time you read the security-check mail the file
probably doesn't exist anymore.

> Security Warning: Change in World Writeable Files found :
>               - Removed writables files : /tmp/fileUcAjVM
> 

Ok, I don't know why the hell this file would change its checksum. Perhaps you
reinstalled, or perhaps the old checksum got corrupted.

> Security Warning: the md5 checksum for one of your SUID files has changed,
>       maybe an intruder modified one of these suid binary in order to put in a
> backdoor...
>               - Checksum changed files : /usr/bin/suidperl
> 

I don't know which ports do what, but I always get this kind of crap too, so I
don't really believe it's much to worry about. I just deleted my own security-check
mails, so I can't compare. And I don't really feel like running it right now,
since it takes ages on this nearly full hard drive of mine... If it really
bothers you, I'll run the security check and send you the results.

> Security Warning: There is modifications for port listening on your machine :
>               -  Opened ports : tcp        0      0 *:6000                  *:*
> LISTEN      658/X
>               -  Opened ports : tcp        0      0 *:1024                  *:*
> LISTEN      651/kdm
>               -  Opened ports : tcp        0      0 *:10000                 *:*
> LISTEN      586/perl
>               -  Opened ports : tcp        0      0 *:www                   *:*
> LISTEN      520/httpd
>               -  Opened ports : udp        0      0 *:xdmcp                 *:*
> 651/kdm
>               -  Opened ports : udp        0      0 *:10000                 *:*
> 586/perl
>               - Closed ports  : tcp        0      0 *:www                   *:*
> LISTEN      3244/httpd
>               - Closed ports  : tcp        0      0 *:10000                 *:*
> LISTEN      1996/perl
>               - Closed ports  : tcp        0      0 *:6000                  *:*
> LISTEN      660/X
>               - Closed ports  : tcp        0      0 *:1024                  *:*
> LISTEN      653/kdm
>               - Closed ports  : udp        0      0 *:10000                 *:*

> 1996/perl
>               - Closed ports  : udp        0      0 *:xdmcp                 *:*
> 653/kdm

Ok, this is strange... Perl listening on a port, or how do I interpret this? Add
this to the fact that suidperl has changed its md5 checksum, and here's a
possibility of something that isn't quite the way it should be...

> 
> ...I've been hacked! The questions, now, are: 1. How do I fix this? and 2. How
> to I prevent it from happening again?

Well, I don't think you've been hacked, but I can't completely rule out the
possibility. The perl thing bugs me...

Perhaps you _were_ hacked: the hacker changed the file /usr/bin/suidperl to
something that listens on a port, or spawns a daemon to listen on a port, and in
order to erase his traces deleted the security-check file. This would explain
why all these bogus errors appear in your mail. Perhaps he didn't realise that
you'd get all those bogus error messages, alerting you that something went
wrong, or perhaps he counted on you believing it was nothing after all, since
these files _should be_ suid, and that you'd overlook the /usr/bin/suidperl
later on in the security report.

I'm not sure what it is. If you want to play it on the safe side, reinstall. It
might be nothing, but it's up to you to decide if you're willing to take that
risk or not.


-- 

Rial Juan                        <http://nighty.ulyssis.org>
                e-mail:              [EMAIL PROTECTED]
Belgium            tel:                    (++32) 89/856533
ulyssis system administrator        <http://www.ulyssis.org>

The little critters in nature; they don't know they're ugly.
That's very funny... A fly marrying a bumble-bee...
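The report format quoted in this thread is regular enough to triage mechanically. The script below is an added example, written for this page; it is not part of the original mail, nor code from the distribution's security checker. It parses lines in that format and applies the reasoning of the reply: a long run of "Added suid root files" with no removals points to a lost or reset baseline rather than a mass install of setuid binaries; a "Checksum changed" entry on a setuid binary is the one finding to take seriously; and a socket that appears under both "Opened" and "Closed" with a different PID is a restarted daemon, not a new listener. The sample input is constructed from the quoted report (quote prefixes removed, suid list shortened), and the threshold of eight added files is an arbitrary heuristic, not something the checker defines.

```python
import re

# Constructed sample: lines from the security-check mail quoted above, quote
# prefix removed and the suid list shortened. The checker wraps the netstat
# state/PID/program onto a second line; that is reproduced here deliberately.
SAMPLE_REPORT = """\
Security Warning: Change in Suid Root files found :
              - Added suid root files : /bin/mount
              - Added suid root files : /bin/ping
              - Added suid root files : /bin/su
              - Added suid root files : /bin/umount
              - Added suid root files : /usr/bin/at
              - Added suid root files : /usr/bin/crontab
              - Added suid root files : /usr/bin/passwd
              - Added suid root files : /usr/bin/suidperl
Security Warning: Changes in Suid Group files found :
              - Added suid group files : /usr/sbin/sendmail
Security Warning: Change in World Writeable Files found :
              - Removed writables files : /tmp/fileUcAjVM
Security Warning: the md5 checksum for one of your SUID files has changed,
              - Checksum changed files : /usr/bin/suidperl
Security Warning: There is modifications for port listening on your machine :
              -  Opened ports : tcp        0      0 *:6000                  *:*
LISTEN      658/X
              -  Opened ports : tcp        0      0 *:10000                 *:*
LISTEN      586/perl
              -  Opened ports : udp        0      0 *:10000                 *:*
586/perl
              - Closed ports  : tcp        0      0 *:10000                 *:*
LISTEN      1996/perl
              - Closed ports  : tcp        0      0 *:6000                  *:*
LISTEN      660/X
              - Closed ports  : udp        0      0 *:10000                 *:*
1996/perl
"""

FILE_RE = re.compile(
    r"^\s*-\s+(Added|Removed|Checksum changed)\s+"
    r"(?:(suid root|suid group|writables)\s+)?files\s*:\s*(\S+)\s*$")
PORT_RE = re.compile(
    r"^\s*-\s+(Opened|Closed)\s+ports\s*:\s*(tcp|udp)\s+\d+\s+\d+\s+(\S+)\s+(\S+)"
    r"(?:\s+LISTEN)?(?:\s+(\d+)/(\S+))?\s*$")
CONT_RE = re.compile(r"^\s*(?:LISTEN\s+)?(\d+)/(\S+)\s*$")  # wrapped netstat tail


def parse_report(text):
    """Return (files, ports) records parsed from security-check mail text."""
    files, ports, pending = [], [], None
    for raw in text.splitlines():
        line = raw.lstrip("> ")                 # tolerate mail quoting
        m = FILE_RE.match(line)
        if m:
            files.append({"change": m.group(1), "kind": m.group(2) or "checksum",
                          "path": m.group(3)})
            pending = None
            continue
        m = PORT_RE.match(line)
        if m:
            pending = {"change": m.group(1), "proto": m.group(2), "local": m.group(3),
                       "pid": int(m.group(5)) if m.group(5) else None, "prog": m.group(6)}
            ports.append(pending)
            continue                            # PID may follow on the next line
        m = CONT_RE.match(line)
        if m and pending is not None and pending["pid"] is None:
            pending["pid"], pending["prog"] = int(m.group(1)), m.group(2)
        pending = None
    return files, ports


def checksum_changed(files):
    """Paths whose recorded md5 no longer matches: the finding worth chasing."""
    return [f["path"] for f in files if f["change"] == "Checksum changed"]


def baseline_probably_lost(files, threshold=8):
    """Many 'Added' setuid-root files and no 'Removed' ones usually means the
    checker's baseline was deleted or reset, not that binaries were installed.
    threshold is an assumed heuristic, not a value from the checker."""
    added = sum(1 for f in files if f["change"] == "Added" and f["kind"] == "suid root")
    removed = sum(1 for f in files if f["change"] == "Removed" and f["kind"] == "suid root")
    return added >= threshold and removed == 0


def classify_ports(ports):
    """Split port changes into restarted (same socket, new PID), new and gone."""
    opened = {(p["proto"], p["local"]): p for p in ports if p["change"] == "Opened"}
    closed = {(p["proto"], p["local"]): p for p in ports if p["change"] == "Closed"}
    restarted = sorted((pr, lo, closed[(pr, lo)]["pid"], opened[(pr, lo)]["pid"],
                        opened[(pr, lo)]["prog"]) for (pr, lo) in opened.keys() & closed.keys())
    new = sorted((k[0], k[1], v["prog"]) for k, v in opened.items() if k not in closed)
    gone = sorted((k[0], k[1], v["prog"]) for k, v in closed.items() if k not in opened)
    return {"restarted": restarted, "new": new, "gone": gone}


def triage(text):
    """One-shot verdict over a report: what is noise and what deserves a look."""
    files, ports = parse_report(text)
    return {"baseline_lost": baseline_probably_lost(files),
            "checksum_changed": checksum_changed(files),
            "ports": classify_ports(ports)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(key, value)
```

Run over the quoted report, every opened socket has a matching closed entry with a different PID (X on 6000, perl on 10000 tcp and udp), which is what a reboot or service restart looks like, so the only finding left standing is the checksum change on /usr/bin/suidperl. On an RPM-based system such as the one in the thread, that one can be compared against the package database with `rpm -V` on the owning package before deciding whether a reinstall is warranted.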
