On Sun Apr 21, 2002 at 11:01:50AM +0900, Gavin wrote:

> I did an update from a clean install (running Mandrake linux8.0) and this is
> what I got back the next morning.
>
> Security Warning: Change in Suid Root files found :
> - Added suid root files : /usr/lib/squid/pam_auth
>
> Security Warning: Changes in Suid Group files found :
> - Added suid group files : /usr/lib/squid/pam_auth
> - Removed suid group files : /usr/bin/gpg
>
> Security Warning: the md5 checksum for one of your SUID files has changed,
> maybe an intruder modified one of these suid binary in order to put in a
> backdoor...
> - Checksum changed files : /usr/bin/crontab
> - Checksum changed files : /usr/bin/gpg
> - Checksum changed files : /usr/bin/procmail
> - Checksum changed files : /usr/bin/ssh
> - Checksum changed files : /usr/bin/sudo
> - Checksum changed files : /usr/libexec/pt_chown
> - Checksum changed files : /usr/sbin/pppd
>
> Question, what are some of the reasons besides the obvious (being rooted or
> backdoor setup) I would get this and how do I correct this problem with
> reloading the whole system AGAIN if possible. This is the Fifth time I've got
> this message and I'm using Mandrake update, I thought Mandrake update
> checked for these types of problems.
MandrakeUpdate checks to make sure GPG signatures are intact. It doesn't protect against modified files (ie. backdoors/trojans setup outside of MandrakeUpdate). Also, MandrakeUpdate makes sure that a GPG signature is not bad... ie. if you have a renegade key installed, and a package is signed with that renegade key, MU will not complain.

These changes, however, are from updates. For instance, you probably updated gpg and pppd packages, to name two. Of course the checksum will change... these are updated packages. So what msec is doing is letting you know that this stuff has changed... it's up to you to realize that yes, you did update gpg the night before, and you also updated pppd, sudo, etc. These changes are false positives... they have changed, but *you* changed them when you did the updates.

> I live in Japan, using a dial-up connection, could this be a problem?? just
> asking.
> GOD BLESS YOU ALL and thank you for your help.

If any of these files are *not* a part of a package you updated, then you have cause for concern. If all of them are parts of packages you updated with MU, then you shouldn't be worried.

--
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
1024D/FE6F2AFD 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD
Current Linux kernel 2.4.18-6mdk uptime: 6 days 1 hour 54 minutes.
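The baseline comparison behind the warnings above, as an added example (not msec's own code and not part of this thread): it scans a tree for setuid/setgid files, diffs two scans, and replays the gpg/sudo/pam_auth situation from the mail in a temporary directory. Filenames and contents are constructed; deciding whether a flagged file belongs to a package you updated (rpm -qf, rpm -V) is still the step the reply leaves to the admin.

```python
# Constructed example, not msec's own code: a baseline check for setuid/setgid
# files reporting what the msec mail reports (added/removed suid/sgid, md5 changes).
import hashlib
import os
import stat
import tempfile

def scan_suid(root):
    """Map path -> (is_suid, is_sgid, md5) for every setuid/setgid regular file."""
    found = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: a symlink's own bits never count
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                with open(path, "rb") as fh:
                    found[path] = (bool(st.st_mode & stat.S_ISUID), bool(st.st_mode & stat.S_ISGID),
                                   hashlib.md5(fh.read()).hexdigest())
    return found

def diff_baseline(old, new):
    """Compare two scans; the keys mirror msec's warning lines."""
    rep = {k: [] for k in ("added_suid", "removed_suid", "added_sgid", "removed_sgid", "checksum_changed")}
    for path in sorted(set(old) | set(new)):
        osuid, osgid, omd5 = old.get(path, (False, False, None))
        nsuid, nsgid, nmd5 = new.get(path, (False, False, None))
        if nsuid and not osuid: rep["added_suid"].append(path)
        if osuid and not nsuid: rep["removed_suid"].append(path)
        if nsgid and not osgid: rep["added_sgid"].append(path)
        if osgid and not nsgid: rep["removed_sgid"].append(path)
        if omd5 and nmd5 and omd5 != nmd5: rep["checksum_changed"].append(path)
    return rep

def _install(root, rel, data, mode):  # stands in for a package (re)install
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)  # chmod after writing: a write can clear suid/sgid

def demo():
    """Replay the mail: updates rebuild gpg (sgid dropped) and sudo, and add pam_auth."""
    with tempfile.TemporaryDirectory() as root:
        _install(root, "usr/bin/gpg", b"gpg build 1", 0o6755)   # suid root + sgid
        _install(root, "usr/bin/sudo", b"sudo build 1", 0o4755)  # suid root
        baseline = scan_suid(root)
        _install(root, "usr/bin/gpg", b"gpg build 2", 0o4755)    # update dropped sgid
        _install(root, "usr/bin/sudo", b"sudo build 2", 0o4755)  # update, same bits
        _install(root, "usr/lib/squid/pam_auth", b"pam_auth", 0o6755)  # new helper
        rep = diff_baseline(baseline, scan_suid(root))
    return {k: [p[len(root):] for p in v] for k, v in rep.items()}
```

Every entry demo() reports is a legitimate update, which is exactly the reply's point: the report tells you what changed, not whether the change was yours.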
