Daniel Stiefel wrote:
> 
> A few days ago, I got some KWrited docs popping up on my Mandrake 8.1
> desktop ("Security warning: World Writeable files found" followed by a long
> list of files located on both hard drives).  I am a Linux newbie and assumed
> the popups were the product of some kind of monitoring utility that I had
> inadvertently installed.

This is correct, and the installed program doing these checks is a
program called, by Mandrake, msec.

> 
> Although I have a simple workstation setup (except for the extra partitions
> and triple boot aspect to it!) and installed 8.1 with medium security, I
> went back into 8.1's control panel and re-set it to medium security and the
> Kwrited popups stopped appearing.

With this move, you have "loosened" your security settings. You have
gone down a level, and this could be okay or it could be a problem for
you, in terms of security. It depends a lot on other variables, such as
how you connect to the internet, what other kinds of protection you are
running (firewall, etc.), and so on.
 
> 
> From the lists of files displayed, I assumed my machine had been compromised
> and that I would have to partition, reformat, reload the win98, mandrake 8.1
> and Redhat 5.1 partition in order to make things right.  I downloaded
> chkrootkit (and with some help from this group), ran it while booted to the
> main HD/ Mandrake 8.1 just to see what was up.  Surprisingly it showed
> nothing.  I'm not sure why that is.  I am not familiar with chkrootkit and
> may have failed to run it so that it searched all of the drives.

How are you running it? We need a little more info on this part of your
operation.

> 
> Can anyone tell me how to run it to search RH 5.1 or the win98SE partition?
> Can that be done from 8.1 on the other drive as I attempted? Does it check
> comprehensively or does it only check the drive/OS that it is booted to?

Not sure about win98. Have not used it in years, but it should work for
Red Hat. Again, I need to know more about how you are running it.

> 
> Secondly, is it possible that, despite the KWrited popups that occurred on 2
> different occasions, my machine is unaffected?

Dan, it is entirely possible that your machine is *not* compromised. The
listing you were getting is simply telling you that you have directories
and files that can be executed, read, and changed/deleted by anyone that
has access to your system. That means these directories are set to 777
permissions, and these files are set to 666 perms. Are you getting any
other kind of warnings?

Hope it helps,

-- 
J. Craig Woods
UNIX/NT Network/System Administration
http://www.trismegistus.net
"Character is built upon the debris of despair" --Emerson

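The kind of check behind the "World Writeable files found" warning discussed in this thread, as an added example (not part of the original messages and not msec's own code): it lists world-writable entries under a directory and separates sticky directories from plain 777 ones. The function names and the sample tree are constructed for illustration.

```python
import os
import stat
import sys
import tempfile

def audit_world_writable(root):
    """Return (relative path, octal mode, note) for every world-writable
    entry under root. Symlinks are skipped and never followed."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable
            mode = st.st_mode
            # A symlink's own mode is 777 on Linux and says nothing about its target.
            if stat.S_ISLNK(mode) or not mode & stat.S_IWOTH:
                continue
            if stat.S_ISDIR(mode):
                note = ("sticky directory, as /tmp normally is" if mode & stat.S_ISVTX
                        else "directory: any user can add or delete entries")
            elif stat.S_ISREG(mode):
                note = "file: any user can change the contents"
            else:
                note = "special file (device, FIFO or socket)"
            rel = os.path.relpath(path, root)
            findings.append((rel, oct(stat.S_IMODE(mode)), note))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample data: a small tree with known permissions."""
    root = tempfile.mkdtemp(prefix="wwaudit-")
    for name, mode in (("open_dir", 0o777), ("tmp_like", 0o1777), ("safe_dir", 0o755)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    for name, mode in (("open.txt", 0o666), ("safe.txt", 0o644)):
        path = os.path.join(root, "safe_dir", name)
        open(path, "w").close()
        os.chmod(path, mode)
    os.symlink("open.txt", os.path.join(root, "safe_dir", "link"))
    return root

if __name__ == "__main__":
    # With no argument, audit the constructed sample tree.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for rel, mode, note in audit_world_writable(target):
        print(f"{mode:>7}  {rel}  ({note})")
```

Pass the mount point of another partition as the argument to audit that filesystem from the running system.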