You don't recall the names of some of the files, do you?  Whether a
particular file being world-readable is a security problem depends
entirely on which file it is.  It is entirely possible that one of your
applications is saving files with this permission.  Did this occur
shortly after you started using an application for the first time, or
after you had saved files from an application?  

It is by no means clear that your workstation has been compromised, and
I would look more carefully before I did anything so drastic as to
reformat and start over.

You could get a list of *all* world-writeable files with the following
command line:

find / -perm -002 -print
# warning - that could be a lot of files!   you might want to redirect
# it to a file...

Also, you said that you have a Win98 partition.   Look carefully at the
permissions assigned to it.  It would not surprise me a whole lot if it
was world-writeable.   You might be able to check this with a "mount"
command.  Not sure, and not on a Linux box right now :-(   If that isn't
informative, take a look at the file /etc/fstab and see what options are
used on the win98 partition.   You might also check the man page for
mount and see what it says about default settings for vfat partitions.

D. Jones


"J. Craig Woods" wrote:
> 
> Daniel Stiefel wrote:
> >
> > A few days ago, I got some KWrited docs popping up on my Mandrake 8.1
> > desktop ("Security warning: World Writeable files found" followed by a long
> > list of files located on both hard drives).  I am a linux newbie and assumed
> > the popups were the product of some kind of monitoring utility that I had
> > inadvertently installed.
> 
> This is correct, and the installed program doing these checks is a
> program called, by Mandrake, msec.
> 
> >
> > Although I have a simple workstation setup (except for the extra partitions
> > and triple boot aspect to it!) and installed 8.1 with medium security, I
> > went back into 8.1's control panel and re-set it to medium security and the
> > Kwrited popups stopped appearing.
> 
> With this move, you have "loosened" your security settings. You have
> gone down a level, and this could be okay or it could be a problem for
> you, in terms of security. It depends a lot on other variables, such as
> how you connect to the internet, what other kinds of protection are you
> running (firewall, etc.), and so on.
> 
> >
> > From the lists of files displayed, I assumed my machine had been compromised
> > and that I would have to partition, reformat, reload the win98, mandrake 8.1
> > and Redhat 5.1 partition in order to make things right.  I downloaded
> > chkrootkit (and with some help from this group), ran it while booted to the
> > main HD/ Mandrake 8.1 just to see what was up.  Surprisingly it showed
> > nothing.  I'm not sure why that is.  I am not familiar with chkrootkit and
> > may have failed to run it so that it searched all of the drives.
> 
> How are you running it? We need a little more info on this part of your
> operation.
> 
> >
> > Can anyone tell me how to run it to search RH 5.1 or the win98SE partition?
> > Can that be done from 8.1 on the other drive as I attempted? Does it check
> > comprehensively or does it only check the drive/OS that it is booted to?
> 
> Not sure about win98. Have not used it in years but it should work for
> red hat. Again, I need to know more about how you are running it.
> 
> >
> > Secondly, is it possible that, despite the KWrited popups that occurred on 2
> > different occasions, my machine is unaffected?
> 
> Dan, it is entirely possible that your machine is *not* compromised. The
> listing you were getting is simply telling you that you have directories
> and files that can be executed, read, and changed/deleted by anyone that
> has access to your system. That means these directories are set to 777
> permissions, and these files are set to 666 perms. Are you getting any
> other kind of warnings?
> 
> Hope it helps,
> 
> --
> J. Craig Woods
> UNIX/NT Network/System Administration
> http://www.trismegistus.net
> "Character is built upon the debris of despair" --Emerson
> 
>   ------------------------------------------------------------------------
> Want to buy your Pack or Services from MandrakeSoft?
> Go to http://www.mandrakestore.com

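
Added example, not part of the original thread: the two checks suggested in the reply above (listing world-writable files, and reading the mount options of FAT partitions in /etc/fstab) written as shell functions. The function names, verdict strings and the decision to skip symlinks and sticky directories are assumptions made for this example.

```shell
#!/bin/sh
# Added example; function names and verdict strings are hypothetical.

# List world-writable regular files and non-sticky world-writable
# directories under $1. -xdev keeps find on one filesystem, so a mounted
# FAT partition does not flood the list. Symlinks are skipped because
# their mode is always 777 and says nothing about the target.
list_world_writable() {
    find "$1" -xdev \( \( -type f -perm -002 \) -o \
        \( -type d -perm -002 ! -perm -1000 \) \) -print
}

# Read an fstab-format file ($1) and, for each vfat/msdos entry, report
# whether the umask=/fmask=/dmask= options remove write access for "other".
#   world-writable     : at least one mask leaves the other-write bit on
#   other-write-masked : every mask given clears the other-write bit
#   no-mask-set        : no mask option; the mode then follows the umask
#                        of the process that ran mount
check_fat_mounts() {
    awk '
    /^[ \t]*#/ || NF < 4 { next }
    $3 == "vfat" || $3 == "msdos" {
        verdict = "no-mask-set"
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            if (opt[i] ~ /^(umask|fmask|dmask)=[0-7]+$/) {
                last = substr(opt[i], length(opt[i]), 1)
                # bit 2 of the last octal digit masks write for "other"
                if (last ~ /[2367]/) {
                    if (verdict == "no-mask-set") verdict = "other-write-masked"
                } else {
                    verdict = "world-writable"
                }
            }
        }
        print $2, verdict
    }' "$1"
}

# When run as a script with two arguments: sh audit.sh /home /etc/fstab
if [ $# -eq 2 ]; then
    list_world_writable "$1"
    check_fat_mounts "$2"
fi
```

Files on a FAT partition carry no Unix permissions of their own, so every file on a mount reported as world-writable will appear in a world-writable scan regardless of its contents.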