> Daniel Stiefel wrote:
> >
> > A few days ago, I got some KWrited docs popping up on my Mandrake 8.1
> > desktop ("Security warning: World Writeable files found" followed by a long
> > list of files located on both hard drives). I am a Linux newbie and assumed
> > the popups were the product of some kind of monitoring utility that I had
> > inadvertently installed.
>
> This is correct, and the installed program doing these checks is a
> program called, by Mandrake, msec.

Yes, I remember installing that.

> > Although I have a simple workstation setup (except for the extra partitions
> > and triple boot aspect to it!) and installed 8.1 with medium security, I
> > went back into 8.1's control panel and re-set it to medium security and the
> > Kwrited popups stopped appearing.
>
> With this move, you have "loosened" your security settings. You have
> gone down a level, and this could be okay or it could be a problem for
> you, in terms of security. It depends a lot on other variables, such as
> how you connect to the internet, what other kinds of protection are you
> running (firewall, etc.), and so on.

Ok, I went back in and set the security level up to high. (And plugged the network cable back in.)

> > From the lists of files displayed, I assumed my machine had been compromised
> > and that I would have to partition, reformat, reload the win98, mandrake 8.1
> > and Redhat 5.1 partition in order to make things right. I downloaded
> > chkrootkit (and with some help from this group), ran it while booted to the
> > main HD/ Mandrake 8.1 just to see what was up. Surprisingly it showed
> > nothing. I'm not sure why that is. I am not familiar with chkrootkit and
> > may have failed to run it so that it searched all of the drives.
>
> How are you running it? We need a little more info on this part of your
> operation.

From the Mandrake 8.1 partition on my primary drive (which also contains win98SE) logged on as a user, I su-ed to a folder on my desktop where I had downloaded chkrootkit, untarred it in a second directory and then changed into that directory, used the make command and then the chkrootkit command. It reported no problems. (I also have a slave drive with RH 5.1 which boots to a boot floppy (the whole reason for this setup ... we need 5.1 to run a dead-ended legacy app and Mandrake 8.1 to run a cdburner for outputting the app's data...). Am not sure if it was checked.)

> > Can anyone tell me how to run it to search RH 5.1 or the win98SE partition?
> > Can that be done from 8.1 on the other drive as I attempted? Does it check
> > comprehensively or does it only check the drive/OS that it is booted to?
>
> Not sure about win98. Have not used it in years but it should work for
> red hat. Again, I need to know more about how you are running it.
>
> > Secondly, is it possible that, despite the KWrited popups that occurred on 2
> > different occasions, my machine is unaffected?
>
> Dan, it is entirely possible that your machine is *not* compromised. The
> listing you were getting is simply telling you that you have directories
> and files that can be executed, read, and changed/deleted by anyone that
> has access to your system. That means these directories are set to 777
> permissions, and these files are set to 666 perms. Are you getting any
> other kind of warnings?

No, the file listings just looked suspicious. Things like:

/usr/share/apps/kcsd/cddb/blues
/usr/share/apps/kcsd/cddb/classical
/usr/share/apps/kcsd/cddb/country
/usr/share/apps/kcsd/cddb/data
/usr/share/apps/kcsd/cddb/folk
/usr/share/Abisuite/fonts/s0500001.u2g
etc.

Also some Security Warnings for "User Unowned files found:"

/RH51data_hdb1/stiefeld/gnome (stiefeld is me)
etc. ?

> Hope it helps,

It helps TONS! When you know just a little, it's dangerous. Easy to misinterpret things. All your inputs really help me get oriented. When I read books/web info, typically it is for generic situations and not directly applicable to my particular twisted situation...

Thanks
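
Added example, not part of the original thread and not msec's own code: a shell function that reproduces the kind of world-writable listing discussed above and separates plain 666/777 entries from sticky-bit directories such as /tmp, which are world-writable by design. The name `ww_audit` is hypothetical, GNU `find` and `stat` are assumed, and passing a mount point (for example the thread's /RH51data_hdb1) scans that drive from the running system.

```shell
#!/bin/sh
# Added example (assumption: GNU find and GNU stat are available).
# ww_audit ROOT prints one line per world-writable entry under ROOT:
#   FILE    regular file writable by "other"               (e.g. mode 666)
#   DIR     directory writable by "other", no sticky bit   (e.g. mode 777)
#   STICKY  world-writable directory with the sticky bit   (e.g. mode 1777)
# Output format: "<class> <octal-mode> <path>"
ww_audit() {
    root=${1:-/}
    # -xdev keeps find on one filesystem, so a second drive is scanned
    # only when its mount point is passed as ROOT.
    # -perm -0002 matches entries with the "other write" bit set.
    find "$root" -xdev \( -type f -o -type d \) -perm -0002 -print 2>/dev/null |
    while IFS= read -r path; do
        # Skip entries that vanish or cannot be read between find and stat.
        mode=$(stat -c '%a' "$path" 2>/dev/null) || continue
        if [ -d "$path" ]; then
            # With the sticky bit set, users can only delete their own
            # files in the directory; without it, anyone can remove or
            # replace anything inside.
            if [ -k "$path" ]; then class=STICKY; else class=DIR; fi
        else
            class=FILE
        fi
        printf '%s %s %s\n' "$class" "$mode" "$path"
    done
}

# Run as a script: sh ww_audit.sh /mount/point
if [ "$#" -gt 0 ]; then
    ww_audit "$1"
fi
```

DIR and FILE lines are the ones worth reviewing; tightening one is a matter of `chmod o-w` on the path once it is clear nothing depends on the loose mode.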