> Daniel Stiefel wrote:
> >
> > A few days ago, I got some KWrited docs popping up on my Mandrake 8.1
> > desktop ("Security warning: World Writeable files found" followed by a
> > long list of files located on both hard drives).  I am a Linux newbie and
> > assumed the popups were the product of some kind of monitoring utility
> > that I had inadvertently installed.
>
> This is correct, and the installed program doing these checks is a
> program called, by Mandrake, msec.

Yes, I remember installing that.

> > Although I have a simple workstation setup (except for the extra
> > partitions and triple boot aspect to it!) and installed 8.1 with medium
> > security, I went back into 8.1's control panel and re-set it to medium
> > security and the Kwrited popups stopped appearing.
>
> With this move, you have "loosened" your security settings. You have
> gone down a level, and this could be okay or it could be a problem for
> you, in terms of security. It depends a lot on other variables, such as
> how you connect to the internet, what other kinds of protection are you
> running (firewall, etc.), and so on.

Ok, I went back in and set the security level up to high.  (And plugged the
network cable back in.)

> > From the lists of files displayed, I assumed my machine had been
> > compromised and that I would have to partition, reformat, reload the
> > win98, mandrake 8.1 and Redhat 5.1 partition in order to make things
> > right.  I downloaded chkrootkit (and with some help from this group), ran
> > it while booted to the main HD/ Mandrake 8.1 just to see what was up.
> > Surprisingly it showed nothing.  I'm not sure why that is.  I am not
> > familiar with chkrootkit and may have failed to run it so that it
> > searched all of the drives.
>
> How are you running it? We need a little more info on this part of your
> operation.

From the Mandrake 8.1 partition on my primary drive (which also contains
win98SE) logged on as a user, I su-ed to a folder on my desktop where I had
downloaded chkrootkit, untarred it in a second directory and then changed
into that directory, used the make command and then the chkrootkit command.
It reported no problems.  (I also have a slave drive with RH 5.1 which boots
to a boot floppy (the whole reason for this setup ... we need 5.1 to run a
deadended legacy app and Mandrake 8.1 to run a cdburner for outputting the
app's data...).  Am not sure if it was checked.)

> > Can anyone tell me how to run it to search RH 5.1 or the win98SE
> > partition?  Can that be done from 8.1 on the other drive as I attempted?
> > Does it check comprehensively or does it only check the drive/OS that it
> > is booted to?
>
> Not sure about win98. Have not used it in years but it should work for
> red hat. Again, I need to know more about how you are running it.
>
> >
> > Secondly, is it possible that, despite the KWrited popups that occurred
> > on 2 different occasions, my machine is unaffected?
>
> Dan, it is entirely possible that your machine is *not* compromised. The
> listing you were getting is simply telling you that you have directories
> and files that can be executed, read, and changed/deleted by anyone that
> has access to your system. That means these directories are set to 777
> permissions, and these files are set to 666 perms. Are you getting any
> other kind of warnings?

No, the file listings just looked suspicious.  Things like:
/usr/share/apps/kcsd/cddb/blues
/usr/share/apps/kcsd/cddb/classical
/usr/share/apps/kcsd/cddb/country
/usr/share/apps/kcsd/cddb/data
/usr/share/apps/kcsd/cddb/folk
/usr/share/Abisuite/fonts/s0500001.u2g

etc.

Also some Security Warnings for "User Unowned files found:"
/RH51data_hdb1/stiefeld/gnome  (stiefeld is me)

etc.  ?

> Hope it helps,

It helps TONS!  When you know just a little, it's dangerous.  Easy to
misinterpret things. All your inputs really help me get oriented.  When I
read books/ webinfo, typically it is for generic situations and not directly
applicable to my particular twisted situation...

Thanks
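
The two warnings discussed in this thread (world-writable files, and files whose owner is unknown) can be reproduced by hand. The following Python sketch is an added example, not part of the original messages and not msec's own code; the function names, the default arguments and the idea of checking owners against a second passwd file (for instance the one on a mounted partition from another install) are assumptions made for illustration.

```python
import os
import stat
import sys


def load_uids(passwd_path):
    """Return the set of numeric UIDs defined in a passwd-format file."""
    uids = set()
    with open(passwd_path) as fh:
        for line in fh:
            fields = line.strip().split(":")
            if len(fields) >= 3 and fields[2].isdigit():
                uids.add(int(fields[2]))
    return uids


def audit(root, known_uids):
    """Walk root and return (world_writable, unowned) as sorted path lists."""
    world_writable, unowned = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            is_dir = stat.S_ISDIR(st.st_mode)
            if st.st_mode & stat.S_IWOTH:
                # Sticky directories (mode 1777, like /tmp) are shared by design.
                if not (is_dir and st.st_mode & stat.S_ISVTX):
                    world_writable.append(path)
            if st.st_uid not in known_uids:
                unowned.append(path)
    return sorted(world_writable), sorted(unowned)


if __name__ == "__main__":
    # Usage: script.py [directory] [passwd file]; both defaults are assumptions.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    passwd = sys.argv[2] if len(sys.argv) > 2 else "/etc/passwd"
    writable, orphans = audit(root, load_uids(passwd))
    for p in writable:
        print("world-writable:", p)
    for p in orphans:
        print("no known owner:", p)
```

Running it over a partition mounted from another install, once with the running system's passwd file and once with that partition's own, shows whether "unowned" files simply belong to a UID that exists only on the other install.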



