Yesterday, I installed ImageMagick (a graphics processing package) on a CentOS 
5 box, using 'yum'.

I also used setuid experimentally on a couple of shell scripts, which I then 
removed.

Today, rkhunter is advising me that the file properties for:

        sulogin
        csh
        login
        tcsh    
        groupadd
        groupdel
        groupmod
        grpck
        pwck
        lastlog
        newgrp
        passwd
        perl

have been changed, and a new user and group 'xfs' have been created.

'xfs' is associated with the X Font Server used by ImageMagick (which has a 
list of dependencies as long as your arm), but the changes to the system files 
are, quite frankly, scary.

Does anyone know whether these changes could legitimately have been triggered 
by either (a) installing ImageMagick, or (b) using setuid for the first time? 
Or has installing ImageMagick opened a vulnerability that has been promptly 
exploited by some ingenious hacker?

Thanks in advance for any advice or reassurance,

Angus


_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
