Re: [expert] Chkrootkit shows nothing ??

2002-05-10 Thread David Relson

Dan,

The messages about "world writeable files" are from Mandrake Security
(better known as /usr/sbin/msec).  The first time it runs, it tells you
about all the anomalies it detects - unusual file permissions, etc.  After
that, each time it runs it compares what it finds (today) to what it found
yesterday.  If there are differences, it will report them.  Look in
/var/log/security to see the "today" and "yesterday" files.

David




Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com



Re: [expert] Chkrootkit shows nothing ??

2002-05-10 Thread Jones,Daniel E.

I have a pretty plausible guess for what is going on, and it is not a
compromise.  

First, all the files in /usr/share/apps/kcsd/cddb are related to the CD
player that comes with KDE.  (that's the kscd part.)  CDDB is a database
of track information on lots of CDs that can be accessed over the 'net. 
kscd uses it to provide you with the names of the tracks, etc, when you
play a CD.  If it doesn't already have the info it downloads it.  It
looks to me like kscd is saving these in world-writeable files.  This
would only be suspicious if (for instance)
* the files are new and you haven't been using kscd
* the files are executables
* the files are suid



(cleaned up some of the many quoted sections a bit)

Regarding the "User Unowned files found:"
> /RH51data_hdb1/stiefeld/gnome  (stiefeld is me)

I note that this is on your RH partition.  You might check and see what
your UID is on RH versus Mandrake.  If it is not the same then when
Mandrake looks at RH (and vice versa) the UID will not be recognized and
this error could be generated.   To check this just do an
ls -l
If the OS recognizes the UID then the user name will appear, otherwise
it will display the UID number.
This is something to remember when setting up accounts on multiboot
systems!  You *can* specify the UID, and if they are the same on all the
*nix systems that will see the partition, so much the better.  


db wrote:
> 
> 
> No, the file listings just looked suspicious.  Things like:
> /usr/share/apps/kcsd/cddb/blues
> /usr/share/apps/kcsd/cddb/classical
> /usr/share/apps/kcsd/cddb/country
> /usr/share/apps/kcsd/cddb/data
> /usr/share/apps/kcsd/cddb/folk
> /usr/share/Abisuite/fonts/s051.u2g
> 
> etc.
> 
> Also some Security Warnings for "User Unowned files found:"
> /RH51data_hdb1/stiefeld/gnome  (stiefeld is me)
> 
> etc.  ?
> 
> > Hope it helps,
>






Re: [expert] Chkrootkit shows nothing ??

2002-05-10 Thread db

> Daniel Stiefel wrote:
> >
> > A few days ago, I got some KWrited docs popping up on my Mandrake 8.1
> > desktop ("Security warning: World Writeable files found" followed by a
> > long list of files located on both hard drives).  I am a linux newbie and
> > assumed the popups were the product of some kind of monitoring utility
> > that I had inadvertently installed.
>
> This is correct, and the installed program doing these checks is a
> program called, by Mandrake, msec.

Yes, I remember installing that.

> > Although I have a simple workstation setup (except for the extra
> > partitions and triple boot aspect to it!) and installed 8.1 with medium
> > security, I went back into 8.1's control panel and re-set it to medium
> > security and the Kwrited popups stopped appearing.
>
> With this move, you have "loosened" your security settings. You have
> gone down a level, and this could be okay or it could be a problem for
> you, in terms of security. It depends a lot on other variables, such as
> how you connect to the internet, what other kinds of protection are you
> running (firewall, etc.), and so on.

Ok, I went back in and set the security level up to high.  (And plugged the
network cable back in.)

> > From the lists of files displayed, I assumed my machine had been
> > compromised and that I would have to partition, reformat, reload the
> > win98, mandrake 8.1 and Redhat 5.1 partition in order to make things
> > right.  I downloaded chkrootkit (and with some help from this group), ran
> > it while booted to the main HD/ Mandrake 8.1 just to see what was up.
> > Surprisingly it showed nothing.  I'm not sure why that is.  I am not
> > familiar with chkrootkit and may have failed to run it so that it
> > searched all of the drives.
>
> How are you running it? We need a little more info on this part of your
> operation.

From the Mandrake 8.1 partition on my primary drive (which also contains
win98SE) logged on as a user, I su-ed to a folder on my desktop where I had
downloaded chkrootkit, untarred it in a second directory and then changed
into that directory, used the make command and then the chkrootkit command.
It reported no problems.  (I also have a slave drive with RH 5.1 which boots
to a boot floppy (the whole reason for this setup ... we need 5.1 to run a
deadended legacy app and Mandrake 8.1 to run a cdburner for outputting the
apps data...).  Am not sure if it was checked.

> > Can anyone tell me how to run it to search RH 5.1 or the win98SE
> > partition? Can that be done from 8.1 on the other drive as I attempted?
> > Does it check comprehensively or does it only check the drive/OS that it
> > is booted to?
>
> Not sure about win98. Have not used it in years but it should work for
> red hat. Again, I need to know more about how you are running it.
>
> >
> > Secondly, is it possible that, despite the KWrited popups that occurred
> > on 2 different occasions, my machine is unaffected?
>
> Dan, it is entirely possible that your machine is *not* compromised. The
> listing you were getting is simply telling you that you have directories
> and files that can be executed, read, and changed/deleted by anyone that
> has access to your system. That means these directories are set to 777
> permissions, and these files are set to 666 perms. Are you getting any
> other kind of warnings?

No, the file listings just looked suspicious.  Things like:
/usr/share/apps/kcsd/cddb/blues
/usr/share/apps/kcsd/cddb/classical
/usr/share/apps/kcsd/cddb/country
/usr/share/apps/kcsd/cddb/data
/usr/share/apps/kcsd/cddb/folk
/usr/share/Abisuite/fonts/s051.u2g

etc.

Also some Security Warnings for "User Unowned files found:"
/RH51data_hdb1/stiefeld/gnome  (stiefeld is me)

etc.  ?

> Hope it helps,

It helps TONS!  When you know just a little, it's dangerous.  Easy to
misinterpret things. All your inputs really help me get oriented.  When I
read books/ webinfo, typically it is for generic situations and not directly
applicable to my particular twisted situation...

Thanks









Re: [expert] Chkrootkit shows nothing ??

2002-05-10 Thread Jones,Daniel E.

You don't recall the names of some of the files, do you?  Whether a
particular file being world-readable is a security problem depends
entirely on which file it is.  It is entirely possible that one of your
applications is saving files with this permission.  Did this occur
shortly after you started using an application for the first time, or
after you had saved files from an application?  

It is by no means clear that your workstation has been compromised, and
I would look more carefully before I did anything so drastic as to
reformat and start over.

You could get a list of *all* world-writeable files with the following
command line:

find / -perm +002 -print
# warning - that could be a lot of files!   you might want to redirect
# it to a file...

Also, you said that you have a Win98 partition.   Look carefully at the
permissions assigned to it.  It would not surprise me a whole lot if it
was world-writeable.   You might be able to check this with a "mount"
command.  not sure, and not on a Linux box right now :-(   If that isn't
informative, take a look at the file /etc/fstab and see what options are
used on the win98 partition.   You might also check the man page for
mount and see what it says about default settings for vfat partitions.

D. Jones


"J. Craig Woods" wrote:
> 
> Daniel Stiefel wrote:
> >
> > A few days ago, I got some KWrited docs popping up on my Mandrake 8.1
> > desktop ("Security warning: World Writeable files found" followed by a long
> > list of files located on both hard drives).  I am a linux newbie and assumed
> > the popups were the product of some kind of monitoring utility that I had
> > inadvertently installed.
> 
> This is correct, and the installed program doing these checks is a
> program called, by Mandrake, msec.
> 
> >
> > Although I have a simple workstation setup (except for the extra partitions
> > and triple boot aspect to it!) and installed 8.1 with medium security, I
> > went
> > back into 8.1's control panel and re-set it to medium security and the
> > Kwrited
> > popups stopped appearing.
> 
> With this move, you have "loosened" your security settings. You have
> gone down a level, and this could be okay or it could be a problem for
> you, in terms of security. It depends a lot on other variables, such as
> how you connect to the internet, what other kinds of protection are you
> running (firewall, etc.), and so on.
> 
> >
> > From the lists of files displayed, I assumed my machine had been compromised
> > and that I would have to partition, reformat, reload the win98, mandrake 8.1
> > and Redhat 5.1 partition in order to make things right.  I downloaded
> > chkrootkit (and with some help from this group), ran it while booted to the
> > main HD/ Mandrake 8.1 just to see what was up.  Surprisingly it showed
> > nothing.  I'm not sure why that is.  I am not familiar with chkrootkit and
> > may have failed to run it so that it searched all of the drives.
> 
> How are you running it? We need a little more info on this part of your
> operation.
> 
> >
> > Can anyone tell me how to run it to search RH 5.1 or the win98SE partition?
> > Can that be done from 8.1 on the other drive as I attempted? Does it check
> > comprehensively or does it only check the drive/OS that it is booted to?
> 
> Not sure about win98. Have not used it in years but it should work for
> red hat. Again, I need to know more about how you are running it.
> 
> >
> > Secondly, is it possible that, despite the KWrited popups that occurred on 2
> > different occasions, my machine is unaffected?
> 
> Dan, it is entirely possible that your machine is *not* compromised. The
> listing you were getting is simply telling you that you have directories
> and files that can be executed, read, and changed/deleted by anyone that
> has access to your system. That means these directories are set to 777
> permissions, and these files are set to 666 perms. Are you getting any
> other kind of warnings?
> 
> Hope it helps,
> 
> --
> J. Craig Woods
> UNIX/NT Network/System Administration
> http://www.trismegistus.net
> "Character is built upon the debris of despair" --Emerson
> 



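An added example, not code from the thread: a small POSIX shell audit that does what the replies above describe, listing world-writable entries (excluding sticky directories such as /tmp, which are world-writable by design), flagging any that are also setuid/setgid, and listing files whose owner UID has no entry in the local passwd file, which is what the "User Unowned files" warning reflects when another OS's partition uses different UIDs. It uses `-perm -002` instead of the older `+002` form, which modern GNU find no longer accepts; it assumes the argument is a mount point such as / or the Red Hat partition's mount point, and is run once per filesystem because of `-xdev`.

```shell
#!/bin/sh
# Audit one filesystem for the two msec warning classes discussed in the thread.
# Example script, not part of msec or chkrootkit; paths are assumptions.

# World-writable entries, excluding directories that carry the sticky bit
# (e.g. /tmp): those are world-writable by design and are not an anomaly.
world_writable() {
    find "$1" -xdev -perm -002 ! \( -type d -perm -1000 \) -print 2>/dev/null
}

# World-writable regular files that are also setuid or setgid.  Anyone on the
# box could replace a program that runs with elevated privileges, so these
# are the entries to look at first.
world_writable_suid() {
    find "$1" -xdev -type f -perm -002 \( -perm -4000 -o -perm -2000 \) \
        -print 2>/dev/null
}

# Files whose numeric UID or GID has no entry in /etc/passwd or /etc/group.
# On a multiboot system this is usually a UID mismatch between the installed
# OSes rather than a sign of compromise; compare with `ls -ln` on both sides.
unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null
}

# Run all three checks against one filesystem and print them with headings.
audit_perms() {
    root=${1:-/}
    echo "== world-writable (sticky dirs excluded) under $root"
    world_writable "$root"
    echo "== world-writable AND setuid/setgid under $root"
    world_writable_suid "$root"
    echo "== files with no local owner/group under $root"
    unowned "$root"
}

# Usage (the mount point is the one named in the thread; adjust to yours):
#   audit_perms /              > /root/ww-root.txt
#   audit_perms /RH51data_hdb1 > /root/ww-rh51.txt
```

Redirect the output to a file as the reply suggests; on a full system the world-writable list can be long, and diffing today's file against yesterday's is exactly what msec does.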



Re: [expert] Chkrootkit shows nothing ??

2002-05-10 Thread J. Craig Woods

Daniel Stiefel wrote:
> 
> A few days ago, I got some KWrited docs popping up on my Mandrake 8.1
> desktop ("Security warning: World Writeable files found" followed by a long
> list of files located on both hard drives).  I am a linux newbie and assumed
> the popups were the product of some kind of monitoring utility that I had
> inadvertently installed.

This is correct, and the installed program doing these checks is a
program called, by Mandrake, msec.

> 
> Although I have a simple workstation setup (except for the extra partitions
> and triple boot aspect to it!) and installed 8.1 with medium security, I
> went
> back into 8.1's control panel and re-set it to medium security and the
> Kwrited
> popups stopped appearing.

With this move, you have "loosened" your security settings. You have
gone down a level, and this could be okay or it could be a problem for
you, in terms of security. It depends a lot on other variables, such as
how you connect to the internet, what other kinds of protection are you
running (firewall, etc.), and so on.
 
> 
> From the lists of files displayed, I assumed my machine had been compromised
> and that I would have to partition, reformat, reload the win98, mandrake 8.1
> and Redhat 5.1 partition in order to make things right.  I downloaded
> chkrootkit (and with some help from this group), ran it while booted to the
> main HD/ Mandrake 8.1 just to see what was up.  Surprisingly it showed
> nothing.  I'm not sure why that is.  I am not familiar with chkrootkit and
> may have failed to run it so that it searched all of the drives.

How are you running it? We need a little more info on this part of your
operation.

> 
> Can anyone tell me how to run it to search RH 5.1 or the win98SE partition?
> Can that be done from 8.1 on the other drive as I attempted? Does it check
> comprehensively or does it only check the drive/OS that it is booted to?

Not sure about win98. Have not used it in years but it should work for
red hat. Again, I need to know more about how you are running it.

> 
> Secondly, is it possible that, despite the KWrited popups that occurred on 2
> different occasions, my machine is unaffected?

Dan, it is entirely possible that your machine is *not* compromised. The
listing you were getting is simply telling you that you have directories
and files that can be executed, read, and changed/deleted by anyone that
has access to your system. That means these directories are set to 777
permissions, and these files are set to 666 perms. Are you getting any
other kind of warnings?

Hope it helps,

-- 
J. Craig Woods
UNIX/NT Network/System Administration
http://www.trismegistus.net
"Character is built upon the debris of despair" --Emerson


