[SLUG] Ldd report from rkhunter
Dear SLUGGERS, I just got this report from rkhunter on my machine: Warning: The file properties have changed: File: /usr/bin/ldd Current inode: 331476Stored inode: 17196 Current file modification time: 1263451668 Stored file modification time : 1231069314 I see that ldd prints the shared libraries required by each program, but I don't understand why it should have been changed or if I should be worried about it. I ran chkrootkit and it showed no warnings. System is Debian Lenny amd64. What does it all mean? Thanks for help. Alan -- Alan L Tyreehttp://www2.austlii.edu.au/~alan Tel: 04 2748 6206 -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Ldd report from rkhunter
Hi Alan, You can find what package provides the ldd program, and then verify the integrity of the package. If it really changed I think you should look for any suspicious activity in your server. I think you can find the package with dpkg -S $(which ldd) and you can check its integrity with debsum. ldd shouldn't change, unless you have updated your system. Rodolfo Martínez Dirección de Proyectos Aleux México | http://www.aleux.com On Thu, Jan 21, 2010 at 3:27 PM, Alan L Tyree wrote: > Dear SLUGGERS, > > I just got this report from rkhunter on my machine: > > Warning: The file properties have changed: > File: /usr/bin/ldd > Current inode: 331476 Stored inode: 17196 > Current file modification time: 1263451668 > Stored file modification time : 1231069314 > > > I see that ldd prints the shared libraries required by each program, > but I don't understand why it should have been changed or if I should > be worried about it. > > I ran chkrootkit and it showed no warnings. System is Debian Lenny > amd64. > > What does it all mean? Thanks for help. > > Alan > > > -- > Alan L Tyree http://www2.austlii.edu.au/~alan > Tel: 04 2748 6206 > > -- > SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ > Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html > -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Ldd report from rkhunter
On Thu, 21 Jan 2010 15:54:01 -0600 Rodolfo Martínez wrote: > Hi Alan, > > You can find what package provides the ldd program, and then verify > the integrity of the package. If it really changed I think you should > look for any suspicious activity in your server. > > I think you can find the package with dpkg -S $(which ldd) and you can > check its integrity with debsum. OK, it is in libc6 and the debsum checked out OK. > > ldd shouldn't change, unless you have updated your system. I accept the regular Lenny security updates. I can't remember if libc6 was one of them or not. Thanks for your help. alan > > > Rodolfo Martínez > Dirección de Proyectos > Aleux México | http://www.aleux.com > > > > On Thu, Jan 21, 2010 at 3:27 PM, Alan L Tyree > wrote: > > Dear SLUGGERS, > > > > I just got this report from rkhunter on my machine: > > > > Warning: The file properties have changed: > > File: /usr/bin/ldd > > Current inode: 331476 Stored inode: 17196 > > Current file modification time: 1263451668 > > Stored file modification time : 1231069314 > > > > > > I see that ldd prints the shared libraries required by each program, > > but I don't understand why it should have been changed or if I > > should be worried about it. > > > > I ran chkrootkit and it showed no warnings. System is Debian Lenny > > amd64. > > > > What does it all mean? Thanks for help. > > > > Alan > > > > > > -- > > Alan L Tyree http://www2.austlii.edu.au/~alan > > Tel: 04 2748 6206 > > > > -- > > SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ > > Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html > > > -- Alan L Tyreehttp://www2.austlii.edu.au/~alan Tel: 04 2748 6206 -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Ldd report from rkhunter - Update
On Thu, 21 Jan 2010 15:54:01 -0600 Rodolfo Martínez wrote: > Hi Alan, > > You can find what package provides the ldd program, and then verify > the integrity of the package. If it really changed I think you should > look for any suspicious activity in your server. > > I think you can find the package with dpkg -S $(which ldd) and you can > check its integrity with debsum. > > ldd shouldn't change, unless you have updated your system. Just checking the Debian Security site ( http://www.debian.org/security/) I see that it was updated for the amd64 architecture. Thanks for the lesson on how to check out this sort of thing. Cheers, Alan > > Rodolfo Martínez > Dirección de Proyectos > Aleux México | http://www.aleux.com > > > > On Thu, Jan 21, 2010 at 3:27 PM, Alan L Tyree > wrote: > > Dear SLUGGERS, > > > > I just got this report from rkhunter on my machine: > > > > Warning: The file properties have changed: > > File: /usr/bin/ldd > > Current inode: 331476 Stored inode: 17196 > > Current file modification time: 1263451668 > > Stored file modification time : 1231069314 > > > > > > I see that ldd prints the shared libraries required by each program, > > but I don't understand why it should have been changed or if I > > should be worried about it. > > > > I ran chkrootkit and it showed no warnings. System is Debian Lenny > > amd64. > > > > What does it all mean? Thanks for help. > > > > Alan > > > > > > -- > > Alan L Tyree http://www2.austlii.edu.au/~alan > > Tel: 04 2748 6206 > > > > -- > > SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ > > Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html > > > -- Alan L Tyreehttp://www2.austlii.edu.au/~alan Tel: 04 2748 6206 -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Ldd report from rkhunter - Update
On Fri, Jan 22, 2010 at 09:20:46AM +1100, Alan L Tyree wrote: > On Thu, 21 Jan 2010 15:54:01 -0600 > Rodolfo Martínez wrote: > > > Hi Alan, > > > > You can find what package provides the ldd program, and then verify > > the integrity of the package. If it really changed I think you should > > look for any suspicious activity in your server. > > > > I think you can find the package with dpkg -S $(which ldd) and you can > > check its integrity with debsum. > > > > ldd shouldn't change, unless you have updated your system. > > Just checking the Debian Security site > ( http://www.debian.org/security/) I see that it was updated for the > amd64 architecture. > > Thanks for the lesson on how to check out this sort of thing. > > Cheers, > Alan So everything looks fine. I wonder why rkhunter complained. Doesn't coordinate with the packaging system? Anyway, this reminded me of an interesting article on ldd I read the other day: http://www.catonmat.net/blog/ldd-arbitrary-code-execution/ Fun Matt -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Ldd report from rkhunter - Update
Hi Matt, rkhunter creates a database (MD5SUM's) of some files, if they change for any reason, like a system upgrade/update, it will complain about it. rkhunter should be run again to get the new MD5SUM's. This applies for any Host Intruder Detection System (HIDS) (i.e. tripwire, AIDE, etc...). > Anyway, this reminded me of an interesting article on ldd I read the other > day: I did read that article too, but who runs ldd as root? :P Rodolfo Martínez Dirección de Proyectos Aleux México | http://www.aleux.com 2010/1/21 Matthew Hannigan : > On Fri, Jan 22, 2010 at 09:20:46AM +1100, Alan L Tyree wrote: >> On Thu, 21 Jan 2010 15:54:01 -0600 >> Rodolfo Martínez wrote: >> >> > Hi Alan, >> > >> > You can find what package provides the ldd program, and then verify >> > the integrity of the package. If it really changed I think you should >> > look for any suspicious activity in your server. >> > >> > I think you can find the package with dpkg -S $(which ldd) and you can >> > check its integrity with debsum. >> > >> > ldd shouldn't change, unless you have updated your system. >> >> Just checking the Debian Security site >> ( http://www.debian.org/security/) I see that it was updated for the >> amd64 architecture. >> >> Thanks for the lesson on how to check out this sort of thing. >> >> Cheers, >> Alan > > > So everything looks fine. I wonder why rkhunter complained. Doesn't > coordinate with the packaging system? > > Anyway, this reminded me of an interesting article on ldd I read the other > day: > > http://www.catonmat.net/blog/ldd-arbitrary-code-execution/ > > Fun > > Matt > > -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Ldd report from rkhunter - Update
On Thu, Jan 21, 2010 at 05:37:53PM -0600, Rodolfo Martínez wrote: > Hi Matt, > > rkhunter creates a database (MD5SUM's) of some files, if they change > for any reason, like a system upgrade/update, it will complain about > it. rkhunter should be run again to get the new MD5SUM's. This applies > for any Host Intruder Detection System (HIDS) (i.e. tripwire, AIDE, > etc...). Ah, thought so, thanks.I think it would be worthwhile thing for systems like AIDE to remove dpkg/rpm checkable files from its checks. Perhaps as an option. > > Anyway, this reminded me of an interesting article on ldd I read the other > > day: > > I did read that article too, but who runs ldd as root? :P Well, me, until recently :-). But only with 'trusted' but bizarrely behaving apps on solaris. But running as root doesn't really matter. A malicious app could just stick an alias for say sudo in your .bashrc or any number of similar things - it's just the start of a possible penetration. Matt -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
