Re: [SLUG] Ldd report from rkhunter - Update
On Thu, 21 Jan 2010 15:54:01 -0600 Rodolfo Martínez rmt...@gmail.com wrote:

> Hi Alan,
>
> You can find what package provides the ldd program, and then verify the integrity of the package. If it really changed I think you should look for any suspicious activity in your server.
>
> I think you can find the package with dpkg -S $(which ldd) and you can check its integrity with debsum. ldd shouldn't change, unless you have updated your system.

Just checking the Debian Security site ( http://www.debian.org/security/ ) I see that it was updated for the amd64 architecture.

Thanks for the lesson on how to check out this sort of thing.

Cheers,
Alan

> Rodolfo Martínez
> Dirección de Proyectos
> Aleux México | http://www.aleux.com
>
> On Thu, Jan 21, 2010 at 3:27 PM, Alan L Tyree a...@austlii.edu.au wrote:
>> Dear SLUGGERS,
>>
>> I just got this report from rkhunter on my machine:
>>
>> Warning: The file properties have changed:
>> File: /usr/bin/ldd
>> Current inode: 331476    Stored inode: 17196
>> Current file modification time: 1263451668
>> Stored file modification time : 1231069314
>>
>> I see that ldd prints the shared libraries required by each program, but I don't understand why it should have been changed or if I should be worried about it. I ran chkrootkit and it showed no warnings.
>>
>> System is Debian Lenny amd64.
>>
>> What does it all mean?
>>
>> Thanks for help.
>> Alan

--
Alan L Tyree http://www2.austlii.edu.au/~alan
Tel: 04 2748 6206
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] Ldd report from rkhunter - Update
On Fri, Jan 22, 2010 at 09:20:46AM +1100, Alan L Tyree wrote:
> On Thu, 21 Jan 2010 15:54:01 -0600 Rodolfo Martínez rmt...@gmail.com wrote:
>> Hi Alan,
>>
>> You can find what package provides the ldd program, and then verify the integrity of the package. If it really changed I think you should look for any suspicious activity in your server.
>>
>> I think you can find the package with dpkg -S $(which ldd) and you can check its integrity with debsum. ldd shouldn't change, unless you have updated your system.
>
> Just checking the Debian Security site ( http://www.debian.org/security/ ) I see that it was updated for the amd64 architecture.
>
> Thanks for the lesson on how to check out this sort of thing.
>
> Cheers,
> Alan

So everything looks fine. I wonder why rkhunter complained. Doesn't coordinate with the packaging system?

Anyway, this reminded me of an interesting article on ldd I read the other day:
http://www.catonmat.net/blog/ldd-arbitrary-code-execution/

Fun
Matt
Re: [SLUG] Ldd report from rkhunter - Update
Hi Matt,

rkhunter creates a database (MD5SUMs) of some files; if they change for any reason, like a system upgrade/update, it will complain about it. rkhunter should be run again to get the new MD5SUMs. This applies for any Host Intruder Detection System (HIDS) (i.e. tripwire, AIDE, etc.).

> Anyway, this reminded me of an interesting article on ldd I read the other day:

I did read that article too, but who runs ldd as root? :P

Rodolfo Martínez
Dirección de Proyectos
Aleux México | http://www.aleux.com

2010/1/21 Matthew Hannigan m...@zip.com.au:
> On Fri, Jan 22, 2010 at 09:20:46AM +1100, Alan L Tyree wrote:
>> On Thu, 21 Jan 2010 15:54:01 -0600 Rodolfo Martínez rmt...@gmail.com wrote:
>>> Hi Alan,
>>>
>>> You can find what package provides the ldd program, and then verify the integrity of the package. If it really changed I think you should look for any suspicious activity in your server.
>>>
>>> I think you can find the package with dpkg -S $(which ldd) and you can check its integrity with debsum. ldd shouldn't change, unless you have updated your system.
>>
>> Just checking the Debian Security site ( http://www.debian.org/security/ ) I see that it was updated for the amd64 architecture.
>>
>> Thanks for the lesson on how to check out this sort of thing.
>>
>> Cheers,
>> Alan
>
> So everything looks fine. I wonder why rkhunter complained. Doesn't coordinate with the packaging system?
>
> Anyway, this reminded me of an interesting article on ldd I read the other day:
> http://www.catonmat.net/blog/ldd-arbitrary-code-execution/
>
> Fun
> Matt
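One way to do the package cross-check described in this thread (dpkg -S to name the package, then debsums to verify it) by hand, as an added example that is not part of anyone's post: debsums compares each installed file against the MD5 list dpkg recorded at install time in /var/lib/dpkg/info/<package>.md5sums, and the function below does that comparison for a single file. The sample tree and the package name PKG are constructed so the script runs offline; md5sum(1) and awk are assumed to be present.

```shell
#!/bin/sh
# Added example, not from the thread. Re-does by hand what `debsums` does for
# one file: compare its current MD5 with the hash dpkg recorded at install time
# in /var/lib/dpkg/info/<package>.md5sums (lines are "<md5>  <path>", the
# path being relative to /). Assumes md5sum(1) and awk are available.

# check_against_md5sums LIST ROOT RELPATH
# Prints a verdict; exit status 0 = matches, 1 = modified, 2 = not listed.
check_against_md5sums() {
    list=$1; root=$2; rel=$3
    expected=$(awk -v f="$rel" '$2 == f { print $1; exit }' "$list")
    if [ -z "$expected" ]; then
        echo "unknown: $rel is not recorded in $list"
        return 2
    fi
    actual=$(md5sum "$root/$rel" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "ok: $rel matches the package's md5sums"
        return 0
    fi
    echo "modified: $rel expected $expected, got $actual"
    return 1
}

# Constructed sample tree so the script runs offline: a stand-in "ldd" plus the
# md5sums list a hypothetical package PKG would have shipped for it.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/bin"
    printf '#!/bin/sh\necho constructed stand-in for ldd\n' > "$dir/usr/bin/ldd"
    printf '%s  usr/bin/ldd\n' "$(md5sum "$dir/usr/bin/ldd" | awk '{ print $1 }')" \
        > "$dir/PKG.md5sums"
    echo "$dir"
}

# Demo: the pristine file passes; a file changed behind dpkg's back does not.
# On a real Debian host, once `dpkg -S /usr/bin/ldd` names the package, run
#   check_against_md5sums /var/lib/dpkg/info/<package>.md5sums / usr/bin/ldd
# After a legitimate package update the new binary and the new md5sums list
# arrive together, so this check passes while rkhunter's stored baseline is
# stale; a mismatch here is the case that deserves a closer look.
tree=$(make_sample_tree)
check_against_md5sums "$tree/PKG.md5sums" "$tree" usr/bin/ldd
printf 'echo tampered\n' >> "$tree/usr/bin/ldd"
check_against_md5sums "$tree/PKG.md5sums" "$tree" usr/bin/ldd
rm -rf "$tree"
```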
Re: [SLUG] Ldd report from rkhunter - Update
On Thu, Jan 21, 2010 at 05:37:53PM -0600, Rodolfo Martínez wrote:
> Hi Matt,
>
> rkhunter creates a database (MD5SUMs) of some files; if they change for any reason, like a system upgrade/update, it will complain about it. rkhunter should be run again to get the new MD5SUMs. This applies for any Host Intruder Detection System (HIDS) (i.e. tripwire, AIDE, etc.).

Ah, thought so, thanks. I think it would be a worthwhile thing for systems like AIDE to remove dpkg/rpm checkable files from its checks. Perhaps as an option.

>> Anyway, this reminded me of an interesting article on ldd I read the other day:
>
> I did read that article too, but who runs ldd as root? :P

Well, me, until recently :-). But only with 'trusted' but bizarrely behaving apps on Solaris.

But running as root doesn't really matter. A malicious app could just stick an alias for, say, sudo in your .bashrc or any number of similar things - it's just the start of a possible penetration.

Matt