Re: [libreoffice-users] Re: [3.6] "listening on the network"

2012-08-20 Thread Philippe Naudin
On Fri. 17 Aug 2012 16:44:32 CEST, NoOp wrote:
> ...
> And from Fedora 17 (rpm)
> LO3.6:
> $ lsof -U | grep soffice
> soffice.b 30094   gg    6u  unix 0xf4440b40  0t0 116738 socket
> soffice.b 30094   gg   10u  unix 0xf4441d40  0t0 116742 /tmp/OSL_PIPE_1000_SingleOfficeIPC_5d6a40e77981cf59bf3a90df38dfa5f7
> soffice.b 30094   gg   27u  unix 0xf44406c0  0t0 116776 socket
> soffice.b 30094   gg   28u  unix 0xf4441680  0t0 116778 socket
> soffice.b 30094   gg   33u  unix 0xdb205680  0t0 116782 socket
> 
> $ rkhunter --version
> Rootkit Hunter 1.4.0
> 
> No warnings regarding anything 'soffice' in the rkhunter logs.

Thanks for your input. Can you confirm that this command doesn't
produce any result related to LibreOffice:
rkhunter --enable packet_cap_apps --report-warnings-only

After investigating a bit more, and running rkhunter in debug mode,
here is what I found:
rkhunter searches for the inodes listed in /proc/net/packet and then searches
for these inodes in the output of lsof (to get the command which created the
process). But this second search is a simple grep, and can match
something other than a PID.

In my case, I get:
$ cat /proc/net/packet
sk   RefCnt Type Proto  Iface R Rmem   User   Inode
8100bdbe0c00 3  30003   2 1 0  0  8374

This is probably dhclient, but I need to confirm it.

$ lsof -lMnPw -d 1-20 | egrep 8374
# this is the command used by rkhunter
soffice.b 15012  1058   15r   REG   8,2  8374 1954680 /opt/libreoffice3.6/program/resource/ofaen-US.res

Here, the inode found in /proc/net/packet matches the size
of ofaen-US.res, not its inode!

The relevant part of the debug logs produced by rkhunter is:
[snip]
+ INODE_LIST=
++ egrep -v '^sk|888e' /proc/net/packet
++ awk '{ print $9 }'
+ for INODE in '`egrep -v '\''^sk|888e'\'' /proc/net/packet | awk '\''{ print $9 }'\''`'
+ INODE_LIST='|8374'
++ echo '|8374'
++ sed -e 's/^|//'
+ INODE_LIST=8374
[snip]
+ for PID in '`${LSOF_CMD} -lMnPw -d 1-20 | egrep "[](${INODE_LIST})[   ]" | awk '\''{ print $2 }'\''`'
+ NAME=
+ '[' -h /proc/15012/exe -a 1 -eq 1 ']'
++ /usr/bin/readlink -f /proc/15012/exe
++ cut '-d ' -f1
+ NAME=/opt/libreoffice3.6/program/soffice.bin
+ test -z /opt/libreoffice3.6/program/soffice.bin
+ AMATCH=1
+ for RKHTMPVAR in '${ALLOWPROCLISTENERS}'
+ '[' /opt/libreoffice3.6/program/soffice.bin = /sbin/dhclient ']'
+ for RKHTMPVAR in '${ALLOWPROCLISTENERS}'
+ '[' /opt/libreoffice3.6/program/soffice.bin = /usr/bin/dhcpcd ']'
+ for RKHTMPVAR in '${ALLOWPROCLISTENERS}'
+ '[' /opt/libreoffice3.6/program/soffice.bin = /usr/sbin/dhcpd ']'
+ '[' 1 -eq 0 ']'
+ FOUND=1
+ BLACKPROC='
/opt/libreoffice3.6/program/soffice.bin 15012'
[snip]

I'll contact the authors of rkhunter to get confirmation, and 
hopefully correction, of this problem.

Thanks again for helping to clarify the situation,

-- 
Philippe Naudin
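
As an added illustration of the mismatch described in this message (not code from the thread or from rkhunter itself), the following Python reproduces rkhunter's whole-line grep from the debug log against a constructed lsof listing, and contrasts it with a check that only accepts a packet socket whose inode column matches. The lsof lines, the dhclient PID, and the assumption that lsof shows a packet socket with TYPE "pack" and its inode in the DEVICE column are constructed for the example.

```python
import re

# Constructed sample of `lsof -lMnPw -d 1-20` output (not a real capture).
# Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
# Line 2 mirrors the post: a regular file whose SIZE/OFF happens to be 8374.
# Line 3 is a hypothetical packet socket with inode 8374 (assumed lsof layout).
LSOF_OUTPUT = """\
COMMAND    PID  USER FD  TYPE  DEVICE SIZE/OFF    NODE NAME
soffice.b 15012 1058 15r  REG     8,2     8374 1954680 /opt/libreoffice3.6/program/resource/ofaen-US.res
dhclient   2311    0  5u  pack   8374      0t0     ALL type=SOCK_RAW
bash      14990 1058  1u  CHR  136,3      0t0       6 /dev/pts/3
"""

# Inodes read from /proc/net/packet (constructed; the post shows inode 8374).
PACKET_INODES = ["8374"]


def rkhunter_style_pids(lsof_text, inodes):
    """Reproduce the logic visible in the rkhunter 1.4.0 debug log: egrep the
    whole lsof line for a whitespace-delimited inode number and take column 2
    as the PID. Any column can match, SIZE/OFF included, hence the false hit."""
    pattern = re.compile(r"[ \t](" + "|".join(map(re.escape, inodes)) + r")[ \t]")
    return [line.split()[1] for line in lsof_text.splitlines() if pattern.search(line)]


def packet_socket_pids(lsof_text, inodes):
    """Stricter check: only count a line whose TYPE column is a packet socket
    ("pack") and whose DEVICE column carries one of the wanted inodes.
    Assumption: lsof prints packet sockets with the inode in DEVICE."""
    wanted = set(inodes)
    hits = []
    for line in lsof_text.splitlines():
        cols = line.split()
        if len(cols) < 9 or cols[0] == "COMMAND":
            continue  # skip the header and anything truncated
        cmd, pid, _user, _fd, ftype, device = cols[:6]
        if ftype == "pack" and device in wanted:
            hits.append((cmd, pid))
    return hits


if __name__ == "__main__":
    print("rkhunter-style grep flags PIDs:", rkhunter_style_pids(LSOF_OUTPUT, PACKET_INODES))
    print("column-aware check flags:", packet_socket_pids(LSOF_OUTPUT, PACKET_INODES))
```

The first call reports soffice.bin (PID 15012) alongside the real packet socket owner because the file size 8374 satisfies the grep; the second reports only the packet socket.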

-- 
For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted



[libreoffice-users] Re: [3.6] "listening on the network"

2012-08-17 Thread NoOp
On 08/17/2012 01:27 PM, NoOp wrote:
> On 08/17/2012 12:04 AM, Philippe Naudin wrote:
...
>> Thanks for your reply. I'm using an rpm ;), it is rkhunter-1.4.0-1.el5.
> 
> I'm installing that now on Fedora 17 to test.
> 
>> 
>> Of course I can get rkhunter silent with something like
>> DISABLE_TESTS="hidden_ports" or ALLOWPROCLISTEN="soffice.bin".
>> In this case it will not complain about LibreOffice listening on
>> the network... even when I open a file with some malware inside.
>> 
>> Can you check the output of this command:
>> lsof -U | grep soffice
>> 
>> With LibreOffice-3.5, I get only one line (/tmp/OSL_PIPE_...), but
>> with LibreOffice-3.6 I get two more lines, two unix sockets.
>> 
>> Regards,
>> 
> 
> LO3.5:
> $ lsof -U | grep soffice
> soffice.b 10636   gg    3u  unix 0x  0t0 3994910 socket
> soffice.b 10636   gg    7u  unix 0x  0t0 3994914 socket
> soffice.b 10636   gg    9u  unix 0x  0t0 3994918 /tmp/OSL_PIPE_1000_SingleOfficeIPC_5fb899de7f8c215610dccf91954a6c
> soffice.b 10636   gg   12u  unix 0x  0t0 3994992 socket
> soffice.b 10636   gg   26u  unix 0x  0t0 4004457 socket
> soffice.b 10636   gg   28u  unix 0x  0t0 4004462 socket
> soffice.b 10636   gg   29u  unix 0x  0t0 4005488 socket
> soffice.b 10636   gg   33u  unix 0x  0t0 4005654 socket
> 
> LO3.6:
> $ lsof -U | grep soffice
> soffice.b 10807   gg    6u  unix 0x  0t0 4079489 socket
> soffice.b 10807   gg   10u  unix 0x  0t0 4079493 socket
> soffice.b 10807   gg   13u  unix 0x  0t0 4079497 /tmp/OSL_PIPE_1000_SingleOfficeIPC_cc556045c3355e1abfd1d44ea4ee4532
> soffice.b 10807   gg   15u  unix 0x  0t0 4079499 socket
> soffice.b 10807   gg   24u  unix 0x  0t0 4079581 socket
> soffice.b 10807   gg   26u  unix 0x  0t0 4079663 socket
> soffice.b 10807   gg   27u  unix 0x  0t0 4079762 socket
> soffice.b 10807   gg   32u  unix 0x  0t0 4079938 socket

And from Fedora 17 (rpm)
LO3.6:
$ lsof -U | grep soffice
soffice.b 30094   gg    6u  unix 0xf4440b40  0t0 116738 socket
soffice.b 30094   gg   10u  unix 0xf4441d40  0t0 116742 /tmp/OSL_PIPE_1000_SingleOfficeIPC_5d6a40e77981cf59bf3a90df38dfa5f7
soffice.b 30094   gg   27u  unix 0xf44406c0  0t0 116776 socket
soffice.b 30094   gg   28u  unix 0xf4441680  0t0 116778 socket
soffice.b 30094   gg   33u  unix 0xdb205680  0t0 116782 socket

$ rkhunter --version
Rootkit Hunter 1.4.0

No warnings regarding anything 'soffice' in the rkhunter logs.



[libreoffice-users] Re: [3.6] "listening on the network"

2012-08-17 Thread NoOp
On 08/17/2012 12:04 AM, Philippe Naudin wrote:
> On Thu. 16 Aug 2012 19:38:31 CEST, NoOp wrote:
> 
...
>> I can't replicate on the deb version with:
>> Rootkit Hunter version 1.3.8
>> 
>> What version of rkhunter & have you:
>>  rkhunter --update
>> to ensure that your rkhunter is up to date?
>> 
>> Version 3.6.0.4 (Build ID: 932b512)
>> 
>> I won't be able to check an rpm version until later - sorry.
> 
> Hi,
> 
> Thanks for your reply. I'm using an rpm ;), it is rkhunter-1.4.0-1.el5.

I'm installing that now on Fedora 17 to test.

> 
> Of course I can get rkhunter silent with something like
> DISABLE_TESTS="hidden_ports" or ALLOWPROCLISTEN="soffice.bin".
> In this case it will not complain about LibreOffice listening on
> the network... even when I open a file with some malware inside.
> 
> Can you check the output of this command:
> lsof -U | grep soffice
> 
> With LibreOffice-3.5, I get only one line (/tmp/OSL_PIPE_...), but
> with LibreOffice-3.6 I get two more lines, two unix sockets.
> 
> Regards,
> 

LO3.5:
$ lsof -U | grep soffice
soffice.b 10636   gg    3u  unix 0x  0t0 3994910 socket
soffice.b 10636   gg    7u  unix 0x  0t0 3994914 socket
soffice.b 10636   gg    9u  unix 0x  0t0 3994918 /tmp/OSL_PIPE_1000_SingleOfficeIPC_5fb899de7f8c215610dccf91954a6c
soffice.b 10636   gg   12u  unix 0x  0t0 3994992 socket
soffice.b 10636   gg   26u  unix 0x  0t0 4004457 socket
soffice.b 10636   gg   28u  unix 0x  0t0 4004462 socket
soffice.b 10636   gg   29u  unix 0x  0t0 4005488 socket
soffice.b 10636   gg   33u  unix 0x  0t0 4005654 socket

LO3.6:
$ lsof -U | grep soffice
soffice.b 10807   gg    6u  unix 0x  0t0 4079489 socket
soffice.b 10807   gg   10u  unix 0x  0t0 4079493 socket
soffice.b 10807   gg   13u  unix 0x  0t0 4079497 /tmp/OSL_PIPE_1000_SingleOfficeIPC_cc556045c3355e1abfd1d44ea4ee4532
soffice.b 10807   gg   15u  unix 0x  0t0 4079499 socket
soffice.b 10807   gg   24u  unix 0x  0t0 4079581 socket
soffice.b 10807   gg   26u  unix 0x  0t0 4079663 socket
soffice.b 10807   gg   27u  unix 0x  0t0 4079762 socket
soffice.b 10807   gg   32u  unix 0x  0t0 4079938 socket



Re: [libreoffice-users] Re: [3.6] "listening on the network"

2012-08-17 Thread Philippe Naudin
On Thu. 16 Aug 2012 19:38:31 CEST, NoOp wrote:

> On 08/16/2012 04:45 AM, Philippe Naudin wrote:
> > Hello,
> > 
> > I am using LibreOffice x86_64 on Linux, installed from official rpms.
> > Since it got updated to Version 3.6.0.4 (Build ID: 932b512), rkhunter
> > whines:
> >   Checking for packet capturing applications
> >   Warning: Process '/opt/libreoffice3.6/program/soffice.bin' (PID 15079) is listening on the network.
> > 
> > lsof -i doesn't show anything related to soffice, but lsof -U shows:
> >   COMMAND     PID   USER   FD   TYPE DEVICE         SIZE/OFF   NODE NAME
> >   soffice.b 15079 naudin   11u  unix 0x8100883b7c80  0t0 352208 socket
> >   X          2924   root   44u  unix 0x8100883b7980  0t0 352209 /tmp/.X11-unix/X0
> >   soffice.b 15079 naudin   12u  unix 0x8100883b7680  0t0 352210 /tmp/OSL_PIPE_1058_SingleOfficeIPC_474aee6e854ee537ef2ad5a42cd51fe9
> >   soffice.b 15079 naudin   22u  unix 0x8100883b7080  0t0 352223 socket
> >   X          2924   root   46u  unix 0x8100883b7380  0t0 352224 /tmp/.X11-unix/X0
> > 
> > The same rkhunter has no problem with LibreOffice 3.5.4.2, Build ID:
> > 165a79a-7059095-e13bb37-fef39a4-9503d18, also an official rpm for Linux
> > x86_64.
> > But LibreOffice-3.5 only uses one socket, the /tmp/OSL_PIPE one.
> > 
> > Is there a way to turn off these extra sockets in 3.6?
> > 
> > Thanks,
> > 
> 
> I can't replicate on the deb version with:
> Rootkit Hunter version 1.3.8
> 
> What version of rkhunter & have you:
>  rkhunter --update
> to ensure that your rkhunter is up to date?
> 
> Version 3.6.0.4 (Build ID: 932b512)
> 
> I won't be able to check an rpm version until later - sorry.

Hi,

Thanks for your reply. I'm using an rpm ;), it is rkhunter-1.4.0-1.el5.

Of course I can get rkhunter silent with something like
DISABLE_TESTS="hidden_ports" or ALLOWPROCLISTEN="soffice.bin".
In this case it will not complain about LibreOffice listening on
the network... even when I open a file with some malware inside.

Can you check the output of this command:
lsof -U | grep soffice

With LibreOffice-3.5, I get only one line (/tmp/OSL_PIPE_...), but
with LibreOffice-3.6 I get two more lines, two unix sockets.

Regards,

-- 
Philippe Naudin



[libreoffice-users] Re: [3.6] "listening on the network"

2012-08-16 Thread NoOp
On 08/16/2012 04:45 AM, Philippe Naudin wrote:
> Hello,
> 
> I am using LibreOffice x86_64 on Linux, installed from official rpms.
> Since it got updated to Version 3.6.0.4 (Build ID: 932b512), rkhunter
> whines:
>   Checking for packet capturing applications
>   Warning: Process '/opt/libreoffice3.6/program/soffice.bin' (PID 15079) is listening on the network.
> 
> lsof -i doesn't show anything related to soffice, but lsof -U shows:
>   COMMAND     PID   USER   FD   TYPE DEVICE         SIZE/OFF   NODE NAME
>   soffice.b 15079 naudin   11u  unix 0x8100883b7c80  0t0 352208 socket
>   X          2924   root   44u  unix 0x8100883b7980  0t0 352209 /tmp/.X11-unix/X0
>   soffice.b 15079 naudin   12u  unix 0x8100883b7680  0t0 352210 /tmp/OSL_PIPE_1058_SingleOfficeIPC_474aee6e854ee537ef2ad5a42cd51fe9
>   soffice.b 15079 naudin   22u  unix 0x8100883b7080  0t0 352223 socket
>   X          2924   root   46u  unix 0x8100883b7380  0t0 352224 /tmp/.X11-unix/X0
> 
> The same rkhunter has no problem with LibreOffice 3.5.4.2, Build ID:
> 165a79a-7059095-e13bb37-fef39a4-9503d18, also an official rpm for Linux
> x86_64.
> But LibreOffice-3.5 only uses one socket, the /tmp/OSL_PIPE one.
> 
> Is there a way to turn off these extra sockets in 3.6?
> 
> Thanks,
> 

I can't replicate on the deb version with:
Rootkit Hunter version 1.3.8

What version of rkhunter & have you:
 rkhunter --update
to ensure that your rkhunter is up to date?

Version 3.6.0.4 (Build ID: 932b512)

I won't be able to check an rpm version until later - sorry.
