[Novalug] rkhunter : is it to worry??
beartooth at Beartooth.Info
Tue Jun 9 11:35:31 EDT 2009
On Mon, 8 Jun 2009, Scott Musman wrote:
> 2). There are a number of legitimate reasons why xinetd could be on. If
> it worries you, turn it off.
I meant to ask about that.
I turned it on, and set it to launch on boot, years ago.
Privoxy seems to require it, or used to. At least, whenever any
browser can't connect, system-config-services usually shows
either that privoxy has stopped, or that xinetd has. Then
starting one or both fixes things.
What's wrong with it??
> 3). The sabayon account might be suspicious, but it is most
> probably a result of checking the box "User Profile Editor" in
> Ubuntu's 'Add/Remove Applications'. To remove it, simply
> UN-check the entry and click 'apply changes'.
I run Fedora, not Ubuntu, unless I have to for some
reason. All I know about sabayon is that the description in
PackageKit made it sound useful -- but I haven't gotten around to
trying it yet, or even finding out what it is ...
> 4). Not sure about that latest versions of things, but rkhunter has some
> old fashioned ideas about bin files that it thinks should be binaries,
> and will tend to complain if they've been turned into scripts. How old
> is the version of rkhunter.. Probably older than the OS release..
[btth at Hbsk2 network-scripts]$ rpm -q rkhunter
[btth at Hbsk2 network-scripts]$
I do updates every day or three; so that is pretty sure
to be the latest in the Fedora repos.
> As for checking the machine, mainly you should do some manual
> checking of login, logouts, network services that you wouldn't
> expect to be there using lsof, and just basically look for
> suspicious things.
Eee-yowww! Is there a beginner's guide to lsof? That
output is vast beyond my imagining, and I have no idea what it's
telling me; but the man page loses me almost at once -- classic
example of something written for those who already know, and just
want to check some detail. Even just a legend saying what each
column is would help.
> You probably know more about what that machine "should" be
> doing, and who should be accessing it from where, and would be
> able to find anomalies that no script could find. If all that
> checks out, look for signs of log tampering. Things like large
> gaps in the timestamps, missing reboot messages, etc.
The column showing what look to be userids is mostly btth
(me) or root, with a few of what I think are standard daemons;
but lots of the things in the first column (process names??) are
unfamiliar, and lots get dozens of lines ...
Also, for aught I know, some nogoodnik might be
pretending to be btth.
The bottom line contains "(7178,1) 100%" -- but I have no
idea what it's counting, what the units are, nor where to find
the ballpark it ought to be in.
> BTW. What happened on May 28? What changed to make it start sending you
> these messages? Who that you know, changed what?
Iirc, somebody mentioned rkhunter on some list; that
reminded me I hadn't been reading root's mail; and when I looked,
there were these warnings. So I looked back up the list of
messages to find what appeared to be the first; but I have no
recollection of that day in particular.
Beartooth Implacable, Curmudgeonly Codger Learning Linux
On the Internet, you can never tell who is a dog --
supposing you care -- but you can tell who has a mind.
More information about the Novalug