[Novalug] rkhunter : is it to worry??

Beartooth beartooth at Beartooth.Info
Tue Jun 9 11:35:31 EDT 2009


On Mon, 8 Jun 2009, Scott Musman wrote:

 	[....]
> 2). There are a number of legitimate reasons why xinetd could be on. If
> it worries you, turn it off.

 	I meant to ask about that.

 	I turned it on, and set it to launch on boot, years ago. 
Privoxy seems to require it, or used to. At least, whenever any 
browser can't connect, system-config-services usually shows 
either that privoxy has stopped, or that xinetd has. Then 
starting one or both fixes things.

 	What's wrong with it??

> 3). The sabayon account might be suspicious, but it is most
> probably a result of checking the box "User Profile Editor" in
> Ubuntu's 'Add/Remove Applications'. To remove it, simply
> UN-check the entry and click 'apply changes'.

 	I run Fedora, not Ubuntu, unless I have to for some 
reason. All I know about sabayon is that the description in 
PackageKit made it sound useful -- but I haven't gotten around to 
trying it yet, or even finding out what it is ...

> 4). Not sure about the latest versions of things, but rkhunter has some
> old fashioned ideas about bin files that it thinks should be binaries,
> and will tend to complain if they've been turned into scripts. How old
> is the version of rkhunter? Probably older than the OS release.

[btth@Hbsk2 network-scripts]$ rpm -q rkhunter
rkhunter-1.3.4-5.fc10.noarch
[btth@Hbsk2 network-scripts]$

 	I do updates every day or three; so that is pretty sure 
to be the latest in the Fedora repos.

> As for checking the machine, mainly you should do some manual 
> checking of login, logouts, network services that you wouldn't 
> expect to be there using lsof, and just basically look for 
> suspicious things.

 	Eee-yowww! Is there a beginner's guide to lsof? That 
output is vast beyond my imagining, and I have no idea what it's 
telling me; but the man page loses me almost at once -- classic 
example of something written for those who already know, and just 
want to check some detail. Even just a legend saying what each 
column is would help.

> You probably know more about what that machine "should" be 
> doing, and who should be accessing it from where, and would be 
> able to find anomalies that no script could find. If all that 
> checks out, look for signs of log tampering. Things like large 
> gaps in the timestamps, missing reboot messages, etc.
 	[....]

 	The column showing what look to be userids is mostly btth 
(me) or root, with a few of what I think are standard daemons; 
but lots of the things in the first column (process names??) are 
unfamiliar, and lots get dozens of lines ...

 	Also, for aught I know, some nogoodnik might be 
pretending to be btth.

 	The bottom line contains "(7178,1) 100%" -- but I have no 
idea what it's counting, what the units are, nor where to find 
the ballpark it ought to be in.

> BTW. What happened on May 28? What changed to make it start sending you
> these messages? Who that you know, changed what?

 	Iirc, somebody mentioned rkhunter on some list; that 
reminded me I hadn't been reading root's mail; and when I looked, 
there were these warnings. So I looked back up the list of 
messages to find what appeared to be the first; but I have no 
recollection of that day in particular.

-- 
Beartooth Implacable, Curmudgeonly Codger Learning Linux
On the Internet, you can never tell who is a dog --
supposing you care -- but you can tell who has a mind.
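The log-tampering check Scott Musman suggests above (large gaps in the timestamps, missing reboot messages) can be scripted. The following is an added example, not code from the thread or from rkhunter; the log lines, host name and addresses in it are constructed, and it assumes the year-less `Mon DD HH:MM:SS` syslog format that Fedora's /var/log/messages used at the time.

```python
"""Flag silences in a syslog-style file. A long gap that is followed by a
boot or syslogd-restart message is a reboot; a long gap with no such message
is the kind of anomaly worth investigating by hand."""
from datetime import datetime, timedelta

# Constructed sample log (not from any real machine): normal activity, a
# reboot-shaped gap, then a gap that nothing explains.
SAMPLE_LOG = """\
Jun  8 09:00:01 hbsk2 crond[1201]: (root) CMD (run-parts /etc/cron.hourly)
Jun  8 09:15:22 hbsk2 sshd[2210]: Accepted publickey for btth from 192.0.2.10 port 51234 ssh2
Jun  8 09:40:05 hbsk2 su: pam_unix(su-l:session): session opened for user root by btth(uid=500)
Jun  8 10:30:44 hbsk2 kernel: Linux version 2.6.27 (example build string)
Jun  8 10:31:02 hbsk2 sshd[1750]: Server listening on 0.0.0.0 port 22.
Jun  8 10:45:10 hbsk2 crond[1305]: (root) CMD (run-parts /etc/cron.hourly)
Jun  8 14:02:33 hbsk2 sshd[3412]: Accepted password for btth from 198.51.100.7 port 40022 ssh2
"""

# Substrings that legitimately explain a silence (kernel boot banner, syslogd restart).
BOOT_MARKERS = ("kernel: Linux version", "syslogd")

def parse_ts(line, year):
    """Turn the 'Mon DD HH:MM:SS' prefix of a syslog line into a datetime.
    The year is not in the line, so the caller supplies it (rollover over
    New Year is not handled here)."""
    mon, day, clock, _rest = line.split(None, 3)
    return datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")

def find_gaps(log_text, year=2009, max_gap=timedelta(minutes=45)):
    """Return (start, end, explained) for every silence longer than max_gap.
    explained is True when the first line after the gap is a boot marker."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    gaps = []
    for prev, cur in zip(lines, lines[1:]):
        t0, t1 = parse_ts(prev, year), parse_ts(cur, year)
        if t1 - t0 > max_gap:
            explained = any(marker in cur for marker in BOOT_MARKERS)
            gaps.append((t0, t1, explained))
    return gaps

def suspicious_gaps(log_text, **kw):
    """Only the gaps that no boot message accounts for."""
    return [g for g in find_gaps(log_text, **kw) if not g[2]]

if __name__ == "__main__":
    for t0, t1, ok in find_gaps(SAMPLE_LOG):
        print(f"{t0} -> {t1}: {'reboot' if ok else 'no boot message, look closer'}")
```

Run it against a real file with `find_gaps(open('/var/log/messages').read())` and tune `max_gap` to how chatty the machine normally is; a quiet box with hourly cron entries should never go silent for much longer than an hour without a reboot to explain it.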
