On Fri, Feb 03, 2006 at 09:35:07PM -0800, Marc Shapiro wrote:
>> According to Todd Weaver,
>>
>>> You can try tiger...
>>>  sudo apt-get update
>>>  sudo apt-get install tiger
>>>  sudo tiger
>
> I have no reason to believe that my box is compromised,

A script that doesn't belong to a package is in your /etc/rc? I'd do a lot
more digging before writing it off as not compromised (or even do a backup
of the filesystem, then a fresh install).

Send the contents of the script to the list for review. (It *would* be a
bash file if it's a Debian script.)

Like mentioned earlier, boot off CD, inspect the script: how did it get
there? It was either part of a package (which I couldn't find), or it was
put there by a root user (if you have multiple roots), or it was placed by
somebody you gave sudo root access to, or it was an eggdrop, by a malicious
user (or external root compromise).

If you boot off CD, you gain a few things:

a) if you run ls, ps, cat etc... they're for sure the binary that you want
   to run (from CD), and not a rootkit'd ls, ps, cat etc... binary (a
   rootkit binary of ls *would* have been compiled to avoid rootkit files)

b) you cannot do harm to your read-only mounted hard-drive.

chkrootkit from CD would tell you if binary files mismatch.

> but I thought that I would try out tiger to close off what I could. Now
> I need someone to point me to someplace that can help me interpret the
> log file.

http://www.nongnu.org/tiger/

Tiger is for hardening your system, finding possibly unused or strange
things.

> I got an awful lot of lines about unowned files and files with invalid
> groups. Those were easy to deal with. They were all files that on
> installation kept the user and group of the maintainer. I have chowned
> them all to root:root. That cut the size of the logfile down from 111K
> to 16K.

Those were just "WARN", which you should take under "Warning" type
advisement. Cleaning up "WARN" messages is good practice, but you can do
with the knowledge as you will. "FAIL"s are a little worse and should be
corrected.

> I also wonder about these:
> [snip]
> # Performing check of `cron' entries...
> [snip]
> --WARN-- [cron004w] Root crontab does not exist

If you didn't make a root crontab, then this makes sense, right?

> --WARN-- [sig004w] None of the following versions of /bin/ls (-rwxr-xr-x)
> matched the /bin/ls on this machine.
> >>>>>> Linux 2.4.17
>
> Since I am running kernel 2.6.8 (the most recent available in Sarge) I
> am curious as to why it is trying to match the files to 2.4.17.

That is *probably* what tiger was compiled against.

> If anyone can point me in the right direction, I would appreciate it.

I'd check the author's docs... http://www.nongnu.org/tiger/
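The two offline checks the reply recommends (is the stray rc script owned by any package, and do the installed binaries still match what the packages shipped) can be scripted against a suspect root filesystem mounted read-only from a rescue CD. The following is an added example, not code from the list post or from tiger/chkrootkit: it does what `dpkg -S` and `debsums` do by reading the `*.list` and `*.md5sums` files under `ROOT/var/lib/dpkg/info/` directly, so the only tools it trusts are the CD's own `grep`, `md5sum` and `sed`. The fixture directory it builds (package names, file contents, the `S99update` script) is constructed for the demonstration; on a real system you would point `ROOT` at the mount point instead.

```shell
#!/bin/sh
# Added example: offline package-ownership and checksum checks against a
# root filesystem mounted read-only at ROOT (e.g. /mnt after booting a
# rescue CD). Assumes a dpkg-based (Debian) system under ROOT.

# Print the package owning PATH (absolute, as seen on the suspect system)
# by searching the dpkg file lists, the way `dpkg -S` does. Empty = unowned.
pkg_owner() {   # pkg_owner ROOT PATH
    root=$1; path=$2
    grep -lxF -- "$path" "$root"/var/lib/dpkg/info/*.list 2>/dev/null \
        | sed 's#.*/##; s#\.list$##' | head -n 1
}

# List files in ROOT/etc/init.d that no installed package claims: these
# are the "how did it get there?" candidates.
unowned_init_scripts() {   # unowned_init_scripts ROOT
    root=$1
    for f in "$root"/etc/init.d/*; do
        [ -f "$f" ] || continue
        rel=${f#"$root"}
        [ -n "$(pkg_owner "$root" "$rel")" ] || echo "$rel"
    done
}

# Compare every file recorded in the packages' md5sums files with the bytes
# on disk under ROOT; print "PKG /PATH" for each mismatch or missing file.
# A rootkit'd /bin/ls shows up here unless the attacker also edited the
# md5sums file, which is why the sums should also be checked against a
# known-good mirror when it matters.
md5sum_mismatches() {   # md5sum_mismatches ROOT
    root=$1
    for sums in "$root"/var/lib/dpkg/info/*.md5sums; do
        [ -f "$sums" ] || continue
        pkg=$(basename "$sums" .md5sums)
        while read -r want rel; do
            [ -n "$rel" ] || continue
            have=$(md5sum -- "$root/$rel" 2>/dev/null | cut -d' ' -f1)
            [ "$have" = "$want" ] || echo "$pkg /$rel"
        done < "$sums"
    done
}

# Constructed fixture standing in for a mounted suspect root: coreutils
# ships /bin/ls (later tampered with), cron ships its init script, and an
# init script that no package owns has appeared.
make_fixture() {
    root=$(mktemp -d)
    info=$root/var/lib/dpkg/info
    mkdir -p "$root/bin" "$root/etc/init.d" "$info"
    printf 'genuine ls\n' > "$root/bin/ls"
    printf '/.\n/bin\n/bin/ls\n' > "$info/coreutils.list"
    printf '%s  bin/ls\n' "$(md5sum "$root/bin/ls" | cut -d' ' -f1)" \
        > "$info/coreutils.md5sums"
    printf '#!/bin/sh\n# shipped by cron\n' > "$root/etc/init.d/cron"
    printf '/.\n/etc\n/etc/init.d\n/etc/init.d/cron\n' > "$info/cron.list"
    printf '%s  etc/init.d/cron\n' "$(md5sum "$root/etc/init.d/cron" | cut -d' ' -f1)" \
        > "$info/cron.md5sums"
    printf '#!/bin/sh\n# nobody knows where this came from\n' \
        > "$root/etc/init.d/S99update"
    printf 'trojaned ls\n' > "$root/bin/ls"   # tampered after the sum was recorded
    echo "$root"
}

# Usage from a rescue environment: ROOT=/mnt sh check.sh
# Without ROOT set, the constructed fixture is checked instead.
ROOT=${ROOT:-$(make_fixture)}
echo "== init scripts not owned by any package"
unowned_init_scripts "$ROOT"
echo "== package files whose md5sum does not match the shipped one"
md5sum_mismatches "$ROOT"
```

Run against the fixture it reports `/etc/init.d/S99update` as unowned and `coreutils /bin/ls` as modified; against a real mount you would follow each hit the way the reply suggests, by reading the script from the CD's shell and asking who could have written it.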