On Fri 29 December 2006 03:26 Carlos E. R. wrote:
The Thursday 2006-12-28 at 12:38 -0500, Darko Gavrilovic wrote:
I interpreted the OP's question as more of a question about rkhunter's usage and the false positives it generates, as opposed to any inherent insecurities in a default SUSE install.
I rather think he asks if rkhunter's reports are real and there are security problems. He is preoccupied with having backdoors in 10.2. See:

|> Does the second problem mean that openSUSE 10.2 has a security hole in the
|> default install and a fresh installation can be exploited remotely
|> during/after online update, when making a fresh install? Or does one of the
|> online repositories include a package with a backdoor?
He was asked to supply exact error messages in order to investigate further, but he hasn't come back yet. So, I'd ignore this.
rkhunter report:

* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ Warning! ]
---------------
/dev/.tmp-22-0
/dev/.udev
/etc/.pwd.lock
---------------
Please inspect: /dev/.tmp-22-0 (block special (22/0))

Some investigation: the invisible files detected by rkhunter you can see on a fresh installation which is completely disconnected (without an Ethernet NIC).

/dev/.udev/
  db/ (directory ls in attachment; change time when the system boots; after making an ls of this directory, there is a file named ls sized 0 bytes)
  uevent_seqnum (5 bytes, 4 numbers as text, different on each machine; change time when the system boots)
---------
/dev/
  .tmp-XX-X (X are random digits; change time when the system boots)
---------
/etc/
  .pwd.lock (change time when the system was installed)

I don't know what the hell it is. The only thing that I have done is an easy password on those testing systems, and I have been warned by a system message about that (password detected in dictionary). The files in /dev and /etc are there just after the first boot. I have tried this on 2 physical machines and 2 virtual machines. The MD5 hash of the DVD ISO is OK, downloaded from a Czech mirror. Does anybody know what those files mean?

And second, I have an openSUSE 10.0 machine with permanent incoming 500 bytes/s traffic (but no outgoing traffic, I mean requests) and don't know what the traffic means.

Pavel Chalupa
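As an added example (not part of the thread, and not rkhunter's own code), here is a small triage script for exactly this kind of "hidden files" warning: it parses the flagged paths out of the report quoted above and separates the entries a stock udev/glibc install creates by itself from anything that still needs a manual look. The sample report is constructed from the message above; the benign-path notes are my own explanations (udev's runtime database and temporary major-minor device nodes, glibc's lckpwdf() lock file), not a list shipped by rkhunter.

```python
import re

# Constructed sample: the hidden-files section of the rkhunter report quoted in this thread.
SAMPLE_REPORT = """\
* Filesystem checks
Checking /dev for suspicious files...                        [ OK ]
Scanning for hidden files...                                 [ Warning! ]
---------------
/dev/.tmp-22-0
/dev/.udev
/etc/.pwd.lock
---------------
Please inspect:  /dev/.tmp-22-0 (block special (22/0))
"""

# Entries a fresh install produces on its own (assumption: my notes, not rkhunter's allowlist).
KNOWN_BENIGN = {
    "/dev/.udev": "udev runtime database, rebuilt at every boot",
    "/etc/.pwd.lock": "lock file created by glibc lckpwdf() when passwd/shadow are edited",
}
# udev builds a device node under a temporary name (.tmp-<major>-<minor>) and renames it into
# place, which is why the digits differ between machines and the ctime moves at every boot.
BENIGN_PATTERNS = [(re.compile(r"^/dev/\.tmp-\d+-\d+$"), "udev temporary device node (major-minor)")]


def extract_hidden_files(report):
    """Return the paths listed between the dashed lines that follow the hidden-files warning."""
    paths, seen_warning, inside = [], False, False
    for line in report.splitlines():
        if line.startswith("Scanning for hidden files") and "Warning" in line:
            seen_warning = True
            continue
        if not seen_warning:
            continue
        if line.startswith("---"):
            if inside:
                break  # second dashed line closes the list
            inside = True
            continue
        if inside and line.startswith("/"):
            paths.append(line.strip())
    return paths


def triage(paths):
    """Map each flagged path to ('benign', reason) or ('inspect', reason)."""
    result = {}
    for p in paths:
        if p in KNOWN_BENIGN:
            result[p] = ("benign", KNOWN_BENIGN[p])
            continue
        for pattern, why in BENIGN_PATTERNS:
            if pattern.match(p):
                result[p] = ("benign", why)
                break
        else:
            result[p] = ("inspect", "not explained by a known installer/udev artifact")
    return result
```

A path that lands in "inspect" is worth cross-checking against the package database (for example `rpm -qf` on the file) and its ctime against the last boot or install, which is the same reasoning the thread applies by hand.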