Hello Gunther yes this is normal because the security-script runs a find for files and use it as input into ls(1) or whatever. What happens when you get empty input? By default the ls lists the current working directory and therefor this output. See /usr/lib/secchk/security~ekly.sh line ~ 90-124. cu mario
-----Original Message----- From: Gunther Stammwitz [mailto:gstammw@gmx.net] Sent: Monday, April 14, 2003 1:09 AM To: suse-security@suse.com Subject: [suse-security] Weekly-check: Is this normal ?
Hello List,
I've just received the weekly-check-report from one of my servers running suse 8.0 There's a very annying message because a file called "." has been changed.
Do you think this is normal or did a hacker start installing rootkits ?
Greetings, Gunther
SuSE weekly security check v2.0 by Marc Heuse
This is an automated mail by the seccheck tool. If you want to disable this service, just type "mv /etc/cron.d/seccheck /etc/cron.d_seccheck.save". DISCLAIMER
Please note that these security checks are neither complete nor reliable. Any attacker with proper experience and root access to your system can deceive *any* security check!
[..]
Please check and perhaps disable the following unused accounts:
The following files are suid/sgid: - drwx------ 7 root root 4096 Tue Dec 31 15:28:17 2002 . + drwx------ 7 root root 4096 Sat Apr 12 15:30:15 2003 .
The following program executables are group/world writeable: - drwx------ 7 root root 4096 Tue Dec 31 15:28:17 2002 . + drwx------ 7 root root 4096 Sat Apr 12 15:30:15 2003 .
The following devices were added: - drwx------ root root 4096 Dec + drwx------ root root 4096 Apr
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here