On 2014-09-13 11:21, Carlos E. R. wrote:
On 2014-09-13 20:00, Jon Cosby wrote:
The attacks seem to continue almost immediately. rkhunter gives a very suspicious warning:
[10:19:02] /sbin/ifup [ Warning ]
[10:19:02] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script, ASCII..
False positive. It *is* a script on openSUSE.
sbin> ls -l ifup
-rwxr-xr-x 1 root root 48711 Apr 10 00:46 ifup

cer@Telcontar:~> l /sbin/ifup
-rwxr-xr-x 1 root root 48711 Apr 10 09:46 /sbin/ifup*
cer@Telcontar:~> file /sbin/ifup
/sbin/ifup: Bourne-Again shell script, ASCII text executable
cer@Telcontar:~> rpm -qf /sbin/ifup
sysconfig-network-0.81.5-30.1.x86_64
cer@Telcontar:~> rpm -V sysconfig-network
cer@Telcontar:~>
Thanks. What about the universal permissions on ifdown?

sbin> ls -l ifdown
lrwxrwxrwx 1 root root 4 Sep 12 18:05 ifdown -> ifup

And again, there’s a long signal going out when I come back from suspension. I'm assuming it's coming from ifup.

Jon
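
The checks run in this thread, collected into one script as an added example (not part of any message above). The function names are hypothetical. It resolves a flagged path first, because on Linux a symlink always lists as lrwxrwxrwx and access is decided by the target's mode, then asks rpm whether the real file is owned by a package and still verifies.

```shell
#!/bin/bash
# Added example: re-check a path that a scanner such as rkhunter flagged.
# Function names are hypothetical; the rpm queries mirror the ones in the thread.

# Print the real file behind a path and the mode bits that actually apply.
# The rwxrwxrwx shown on a symlink itself is not used for access control.
effective_mode() {
    local path="$1" target
    target=$(readlink -f -- "$path") || return 1
    [ -e "$target" ] || return 1          # dangling link or missing file
    printf '%s %s\n' "$target" "$(stat -c '%a' -- "$target")"
}

# Report whether the resolved file belongs to an RPM package and whether that
# package still matches the RPM database (empty verify output = unchanged).
package_status() {
    local target pkg changes
    target=$(readlink -f -- "$1") || return 1
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm-unavailable"
        return 0
    fi
    if ! pkg=$(rpm -qf "$target" 2>/dev/null); then
        echo "unowned"                    # no package claims this file
        return 0
    fi
    changes=$(rpm -Vf "$target" 2>/dev/null || true)
    if [ -z "$changes" ]; then
        echo "ok $pkg"
    else
        echo "modified $pkg"
    fi
}

# Stand-alone use: ./check.sh /sbin/ifdown
if [ "$#" -gt 0 ]; then
    effective_mode "$1" && package_status "$1"
fi
```

An "unowned" or "modified" result on a system binary is the case that deserves a closer look; "ok" corresponds to the empty `rpm -V` output shown in the thread.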