[opensuse-security] Security report from rkhunter on default install of openSUSE 10.2
Hi, is there anybody who can explain the security report generated by rkhunter?

At first: default install includes SSHD with remote root login allowed, all users remote login allowed, SSH protocol 1 allowed... during install SSH is disallowed, but SSHD is running after install...

At second: after some online updates, I tried to run rkhunter and it's reporting invisible /dev/tmpblablabla... and some two other files corresponding with this one... this was too confusing and I killed this by command rm /dev/tmpblabla... I have no idea what it was, but rkhunter reported that the system is infected... I have no backup of this, but the machine is still running and I can make some investigation, but I don't know how to do it.

Does the second problem mean that openSUSE 10.2 has a security hole in the default install and a fresh installation can be exploited remotely during/after online update, when making a fresh install? Or does one of the online repositories include a package with a backdoor?

Any suggestions?

Pavel Chalupa
On Wed, Dec 27, 2006 at 12:03:17AM +0100, Pavel Chalupa wrote:
Hi, is there anybody who can explain the security report generated by rkhunter?
At first: default install includes SSHD with remote root login allowed, all users remote login allowed, SSH protocol 1 allowed... during install SSH is disallowed, but SSHD is running after install...
We still allow SSH protocol version 1, but this will go away.
At second: after some online updates, I tried to run rkhunter and it's reporting invisible /dev/tmpblablabla... and some two other files corresponding with this one... this was too confusing and I killed this by command rm /dev/tmpblabla... I have no idea what it was, but rkhunter reported that the system is infected... I have no backup of this, but the machine is still running and I can make some investigation, but I don't know how to do it.
Does the second problem mean that openSUSE 10.2 has a security hole in the default install and a fresh installation can be exploited remotely during/after online update, when making a fresh install? Or does one of the online repositories include a package with a backdoor?
There is no known security hole in the default install and the SUSE supplied repositories. I cannot speak for other repositories, like packman or guru, but you would be the first reporter. And you should give us *exact* error messages from above if you want us to help.

Ciao, MArcus

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
On Wednesday, 27 December 2006 11:51, Marcus Meissner wrote:
There is no known security hole in the default install and the SUSE supplied repositories.
I cannot speak for other repositories, like packman or guru, but you would be the first reporter.
And you should give us *exact* error messages from above if you want us to help.
I don't know about 10.2 (yet; just installing rkhunter on my 10.2), but on my 10.0 rkhunter complains about this:

* Application version scan
- GnuPG 1.4.2 [ Vulnerable ]
- OpenSSL 0.9.7g [ Vulnerable ]

* Check: SSH
Searching for sshd_config... Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
info: Hint: See logfile for more information about this issue
Checking for allowed protocols... [ Warning (SSH v1 allowed) ]

Now, I'm not overly concerned about the "root allowed" since on my box that is allowed only with ssh key, not with passphrase, AND not from external addresses... but I'm not quite sure about the SSHv1 complaint, and the versions...

bye, MH
-- gpg key fingerprint: 5F64 4C92 9B77 DE37 D184 C5F9 B013 44E7 27BD 763C
On Thu, Dec 28, 2006 at 11:08:19AM +0100, Mathias Homann wrote:
On Wednesday, 27 December 2006 11:51, Marcus Meissner wrote:
There is no known security hole in the default install and the SUSE supplied repositories.
I cannot speak for other repositories, like packman or guru, but you would be the first reporter.
And you should give us *exact* error messages from above if you want us to help.
I don't know about 10.2 (yet; just installing rkhunter on my 10.2), but on my 10.0 rkhunter complains about this:
* Application version scan - GnuPG 1.4.2 [ Vulnerable ] - OpenSSL 0.9.7g [ Vulnerable ]
Both have been updated with fixes, but without updating their versions.

Ciao, MArcus
If I remember correctly ssh v1 has several security holes in it and it should be disabled by having the following in your /etc/ssh/sshd_config file:

Protocol 2

On Thu, 2006-12-28 at 11:08 +0100, Mathias Homann wrote:
On Wednesday, 27 December 2006 11:51, Marcus Meissner wrote:
There is no known security hole in the default install and the SUSE supplied repositories.
I cannot speak for other repositories, like packman or guru, but you would be the first reporter.
And you should give us *exact* error messages from above if you want us to help.
I don't know about 10.2 (yet; just installing rkhunter on my 10.2), but on my 10.0 rkhunter complains about this:
* Application version scan - GnuPG 1.4.2 [ Vulnerable ] - OpenSSL 0.9.7g [ Vulnerable ]
* Check: SSH
Searching for sshd_config... Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
info: Hint: See logfile for more information about this issue
Checking for allowed protocols... [ Warning (SSH v1 allowed) ]
Now, I'm not overly concerned about the "root allowed" since on my box that is allowed only with ssh key, not with passphrase, AND not from external addresses... but I'm not quite sure about the SSHv1 complaint, and the versions...
bye, MH
-- gpg key fingerprint: 5F64 4C92 9B77 DE37 D184 C5F9 B013 44E7 27BD 763C
Yup. As per link.

--------
Configure SSH for SSH2-only Access
Modify the /etc/ssh/sshd_config file to change the PROTOCOL line from:
#PROTOCOL 1,2
to:
PROTOCOL 2
---------

On 12/28/06, Shawn Badger <sbadger@cskauto.com> wrote:
If I remember correctly ssh v1 has several security holes in it and it should be disabled by having the following in your /etc/ssh/sshd_config file: Protocol 2
On Thu, 2006-12-28 at 11:08 +0100, Mathias Homann wrote:
On Wednesday, 27 December 2006 11:51, Marcus Meissner wrote:
There is no known security hole in the default install and the SUSE supplied repositories.
I cannot speak for other repositories, like packman or guru, but you would be the first reporter.
And you should give us *exact* error messages from above if you want us to help.
I don't know about 10.2 (yet; just installing rkhunter on my 10.2), but on my 10.0 rkhunter complains about this:
* Application version scan - GnuPG 1.4.2 [ Vulnerable ] - OpenSSL 0.9.7g [ Vulnerable ]
* Check: SSH
Searching for sshd_config... Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
info: Hint: See logfile for more information about this issue
Checking for allowed protocols... [ Warning (SSH v1 allowed) ]
Now, I'm not overly concerned about the "root allowed" since on my box that is allowed only with ssh key, not with passphrase, AND not from external addresses... but I'm not quite sure about the SSHv1 complaint, and the versions...
bye, MH
-- gpg key fingerprint: 5F64 4C92 9B77 DE37 D184 C5F9 B013 44E7 27BD 763C
-- "Develop success from failures. Discouragement and failure are two of the surest stepping stones to success." - Dale Carnegie
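Shawn's and Darko's advice above comes down to the two sshd_config settings that rkhunter's SSH check inspects. The script below is an added example (not from the thread, from rkhunter or from openSUSE) that re-implements those two checks in POSIX sh and runs them against a constructed "as shipped" config and a hardened one; the keyword names are OpenSSH's, and the fallback values used when a keyword is commented out (Protocol 2,1 and PermitRootLogin yes) are the OpenSSH 4.x-era defaults assumed here.

```sh
#!/bin/sh
# Added example, not from the thread: re-implements the two sshd_config checks
# rkhunter reported above ("allowed root login" and "allowed protocols") so the
# shipped defaults can be compared with the "Protocol 2" fix discussed.
# Keyword names are OpenSSH's; the sample configs are constructed for the demo.

# sshd_value FILE KEYWORD DEFAULT
# Prints the effective value of KEYWORD. sshd honours the first active
# (non-comment) occurrence and matches keywords case-insensitively, so the
# upper-case "PROTOCOL 2" from the quoted how-to works like "Protocol 2".
sshd_value() {
    v=$(grep -iE "^[[:space:]]*$2([[:space:]]|=)" "$1" 2>/dev/null | head -n 1 \
        | sed -E 's/^[[:space:]]*[^[:space:]=]+[[:space:]=]+//; s/[[:space:]]+$//')
    printf '%s\n' "${v:-$3}"
}

# audit_sshd_config FILE
# Prints one WARNING line per weak setting; exit status = number of warnings.
# Commented-out keywords fall back to the (assumed) OpenSSH 4.x defaults,
# Protocol 2,1 and PermitRootLogin yes, which is why a default install
# triggers both rkhunter findings.
audit_sshd_config() {
    f=$1; n=0
    proto=$(sshd_value "$f" Protocol "2,1")
    case ",$proto," in
        *,1,*) echo "WARNING: SSH protocol 1 allowed (Protocol $proto)"; n=$((n + 1)) ;;
    esac
    root=$(sshd_value "$f" PermitRootLogin yes | tr 'A-Z' 'a-z')
    case $root in
        no|without-password|forced-commands-only) ;;   # no password login for root
        *) echo "WARNING: root login with password possible (PermitRootLogin $root)"; n=$((n + 1)) ;;
    esac
    return $n
}

# write_sample_configs DIR -> DIR/weak (everything commented out, as shipped)
# and DIR/hardened (the fix from the thread plus key-only root login)
write_sample_configs() {
    cat > "$1/weak" <<'EOF'
# constructed sample resembling the shipped file: keywords left commented out
#Protocol 2,1
#PermitRootLogin yes
X11Forwarding yes
EOF
    cat > "$1/hardened" <<'EOF'
# constructed sample after applying the advice from the thread
PROTOCOL 2
PermitRootLogin without-password
X11Forwarding yes
EOF
}

# Stand-alone demo: audit both samples (weak -> 2 warnings, hardened -> none)
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for c in weak hardened; do
    echo "== $c =="
    audit_sshd_config "$demo_dir/$c" || true
done
rm -rf "$demo_dir"
```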
I interpreted the OP's question as more of a question about rkhunter's usage and the false positives it generates as opposed to any inherent insecurities in a default SUSE install.

On 12/28/06, Darko Gavrilovic <d.gavrilovic@gmail.com> wrote:
Yup. As per link.
-------- Configure SSH for SSH2-only Access
Modify the /etc/ssh/sshd_config file to change the PROTOCOL line from:
#PROTOCOL 1,2
to:
PROTOCOL 2
---------
On 12/28/06, Shawn Badger <sbadger@cskauto.com> wrote:
If I remember correctly ssh v1 has several security holes in it and it should be disabled by having the following in your /etc/ssh/sshd_config file: Protocol 2
On Thu, 2006-12-28 at 11:08 +0100, Mathias Homann wrote:
On Wednesday, 27 December 2006 11:51, Marcus Meissner wrote:
There is no known security hole in the default install and the SUSE supplied repositories.
I cannot speak for other repositories, like packman or guru, but you would be the first reporter.
And you should give us *exact* error messages from above if you want us to help.
I don't know about 10.2 (yet; just installing rkhunter on my 10.2), but on my 10.0 rkhunter complains about this:
* Application version scan - GnuPG 1.4.2 [ Vulnerable ] - OpenSSL 0.9.7g [ Vulnerable ]
* Check: SSH
Searching for sshd_config... Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
info: Hint: See logfile for more information about this issue
Checking for allowed protocols... [ Warning (SSH v1 allowed) ]
Now, I'm not overly concerned about the "root allowed" since on my box that is allowed only with ssh key, not with passphrase, AND not from external addresses... but I'm not quite sure about the SSHv1 complaint, and the versions...
bye, MH
-- gpg key fingerprint: 5F64 4C92 9B77 DE37 D184 C5F9 B013 44E7 27BD 763C
-- "Develop success from failures. Discouragement and failure are two of the surest stepping stones to success." - Dale Carnegie
-- "Develop success from failures. Discouragement and failure are two of the surest stepping stones to success." - Dale Carnegie
The Thursday 2006-12-28 at 12:38 -0500, Darko Gavrilovic wrote:
I interpreted the OP's question as more of a question about rkhunter's usage and the false positives it generates as opposed to any inherent insecurities in a default SUSE install.
I rather think he asks if rkhunter's reports are real and there are security problems. He is preoccupied with having backdoors in 10.2. See:

|> Does the second problem means, that openSUSE 10.2 has security hole in
|> default install and fresh installation can be exploited remotely
|> during/after online update, when making fresh install? Or one of the
|> online repositories includes package with backdoor?

He was asked to supply exact error messages in order to investigate further, but he hasn't come back yet. So, I'd ignore this.

-- Cheers, Carlos E. R.
On Fri 29 December 2006 03:26, Carlos E. R. wrote:
The Thursday 2006-12-28 at 12:38 -0500, Darko Gavrilovic wrote:
I interpreted the OP's question as more of a question about rkhunter's usage and the false positives it generates as opposed to any inherent insecurities in a default SUSE install.
I rather think he asks if rkhunter's report's are real and there are
security problems. He is preoccupied with having backdoors in 10.2. See:
|> Does the second problem means, that openSUSE 10.2 has security hole in
|> default install and fresh installation can be exploited remotely
|> during/after online update, when making fresh install? Or one of the
|> online repositories includes package with backdoor?
He was asked to supply exact error messages in order to investigate further, but he hasn't come back yet. So, I'd ignore this.
rkhunter report:

* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ Warning! ]
---------------
/dev/.tmp-22-0
/dev/.udev
/etc/.pwd.lock
---------------
Please inspect: /dev/.tmp-22-0 (block special (22/0))

some investigation:

invisible files detected by rkhunter you can see on fresh installation which is completely disconnected (without ethernet NIC)

/dev/.udev/
/db/ (directory ls in attachment, change time when system boots, after making ls of this directory, there is a file named ls sized 0 Bytes)
uevent_seqnum (5 bytes, 4 numbers as text - different on each machine, change time when system boots)
---------
/dev/
+.tmp-XX-X (X are random digits, change time when system boots)
---------
/etc/
.pwd.lock (change time when system was installed)

I don't know what the hell it is. The only thing that I have done is an easy password on those testing systems, and I have been warned by a system message about that (password detected in dictionary). The files in /dev and /etc are there just after first boot. I have tried this on 2 physical machines and 2 virtual machines. The MD5 hash of the DVD iso is ok, downloaded from a Czech mirror.

Does anybody know what those files mean?

And at second I have an openSUSE 10.0 machine with permanent incoming 500Bytes/s traffic (but no outgoing traffic - I mean requests) and don't know what the traffic means.

Pavel Chalupa
The Sunday 2006-12-31 at 11:47 +0100, Pavel Chalupa wrote:
invisible files detected by rkhunter you can see on fresh installation which is completely disconnected (without ethernet NIC)
/dev/.udev/
/db/
I believe this is normal in udev. I don't know what it is used for. It is a virtual filesystem, they are created when needed (boot).
.pwd.lock (change time when system was installed)
Lock files are used by some applications when opening files.

-- Cheers, Carlos E. R.
and what about tmp file in /dev?

rkhunter report:

* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ Warning! ]
---------------
/dev/.tmp-22-0
/dev/.udev
/etc/.pwd.lock
---------------
Please inspect: /dev/.tmp-22-0 (block special (22/0))

Pavel Chalupa

On Sun 31 December 2006 13:37, Carlos E. R. wrote:
The Sunday 2006-12-31 at 11:47 +0100, Pavel Chalupa wrote:
invisible files detected by rkhunter you can see on fresh installation which is completely disconnected (without ethernet NIC)
/dev/.udev/
/db/
I believe this is normal in udev. I don't know what it is used for. It is a virtual filesystem, they are created when needed (boot).
.pwd.lock (change time when system was installed)
Lock files are used by some applications when opening files.
The Sunday 2006-12-31 at 13:59 +0100, Pavel Chalupa wrote:
and what about tmp file in /dev?
rkhunter report: ...
/dev/.tmp-22-0
/dev/.udev
/etc/.pwd.lock
---------------
Please inspect: /dev/.tmp-22-0 (block special (22/0))
I have no idea, but 22/0 is hdc (see /usr/src/linux/Documentation/devices.txt):

22 block Second IDE hard disk/CD-ROM interface
0 = /dev/hdc Master: whole disk (or CD-ROM)

It may be a left-over from some process. You will have to ask somebody who really knows how udev works to say what those files are for, or if some of them shouldn't be there and a bug is involved. But I don't feel they are a security risk, just things rkhunter doesn't know about and hasn't been updated to know.

-- Cheers, Carlos E. R.
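The triage Carlos describes for the flagged /dev/.tmp-22-0 entry (decode the major/minor, then decide whether the node belongs there) can be scripted. The following is an added example, not from the thread or from rkhunter, that lists the hidden entries under a directory the way rkhunter's "Scanning for hidden files" check does and reports each one's type, device numbers, modification time and owning RPM package; it uses GNU stat, calls rpm -qf only when rpm is installed, and the demo directory and file names are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): triage for entries flagged by
# rkhunter's "Scanning for hidden files" check, such as /dev/.tmp-22-0.
# Uses GNU stat; device numbers are decoded to decimal so they can be looked
# up in Documentation/devices.txt (22/0 -> /dev/hdc, as Carlos notes).

# describe_node PATH -> "PATH|TYPE|MAJOR:MINOR|MTIME|PACKAGE"
describe_node() {
    p=$1
    type=$(stat -c '%F' "$p") || return 1
    case $type in
        *"special file")
            # %t/%T print major/minor in hex; convert to decimal
            maj=$(stat -c '%t' "$p"); min=$(stat -c '%T' "$p")
            devno="$((0x$maj)):$((0x$min))" ;;
        *) devno="-" ;;
    esac
    # modification time without fractional seconds and zone
    mtime=$(stat -c '%y' "$p" | cut -d. -f1)
    # which package (if any) installed this path: a node created at boot by
    # udev or a lock file written by an application is owned by none, which
    # by itself is expected, not evidence of tampering
    if command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -qf "$p" 2>/dev/null) || pkg="(no package)"
    else
        pkg="(rpm not available)"
    fi
    printf '%s|%s|%s|%s|%s\n' "$p" "$type" "$devno" "$mtime" "$pkg"
}

# list_hidden DIR -> describe every dot-entry directly under DIR, sorted
list_hidden() {
    find "$1" -mindepth 1 -maxdepth 1 -name '.*' | sort | while IFS= read -r f; do
        describe_node "$f"
    done
}

# Stand-alone demo on a constructed directory (no real /dev entries needed)
demo=$(mktemp -d)
mkdir "$demo/.udev"
echo x > "$demo/.tmp-22-0"
list_hidden "$demo"
describe_node /dev/null   # a real character device: 1:3 on Linux
rm -rf "$demo"
```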
Hello!

What I see on all posts is that there is missing knowledge of Linux system internals. I first tried this tool as a newbie and had to learn about all messages which may mean an intrusion. Before trying a professional tool without that much documentation, use Google to find the answer. Don't post too fast if you don't know what's a bad and what's a good error message of that tool. For some messages you have to get special knowledge no SuSE manual can give. A professional tool needs professionals to interpret the messages it gives. If you are no professional, Google will give you a good deal to learn what you don't know. If you don't know anything about the usage and meaning of rkhunter then don't use it, or learn how to use it and how to interpret the messages!

By the way, some messages mean nothing at all, as some file rights and settings of default installations may give false positive intrusion warnings. Look for warnings of rootkits. If you are not sure but have an idea that you are hacked, look for further messages. An intruded system is not the place to look for an intrusion, so boot from an uninfected boot disk and then scan the system from there. Some trojans or backdoors or whatever change system files and hide themselves with changed binaries.

Hope that helps and that no one gets intruded, as general holidays give individuals with free time and nothing to do the opportunity to do their evil workout.

Regards
Philippe

P.S.: Happy new year!
On Wednesday 27 December 2006 11:51, Marcus Meissner wrote:
On Wed, Dec 27, 2006 at 12:03:17AM +0100, Pavel Chalupa wrote:
Hi, is there anybody who can explain the security report generated by rkhunter? (...)
There is no known security hole in the default install and the SUSE supplied repositories.
If I may ask a related question at this point... As far as I know (still using 10.0) neither rkhunter nor chkrootkit is part of the rescue system that comes with the DVD version of SUSE. Will this hopefully be changed? I think it would be nice to have both tools as part of the rescue system, because running these tools from the hard drive may be senseless.

Thanx and happy new year!
Malte
Malte Gell wrote:
On Wednesday 27 December 2006 11:51, Marcus Meissner wrote:
On Wed, Dec 27, 2006 at 12:03:17AM +0100, Pavel Chalupa wrote:
Hi, is there anybody who can explain the security report generated by rkhunter? (...)
There is no known security hole in the default install and the SUSE supplied repositories.
If I may ask a related question at this point... As far as I know (still using 10.0) neither rkhunter nor chkrootkit is part of the rescue system that comes with the DVD version of SUSE. Will this hopefully be changed? I think it would be nice to have both tools as part of the rescue system, because running these tools from the hard drive may be senseless.
Thanx and happy new year! Malte
If you want a new version run from a CD, it will not help you getting rid of those infected items. The best solution is to run a mini-distribution from a USB stick and then always copy the latest required tools onto the stick. There are some mini distros free on the net for this purpose, e.g. a special small Knoppix or other Debian-based mini distros. Don't forget a rescue system on SuSE has the only purpose to make it possible to boot a damaged system, not an infected system, or to restore a broken installation!

Regards
Philippe

P.S.: I hate "away messages" and consider this as spam.
On Mon, Jan 01, 2007 at 11:40:37PM +0100, Malte Gell wrote:
On Wednesday 27 December 2006 11:51, Marcus Meissner wrote:
On Wed, Dec 27, 2006 at 12:03:17AM +0100, Pavel Chalupa wrote:
Hi, is there anybody who can explain the security report generated by rkhunter? (...)
There is no known security hole in the default install and the SUSE supplied repositories.
If I may ask a related question at this point... As far as I know (still using 10.0) neither rkhunter nor chkrootkit is part of the rescue system that comes with the DVD version of SUSE. Will this hopefully be changed? I think it would be nice to have both tools as part of the rescue system, because running these tools from the hard drive may be senseless.
chkrootkit should be part of it now (since 10.1). rkhunter still is not.

Ciao, MArcus
On 12/26/06, Pavel Chalupa <pavel@kregion.cz> wrote:
Hi, is there anybody who can explain the security report generated by rkhunter?
At first: default install includes SSHD with remote root login allowed, all users remote login allowed, SSH protocol 1 allowed... during install SSH is disallowed, but SSHD is running after install...
http://en.opensuse.org/SUSE_Security_Lockdown_-_Hardening_Your_Linux_System
At second: after some online updates, I tried to run rkhunter and it's reporting invisible /dev/tmpblablabla... and some two other files corresponding with this one... this was too confusing and I killed this by command rm /dev/tmpblabla... I have no idea what it was, but rkhunter reported that the system is infected... I have no backup of this, but the machine is still running and I can make some investigation, but I don't know how to do it.
Does the second problem mean that openSUSE 10.2 has a security hole in the default install and a fresh installation can be exploited remotely during/after online update, when making a fresh install? Or does one of the online repositories include a package with a backdoor?
probably false positives. read the faq, http://sourceforge.net/docman/display_doc.php?docid=35179&group_id=155034
Any suggestions?
Pavel Chalupa
-- "Develop success from failures. Discouragement and failure are two of the surest stepping stones to success." - Dale Carnegie