Mailinglist Archive: opensuse-security (49 mails)

< Previous Next >
Re: [opensuse-security] Security report from rkhunter on default install of openSUSE 10.2
  • From: Pavel Chalupa <pavel@xxxxxxxxxx>
  • Date: Sun, 31 Dec 2006 11:47:14 +0100
  • Message-id: <200612311147.39482.pavel@xxxxxxxxxx>
Dne pá 29. prosince 2006 03:26 Carlos E. R. napsal(a):
> The Thursday 2006-12-28 at 12:38 -0500, Darko Gavrilovic wrote:
> > I interpreted the OP's question as more of a a question about
> > rkhunter's usage and the false positives it generates as opposed to
> > any inherent insecurities in a default SUSE install.
>
> I rather think he asks if rkhunter's report's are real and there are
>
> security problems. He is preoccupied with having backdoors in 10.2. See:
> |> Does the second problem means, that openSUSE 10.2 has security hole in
> |> default install and fresh installation can be exploited remotly
> |> during/after online update, when making fresh install? Or one of the
> |> online repositories includes package with backdoor?
>
> He was asked to supply exact error messages in order to investigate
> further, but he hasn't come back yet. So, I'd ignore this.

rkhunter report:

* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ Warning! ]
---------------
/dev/.tmp-22-0
/dev/.udev /etc/.pwd.lock
---------------
Please inspect: /dev/.tmp-22-0 (block special (22/0))

some investigation:

invisible files detected by rkhunter you can see on fresh instalation which is
completly disconnected (without ethernet NIC)

/dev/.udev/

/db/ (directory ls in attachment, change time when system boots, after
making ls of this directory, there is a file named ls sized 0 Bytes)
uevent_seqnum (5 bytes, 4 numbers as text - different on each machine,
change time when system boots)

---------
/dev/

+.tmp-XX-X (X are random digits, change time when system boots)

---------
/etc/

.pwd.lock (change time when system was installed)

I don't know what the hell it is. The only thing that I have done, is easy
password on that testing systems and I have been warned by system message
about that (password detected in dictionary). The files in /dev and /etc are
there just after first boot. I have tried this on 2 physical machines and 2
virtual machines. MD5 hash of DVD iso is ok, downloaded from czech mirror.

Does anybody knows what that files mean?

And at second I have openSUSE 10.0 machnine with permanent incomming
500Bytes/s traffic (but no outgoing traffic - I mean requests) and don't know
what the traffic means.

Pavel Chalupa
< Previous Next >
Follow Ups