Mailinglist Archive: opensuse-security (51 mails)

Re: [opensuse-security] System attacked, need help
On 2014-09-13 11:21, Carlos E. R. wrote:

On 2014-09-13 20:00, Jon Cosby wrote:

The attacks seem to continue almost immediately. rkhunter gives a very
suspicious warning:

[10:19:02] /sbin/ifup [ Warning ]
[10:19:02] Warning: The command '/sbin/ifup' has been replaced by a
script: /sbin/ifup: Bourne-Again shell script, ASCII..

False positive. It *is* a script on openSUSE.

sbin> ls -l ifup
-rwxr-xr-x 1 root root 48711 Apr 10 00:46 ifup

cer@Telcontar:~> l /sbin/ifup
-rwxr-xr-x 1 root root 48711 Apr 10 09:46 /sbin/ifup*
cer@Telcontar:~> file /sbin/ifup
/sbin/ifup: Bourne-Again shell script, ASCII text executable
cer@Telcontar:~> rpm -qf /sbin/ifup
sysconfig-network-0.81.5-30.1.x86_64
cer@Telcontar:~> rpm -V sysconfig-network
cer@Telcontar:~>


Thanks. What about the universal permissions on ifdown?

sbin> ls -l ifdown
lrwxrwxrwx 1 root root 4 Sep 12 18:05 ifdown -> ifup

And again, there’s a long signal going out when I come back from suspension. I'm assuming it's coming from ifup.


Jon
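
The checks used in this thread, collected into one script as an added example (not part of either poster's message). On Linux a symlink is always listed as `lrwxrwxrwx` and access is decided by the mode of the file it points to, so the script reports the target's mode; the function names and the temporary sample files are assumptions made for illustration, and GNU coreutils is assumed.

```sh
#!/bin/sh
# Added example; paths under the temp dir are constructed sample data.
# Assumes GNU coreutils (stat -c, readlink -f), as found on openSUSE.

# Mode of the file that is actually opened: -L follows the symlink.
effective_mode() {
    stat -L -c '%a' "$1"
}

# Fully resolved target of a symlink; fails if the path is not a symlink.
link_target() {
    [ -L "$1" ] && readlink -f "$1"
}

# Succeeds if the resolved file is writable by "other" (last octal digit
# has the write bit set: 2, 3, 6 or 7).
world_writable() {
    mode=$(effective_mode "$1") || return 2
    case "$mode" in
        *[2367]) return 0 ;;
        *)       return 1 ;;
    esac
}

# The package checks from the thread, applied to the resolved file.
# rpm -V compares against the local RPM database, so it is only as
# trustworthy as that database.
pkg_verify() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 3; }
    real=$(readlink -f "$1")
    pkg=$(rpm -qf "$real") || { echo "$real: not owned by a package"; return 1; }
    echo "$real: owned by $pkg"
    rpm -V "$pkg" && echo "$pkg: verified, no changes reported"
}

# Constructed layout mirroring the listing: ifup (0755) and ifdown -> ifup.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/bash\n' > "$d/ifup"
    chmod 755 "$d/ifup"
    ln -s ifup "$d/ifdown"
    if world_writable "$d/ifdown"; then ww=yes; else ww=no; fi
    echo "link=$(stat -c '%A' "$d/ifdown") target_mode=$(effective_mode "$d/ifdown") world_writable=$ww"
    rm -rf "$d"
}

demo
```

On a real system, `pkg_verify /sbin/ifdown` resolves the link first, so the package query and verification run against `/sbin/ifup` itself.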