Re: Interpreting output of tiger scripts (WAS:Re: Is my system compromised)
On Fri, Feb 03, 2006 at 09:35:07PM -0800, Marc Shapiro wrote:
> >According to Todd Weaver,
> >>You can try tiger...
> >> sudo apt-get update
> >> sudo apt-get install tiger
> >> sudo tiger
> I have no reason to believe that my box is compromised,
A script that doesn't belong to a package is in your /etc/rc?
I'd do a lot more digging. Before writing it off as not compromised.
(or even to a backup of the filesystem, then a fresh install)
Send the contents of the script to the list for review.
(it *would* be a bash file if it's a debian script)
Like mentioned earlier, boot of CD, inspect the script, how did it get there?
It was either part of a package (which I couldn't find), or it was put their by a root user (if you have multiple root's) or it was placed by somebody you gave sudo root access to, or it was an eggdrop, by a malicious user (or external root compromise).
If you boot off CD, you gain a few things:
a) if you run ls, ps, cat etc... they're for sure the binary that
you want to run (from CD), and not a rootkit'd ls, ps, cat etc... binary
(a rootkit binary of ls *would* have compiled in to avoid rootkit files)
b) you cannot do harm to your read-only mounted hard-drive.
chkrootkit from CD would tell if binary files mismatch.
> but I thought
> that I would try out tiger to close off what I could. Now I need
> someone to point me to someplace that can help me interpret the log file.
Tiger is for hardening your system, finding possible unused, or strange things.
> I got an awful lot of lines about unowned files and files with invalid
> groups. Those were easy to deal with. They were all files that on
> installation kept the user and group of the maintainer. I have chowned
> them all to root:root. That cut the size of the logfile down from 111K
> to 16K.
Those were just "WARN", which you should take under "Warning" type advisement.
Cleaning up "WARN" messages are a good practice, but you can do with the knowledge as you will.
"FAIL"'s are a little worse, and should be corrected.
> I also wonder about these:
> # Performing check of `cron' entries...
> --WARN-- [cron004w] Root crontab does not exist
If you didn't make a root crontab, then this makes sense right?
> --WARN-- [sig004w] None of the following versions of /bin/ls (-rwxr-xr-x)
> matched the /bin/ls on this machine.
> >>>>>> Linux 2.4.17
> Since I am running kernel 2.6.8 (the most recent available in Sarge) I
> am curious as to why it is trying to match the files to 2.4.17.
That is *probably* what tiger was compiled against.
> If anyone can point me in the right direction, I would appreciate it.
I'd check the author's docs...