
Re: Hacked - is it my turn?



On Mon, Feb 02, 2004 at 10:59:11PM +0100, Andreas Schmidt wrote:
> >> =-=-=-=-=-=-=-=-=-=-=-=-=-
> >> Feb 2 06:33:11 server_name su[16863]: + ??? root:nobody
> >

That's normal, it's been discussed here before. It just needs to be added to 
logcheck patterns; a bug should be filed.

> >'tiger' also reports - while performing signature check of system
> >binaries, that /bin/ping, /usr/bin/chage, /usr/bin/at, /usr/bin/write
> >and /usr/bin/inetd do not match. This can not be confirmed by aide
> >(cd-burned database, unsafe binary) or debsums (unsafe binary).
> >
> Hi,
> 
> have something similar here:
> # Performing signature check of system binaries...

Do _not_ rely on that if you are _not_ using a stable system.... (and
really, even then, unless you've regenerated the database yourself).

> Considering this kind of behavior is on two machines now makes me  
> assume this might be another bug with tiger. :-)

Well, it _kind_ of is, but that test should not be enabled on systems 
running sid or testing. The signature database is rarely updated (but you 
can update it yourself). In any case, rely on an integrity database (aide, 
tripwire, samhain, integrit... your call) instead of Tiger since it will 
only:

- check against a signature database based on woody, which will never match 
yours.
- check using 'debsums' which is not complete (some packages do not include 
md5 checksums for all the files)

> BTW, the machine logging this has sid installed.
> 
> Moreover, I got these messages:
> # Performing check of 'services' ...
(...)
> 
> Is that anything to be worried about? After all, it's just some  
> mappings in /etc/services, or is it? I don't run an ircd (I know of),  
> for instance, and the other ports mentioned here are not shown as open  
> by nmap/netstat.

Yes, that just compares the system's /etc/services against the list that 
Tiger has which, again, might not match what you have in a sid system if 
you have upgraded netbase. I will take care of those probably before the 
release, feel free to file a bug, however.

Regards

Javi
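
Added example (not part of the original message, and not Tiger or debsums code): a sketch that measures the debsums gap described above by listing the files a package installs that have no entry in its md5sums file. It assumes dpkg's usual /var/lib/dpkg/info/<pkg>.list and <pkg>.md5sums formats; the package contents below are constructed, and directories are detected with a path-prefix heuristic.

```python
# Constructed sample of a <pkg>.list file: absolute paths, directories included.
SAMPLE_LIST = """\
/.
/etc
/etc/example.conf
/usr
/usr/bin
/usr/bin/example
/usr/share
/usr/share/doc
/usr/share/doc/example
/usr/share/doc/example/copyright
"""

# Constructed sample of a <pkg>.md5sums file: "<md5>  <path without leading slash>".
SAMPLE_MD5SUMS = """\
0123456789abcdef0123456789abcdef  usr/bin/example
fedcba9876543210fedcba9876543210  usr/share/doc/example/copyright
"""


def parse_md5sums(text):
    """Return {absolute path: md5 hex} from the contents of a .md5sums file."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            sums["/" + parts[1].strip().lstrip("/")] = parts[0].lower()
    return sums


def installed_files(list_text):
    """Return the non-directory entries of a .list file.

    Assumption: an entry that is a parent of another entry is a directory.
    On a live system, os.path.isfile() is the accurate test.
    """
    paths = [p.strip() for p in list_text.splitlines() if p.strip()]
    known = set(paths)
    return [p for p in paths
            if p != "/." and not any(q.startswith(p + "/") for q in known)]


def uncovered_files(list_text, md5_text):
    """Files the package installs that a checksum-based check cannot verify."""
    sums = parse_md5sums(md5_text)
    return [p for p in installed_files(list_text) if p not in sums]


if __name__ == "__main__":
    for path in uncovered_files(SAMPLE_LIST, SAMPLE_MD5SUMS):
        print("no md5sum recorded:", path)
```

Any path this reports is one that only an independent integrity database (aide, tripwire, samhain, integrit) would cover.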
