man/mandb problem -- exploit?
Hi--
My system was recently cracked (my impression was that it happened via
the recent Apache exploit). Shortly before I reinstalled my system
(with better security), I lost all ability to view man pages. Typing,
say, 'man man' would bring up a brief message about how it was
reformatting the page, then nothing.
I reinstalled, then installed an improved firewall before
bringing the system back up on the net and doing 'apt-get update;
apt-get dist-upgrade'. During the dist-upgrade process, I received a
message on the root terminal saying something like 'su session opened
for user man'. I didn't know whether this was relevant, but noted it
in case it had something to do with the man-db exploit, for which
there was a fix released on 12 June. I also ran the following commands,
as recommended on the man-db exploit page:
    suidregister /usr/lib/man-db/man root root 0755
    suidregister /usr/lib/man-db/mandb root root 0755
After the dist-upgrade, I can again no longer view man pages. As an
ordinary user, a simple man command brings up something like the
following:
    Reformatting mpage(1), please wait...
    man: can't create /var/cache/man/fsstnd/cat1/393: Permission denied
    zsoelim: /tmp/zmanp6L0Cn: No such file or directory
    man: can't unlink /var/cache/man/fsstnd/cat1/393: No such file or directory
    man: can't remove /tmp/zmanp6L0Cn: No such file or directory
After typing 'man man', a file called man.1.gz appears in
/var/cache/man/cat1, but all it contains is the following text:
------> man.1.gz <------
I purged and reinstalled the packages mandb, manpages, and
manpages-dev, with no luck. I found a file in /tmp named zmanXXXXX,
where 'XXXXX' was a random string. When I tried to delete or view
this file, I couldn't, because its name would change as I was trying
to do so, to zmanYYYYY, where 'YYYYY' was another random string.
Rebooting seems to have taken care of this; there are presently no
files in /tmp, but was this normal behaviour, or part of an exploit?
Any recommendations on getting man working on my system again are
welcome. Be very explicit, however, as I can't use man pages to
clarify any help that is cryptic. Moreover, does it seem that my
man-db has been cracked?
Thanks...
Ron H-E
p.s. What's with the Debian list archives? I can neither search nor
browse them.
--
Ron's Info Closet: Center for Ludic Synergy, Kennexions Glass Bead Game,
Positive Revolution FAQ, Hexagram-8 I Ching Mailing List, and links...
Ron Hale-Evans ... <http://www.apocalypse.org/~rwhe/>
rwhe@ludism.org ... Further up and further in! fnord ... rwhe@apocalypse.org