
Re: Interpreting output of tiger scripts (WAS:Re: Is my system compromised)



On Fri, Feb 03, 2006 at 09:35:07PM -0800, Marc Shapiro wrote:
> >According to Todd Weaver,
> >
> >>You can try tiger...
> >>   sudo apt-get update
> >>   sudo apt-get install tiger
> >>   sudo tiger
> 
> I have no reason to believe that my box is compromised,

A script that doesn't belong to a package is in your /etc/rc?
I'd do a lot more digging before writing it off as not compromised.
(or even to a backup of the filesystem, then a fresh install)

Send the contents of the script to the list for review.
(it *would* be a bash file if it's a debian script)

Like mentioned earlier, boot off CD, inspect the script, how did it get there?

It was either part of a package (which I couldn't find), or it was put there by a root user (if you have multiple roots) or it was placed by somebody you gave sudo root access to, or it was an eggdrop, by a malicious user (or external root compromise).

If you boot off CD, you gain a few things:
a) if you run ls, ps, cat etc... they're for sure the binary that
   you want to run (from CD), and not a rootkit'd ls, ps, cat etc... binary
   (a rootkit binary of ls *would* have compiled in to avoid rootkit files)

b) you cannot do harm to your read-only mounted hard-drive.

chkrootkit from CD would tell if binary files mismatch.

> but I thought 
> that I would try out tiger to close off what I could.  Now I need 
> someone to point me to someplace that can help me interpret the log file.

http://www.nongnu.org/tiger/

Tiger is for hardening your system, finding possible unused, or strange things.

> I got an awful lot of lines about unowned files and files with invalid 
> groups.  Those were easy to deal with.  They were all files that on 
> installation kept the user and group of the maintainer.  I have chowned 
> them all to root:root.  That cut the size of the logfile down from 111K 
> to 16K.

Those were just "WARN", which you should take under "Warning" type advisement.

Cleaning up "WARN" messages is a good practice, but you can do with the knowledge as you will.

"FAIL"s are a little worse, and should be corrected.

> I also wonder about these:
> 
[snip]
> # Performing check of `cron' entries...
[snip]
> --WARN-- [cron004w] Root crontab does not exist

If you didn't make a root crontab, then this makes sense right?

> --WARN-- [sig004w] None of the following versions of /bin/ls (-rwxr-xr-x)
>          matched the /bin/ls on this machine.
>          >>>>>> Linux 2.4.17
> 
> Since I am running kernel 2.6.8 (the most recent available in Sarge) I 
> am curious as to why it is trying to match the files to 2.4.17.

That is *probably* what tiger was compiled against.

> If anyone can point me in the right direction, I would appreciate it.

I'd check the author's docs...

http://www.nongnu.org/tiger/
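Since the question is how to read a tiger log, here is a small parser for the report format quoted above (`# Performing check of ...` section headers, `--WARN--`/`--FAIL--` lines tagged with a check id, indented continuation lines). It is an added example, not part of the thread or of tiger itself; the sample log is constructed, the `ex001f` id is a placeholder, and the severity levels other than WARN and FAIL are assumed from tiger's conventions.

```python
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^# Performing check of (.+?)\.\.\.$")
FINDING_RE = re.compile(r"^--(ALERT|FAIL|ERROR|WARN|INFO)-- \[(\w+)\] (.*)$")
# Lower number = look at it first. FAIL should be fixed, WARN is advisory.
SEVERITY_ORDER = {"ALERT": 0, "FAIL": 1, "ERROR": 2, "WARN": 3, "INFO": 4}

@dataclass
class Finding:
    severity: str
    check_id: str   # e.g. cron004w; the trailing letter mirrors the level
    section: str    # the "Performing check of ..." block it came from
    message: str

def parse_tiger_log(text):
    """Turn a tiger report into Finding records, joining wrapped lines."""
    findings, section = [], ""
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).replace("`", "").replace("'", "")
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append(Finding(m.group(1), m.group(2), section, m.group(3).strip()))
            continue
        # Indented non-empty lines continue the previous finding's text.
        if findings and line.startswith(" ") and line.strip():
            findings[-1].message += " " + line.strip()
    return findings

def triage(findings):
    """Most serious first, then by check id, so FAILs are not buried in WARNs."""
    return sorted(findings, key=lambda f: (SEVERITY_ORDER.get(f.severity, 9), f.check_id))

def summarize(findings):
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts

# Constructed sample in the format quoted in the thread (ex001f is a placeholder id).
SAMPLE_LOG = """\
# Performing check of `cron' entries...
--WARN-- [cron004w] Root crontab does not exist
# Performing check of system binaries...
--WARN-- [sig004w] None of the following versions of /bin/ls (-rwxr-xr-x)
         matched the /bin/ls on this machine.
         >>>>>> Linux 2.4.17
--FAIL-- [ex001f] constructed example of a failing check
"""

if __name__ == "__main__":
    for f in triage(parse_tiger_log(SAMPLE_LOG)):
        print(f"{f.severity:5} {f.check_id:10} ({f.section}) {f.message}")
    print(summarize(parse_tiger_log(SAMPLE_LOG)))
```

The output puts the FAIL first and keeps each finding's wrapped explanation on one record, which is the split the reply above recommends (fix FAILs, weigh WARNs).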
