
Re: Interpreting output of tiger scripts (WAS:Re: Is my system compromised)



Todd Weaver wrote:
On Fri, Feb 03, 2006 at 09:35:07PM -0800, Marc Shapiro wrote:

According to Todd Weaver,


You can try tiger...
 sudo apt-get update
 sudo apt-get install tiger
 sudo tiger

I have no reason to believe that my box is compromised,


A script that doesn't belong to a package is in your /etc/rc?
I'd do a lot more digging before writing it off as not compromised.
(or even to a backup of the filesystem, then a fresh install)

I think that a posting must have been clipped and attributed incorrectly. My post says nothing about any files in /etc/rc. In fact, I can account for almost all of the files that it says are not from any package:

# Checking installed files against packages...
--WARN-- [lin001w] File `/usr/X11R6/bin/tkremind_1.3' does not belong to

This is a copy of tkremind that I made prior to making changes to the file. I could move this to my home directory if I really need to keep it.

--WARN-- [lin001w] File `/lib/modules/2.6.7-1-k7/ltmodem/lt_modem.o'
--WARN-- [lin001w] File `/lib/modules/2.6.7-1-k7/ltmodem/lt_serial.o'

These are from when I was trying to get a Lucent modem working. Since I am now using DSL I could delete them.

--WARN-- [lin001w] File `/lib/modules/2.6.8-2-k7/misc/vmmon.o' does not
--WARN-- [lin001w] File `/lib/modules/2.6.8-2-k7/misc/vmnet.o' does not
--WARN-- [lin001w] File `/lib/ld-linux.so.1.9.9' does not belong to any

I just installed VMPlayer from the VMWare site.

--WARN-- [lin001w] File `/usr/bin/remind.orig' does not belong to any

See tkremind_1.3, above.

--WARN-- [lin001w] File `/usr/bin/glibcbug.dpkg-tmp' does not belong to

THIS one I cannot account for.  Does anyone know what this file is?

--WARN-- [lin001w] File `/usr/bin/pico' does not belong to any package.
--WARN-- [lin001w] File `/usr/bin/pine' does not belong to any package.

I installed pine (and pico with it) many years ago from source (due to the licensing and Debian actually following it, unlike some other distros).


http://www.nongnu.org/tiger/

Tiger is for hardening your system, finding possible unused, or strange things.

Thanks.

Cleaning up "WARN" messages is a good practice, but you can do with the knowledge as you will.

"FAIL"s are a little worse, and should be corrected.


I also wonder about these:


[snip]

# Performing check of `cron' entries...

[snip]

--WARN-- [cron004w] Root crontab does not exist


If you didn't make a root crontab, then this makes sense, right?

As I suspected. I didn't make a root crontab so I didn't worry about that one.


--WARN-- [sig004w] None of the following versions of /bin/ls (-rwxr-xr-x)
        matched the /bin/ls on this machine.
        >>>>>> Linux 2.4.17

Since I am running kernel 2.6.8 (the most recent available in Sarge) I am curious as to why it is trying to match the files to 2.4.17.


That is *probably* what tiger was compiled against.

That would make SOME sense, except that it would mean that if you don't compile the tiger binaries on the machine that you are running it on then you are likely to get a lot of those warnings which really do not apply. I'll check the website and see if it has anything about these.

--
Marc Shapiro
mshapiro_42@yahoo.com
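
A way to triage a saved tiger report like the one discussed in this thread, as an added example that is not part of the original messages or of tiger itself: it parses the `--WARN--`/`--FAIL--` lines, joins wrapped continuation lines, groups findings by message ID with FAIL ahead of WARN, and lists the unowned-file paths from `lin001w` so each can be accounted for individually. The sample report is constructed from lines quoted above (including ones cut short in the mail); the function names and the ranking table are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: report lines as quoted in the message above, including
# lines that were cut short in the mail and one wrapped multi-line finding.
SAMPLE = """\
# Checking installed files against packages...
--WARN-- [lin001w] File `/lib/modules/2.6.7-1-k7/ltmodem/lt_modem.o'
--WARN-- [lin001w] File `/usr/bin/glibcbug.dpkg-tmp' does not belong to
--WARN-- [lin001w] File `/usr/bin/pico' does not belong to any package.
# Performing check of `cron' entries...
--WARN-- [cron004w] Root crontab does not exist
--WARN-- [sig004w] None of the following versions of /bin/ls (-rwxr-xr-x)
        matched the /bin/ls on this machine.
        >>>>>> Linux 2.4.17
"""

FINDING = re.compile(r"^--(?P<sev>[A-Z]+)--\s+\[(?P<id>\w+)\]\s*(?P<text>.*)$")
QUOTED_PATH = re.compile(r"`(/[^']*)'")
# Assumption: the thread only ranks FAIL above WARN; other levels sort last.
RANK = {"FAIL": 0, "WARN": 1}

def parse_report(text):
    """Return a list of findings; indented lines continue the previous one."""
    findings = []
    for line in text.splitlines():
        m = FINDING.match(line)
        if m:
            findings.append({"sev": m["sev"], "id": m["id"], "text": m["text"].strip()})
        elif findings and line[:1] in (" ", "\t") and line.strip():
            findings[-1]["text"] += " " + line.strip()
    return findings

def triage(findings):
    """Group by (severity, message id), most serious severity first."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["sev"], f["id"])].append(f["text"])
    return sorted(groups.items(), key=lambda kv: (RANK.get(kv[0][0], 9), kv[0][1]))

def unowned_files(findings):
    """Paths from lin001w findings, to be reviewed one by one (e.g. dpkg -S)."""
    return [p for f in findings if f["id"] == "lin001w"
            for p in QUOTED_PATH.findall(f["text"])]

if __name__ == "__main__":
    found = parse_report(SAMPLE)
    for (sev, mid), texts in triage(found):
        print(f"{sev:5} {mid:9} x{len(texts)}")
```

Each path returned by `unowned_files` can then be recorded with its explanation (local backup, source install, third-party module), leaving only the unexplained ones for further investigation.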


