Re: /bin/login listening?
On 2007-07-28, Jeff D <fixedored@gmail.com> wrote:
> also, what version of debian are you running? Is this machine behind a
> firewall or do you have a firewall running on it? You may also
I'm running Lenny on a laptop, usually connected to various wireless
routers. I recently noticed that Firestarter wasn't actually starting
automatically, something to do with the network not being up when I
boot, and I don't always remember to turn it on after I connect to the
wireless router. Also, even when I am running Firestarter I have to
turn it off in order to access my university via VPN.
I've pasted the results of all the tests you suggested below. I don't
understand much, but the md5sum mis-match for the rkhunter files is
definitely worrying. Am I going to have to re-install?
Thanks,
Tyler
> you can also install the debsums package, it will do a md5sum check
> against installed packages.
root:chapter3# debsums -s
debsums: no md5sums for amarok-engines
debsums: no md5sums for at
debsums: no md5sums for base-files
debsums: no md5sums for bc
debsums: no md5sums for bin86
debsums: no md5sums for binutils
debsums: no md5sums for bsdutils
debsums: no md5sums for bzip2
debsums: can't open cltl file /usr/share/doc/cltl/README.Debian (No such file or directory)
debsums: can't open cltl file /usr/share/doc/cltl/copyright (No such file or directory)
debsums: can't open cltl file /usr/share/doc/cltl/changelog.gz (No such file or directory)
debsums: no md5sums for console-data
debsums: no md5sums for dc
debsums: no md5sums for debian-archive-keyring
debsums: no md5sums for debian-policy
debsums: no md5sums for dict
debsums: no md5sums for doc-debian
debsums: can't open ebook-dev-alp file /usr/share/doc/ebook-dev-alp/advanced-linux-programming.pdf.gz (No such file or directory)
debsums: no md5sums for ed
debsums: no md5sums for figlet
debsums: no md5sums for g++
debsums: no md5sums for g77
debsums: no md5sums for gawk
debsums: no md5sums for gawk-doc
debsums: no md5sums for gnupg
debsums: no md5sums for gnuplot
debsums: no md5sums for gpgv
debsums: no md5sums for hibernate
debsums: no md5sums for initscripts
debsums: no md5sums for installation-guide-i386
debsums: no md5sums for installation-report
debsums: no md5sums for klogd
debsums: no md5sums for libaudio2
debsums: no md5sums for libbz2-1.0
debsums: no md5sums for libbz2-dev
debsums: no md5sums for libdb4.2
debsums: no md5sums for libdb4.3
debsums: no md5sums for libdb4.4
debsums: checksum mismatch libgcj-common file /usr/share/doc/libgcj-common/copyright
debsums: checksum mismatch libgcj-common file /usr/share/doc/libgcj-common/changelog.Debian.gz
debsums: no md5sums for libgdbm3
debsums: no md5sums for libgsm1
debsums: no md5sums for libhdf4g
debsums: no md5sums for libident
debsums: no md5sums for liblockfile1
debsums: no md5sums for libncurses5
debsums: no md5sums for libncurses5-dev
debsums: no md5sums for libncursesw5
debsums: no md5sums for libnetcdf3
debsums: no md5sums for libvolume-id0
debsums: no md5sums for lynx
debsums: no md5sums for make-doc
debsums: no md5sums for mawk
debsums: no md5sums for mime-support
debsums: no md5sums for module-init-tools
debsums: no md5sums for mount
debsums: no md5sums for mpack
debsums: no md5sums for ncurses-base
debsums: no md5sums for ncurses-bin
debsums: no md5sums for ncurses-term
debsums: no md5sums for netbase
debsums: no md5sums for openbsd-inetd
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prauctex.cfg
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prauctex.def
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prcounters.def
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/preview.sty
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prfootnotes.def
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prlyx.def
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prshowbox.def
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prshowlabels.def
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prtightpage.def
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prtracingall.def
debsums: no md5sums for r-recommended
debsums: no md5sums for rcs
debsums: checksum mismatch rkhunter file /var/lib/rkhunter/db/mirrors.dat
debsums: checksum mismatch rkhunter file /var/lib/rkhunter/db/os.dat
debsums: checksum mismatch rkhunter file /var/lib/rkhunter/db/programs_good.dat
debsums: checksum mismatch rkhunter file /var/lib/rkhunter/db/defaulthashes.dat
debsums: no md5sums for rsync
debsums: no md5sums for ssh
debsums: no md5sums for strace
debsums: no md5sums for sun-java5-fonts
debsums: no md5sums for sun-java5-plugin
debsums: no md5sums for svgalibg1
debsums: no md5sums for sysklogd
debsums: no md5sums for sysv-rc
debsums: no md5sums for sysvinit
debsums: no md5sums for sysvinit-utils
debsums: no md5sums for udev
debsums: no md5sums for update-inetd
debsums: no md5sums for util-linux
debsums: no md5sums for whois
>>
>
> you could also try something like this:
> lsof -n -p `pidof login | sed s/\ /\,/g` or lsof -n -p 3888 (since that
> is the process id that rkhunter is reporting listening)
root:chapter3# lsof -n -p 3888
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
login 3888 root cwd DIR 0,13 4040 955 /dev
login 3888 root rtd DIR 8,3 4096 2 /
login 3888 root txt REG 8,3 35204 193543 /bin/login
login 3888 root mem REG 8,3 38416 532977 /lib/i686/cmov/libnss_files-2.6.so
login 3888 root mem REG 8,3 34352 532979 /lib/i686/cmov/libnss_nis-2.6.so
login 3888 root mem REG 8,3 30436 532975 /lib/i686/cmov/libnss_compat-2.6.so
login 3888 root mem REG 8,3 220764 596845 /lib/libsepol.so.1
login 3888 root mem REG 8,3 83512 597381 /lib/libselinux.so.1
login 3888 root mem REG 8,3 83712 532974 /lib/i686/cmov/libnsl-2.6.so
login 3888 root mem REG 8,3 9708 598622 /lib/security/pam_mail.so
login 3888 root mem REG 8,3 4244 598624 /lib/security/pam_motd.so
login 3888 root mem REG 8,3 9696 532987 /lib/i686/cmov/libutil-2.6.so
login 3888 root mem REG 8,3 8640 598618 /lib/security/pam_lastlog.so
login 3888 root mem REG 8,3 17204 598619 /lib/security/pam_limits.so
login 3888 root mem REG 8,3 51484 598645 /lib/security/pam_unix.so
login 3888 root mem REG 8,3 9684 532935 /lib/i686/cmov/libdl-2.6.so
login 3888 root mem REG 8,3 1331968 532932 /lib/i686/cmov/libc-2.6.so
login 3888 root mem REG 8,3 8264 598609 /lib/libpam_misc.so.0.79
login 3888 root mem REG 8,3 29700 596838 /lib/libpam.so.0.79
login 3888 root mem REG 8,3 21908 532934 /lib/i686/cmov/libcrypt-2.6.so
login 3888 root mem REG 8,3 11024 596837 /lib/libcap.so.1.10
login 3888 root mem REG 8,3 11232 598616 /lib/security/pam_group.so
login 3888 root mem REG 8,3 10372 598613 /lib/security/pam_env.so
login 3888 root mem REG 8,3 5908 598625 /lib/security/pam_nologin.so
login 3888 root mem REG 8,3 7144 598629 /lib/security/pam_securetty.so
login 3888 root mem REG 8,3 117336 774195 /lib/ld-2.6.so
login 3888 root 0u CHR 4,1 1059 /dev/tty1
login 3888 root 1u CHR 4,1 1059 /dev/tty1
login 3888 root 2u CHR 4,1 1059 /dev/tty1
login 3888 root 4r REG 8,3 1237 517938 /etc/passwd
login 3888 root 5u unix 0xf7ddac80 9347 socket
root:chapter3#
root:chapter3# lsof -n -p `pidof login` | sed s/\ /\,/g
COMMAND,,PID,USER,,,FD,,,TYPE,,,,,DEVICE,,,,SIZE,,,NODE,NAME
login,,,3888,root,,cwd,,,,DIR,,,,,,,0,13,,,,4040,,,,955,/dev
login,,,3888,root,,rtd,,,,DIR,,,,,,,,8,3,,,,4096,,,,,,2,/
login,,,3888,root,,txt,,,,REG,,,,,,,,8,3,,,35204,193543,/bin/login
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,38416,532977,/lib/i686/cmov/libnss_files-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,34352,532979,/lib/i686/cmov/libnss_nis-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,30436,532975,/lib/i686/cmov/libnss_compat-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,220764,596845,/lib/libsepol.so.1
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,83512,597381,/lib/libselinux.so.1
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,83712,532974,/lib/i686/cmov/libnsl-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,9708,598622,/lib/security/pam_mail.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,4244,598624,/lib/security/pam_motd.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,9696,532987,/lib/i686/cmov/libutil-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,8640,598618,/lib/security/pam_lastlog.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,17204,598619,/lib/security/pam_limits.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,51484,598645,/lib/security/pam_unix.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,9684,532935,/lib/i686/cmov/libdl-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,1331968,532932,/lib/i686/cmov/libc-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,8264,598609,/lib/libpam_misc.so.0.79
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,29700,596838,/lib/libpam.so.0.79
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,21908,532934,/lib/i686/cmov/libcrypt-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,11024,596837,/lib/libcap.so.1.10
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,11232,598616,/lib/security/pam_group.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,10372,598613,/lib/security/pam_env.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,5908,598625,/lib/security/pam_nologin.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,7144,598629,/lib/security/pam_securetty.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,117336,774195,/lib/ld-2.6.so
login,,,3888,root,,,,0u,,,CHR,,,,,,,,4,1,,,,,,,,,,,1059,/dev/tty1
login,,,3888,root,,,,1u,,,CHR,,,,,,,,4,1,,,,,,,,,,,1059,/dev/tty1
login,,,3888,root,,,,2u,,,CHR,,,,,,,,4,1,,,,,,,,,,,1059,/dev/tty1
login,,,3888,root,,,,4r,,,REG,,,,,,,,8,3,,,,1237,517938,/etc/passwd
login,,,3888,root,,,,5u,,unix,0xf7ddac80,,,,,,,,,,,9347,socket
root:chapter3#
>
> do you have nmap installed on the local machine? you could run a nmap -sV
> localhost against it and it should report back with something as well.
root:chapter3# nmap -sV localhost
Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-29 00:26 ADT
Interesting ports on localhost (127.0.0.1):
Not shown: 1691 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.6p1 Debian 4 (protocol 2.0)
25/tcp open smtp Exim smtpd 4.67
80/tcp open http Apache httpd 1.3.34 ((Debian))
111/tcp open rpcbind 2 (rpc #100000)
113/tcp open ident OpenBSD identd
929/tcp open unknown
Service Info: Host: blackbart.mynetwork; OSs: Linux, OpenBSD
Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 6.208 seconds
root:chapter3#
>
>
> Jeff
>
> -+-
> 8 out of 10 Owners who Expressed a Preference said Their Cats Preferred Techno.
>
>
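As an added example that is not part of the thread: a small shell script that sorts `debsums -s` output of the kind pasted above by where the mismatching file lives, so that a changed executable or library (the case that would justify comparing against a clean package or reinstalling) is separated from mismatches under /usr/share/doc and /var/lib, the latter being where rkhunter keeps the database files it rewrites when its database is updated. The sample lines are constructed after those in the message, and the path classes are this script's own assumption, not anything debsums itself reports.

```shell
#!/bin/sh
# Constructed sample of `debsums -s` output, modelled on the thread above.
sample_output() {
    cat <<'EOF'
debsums: no md5sums for ssh
debsums: can't open cltl file /usr/share/doc/cltl/copyright (No such file or directory)
debsums: checksum mismatch rkhunter file /var/lib/rkhunter/db/programs_good.dat
debsums: checksum mismatch libgcj-common file /usr/share/doc/libgcj-common/copyright
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/preview.sty
debsums: checksum mismatch somepkg file /bin/login
EOF
}

# Read debsums lines on stdin, print "<severity> <package> <path>" per line.
#   HIGH       mismatch in a code path (/bin, /sbin, /lib, /usr/bin, /usr/sbin, /usr/lib)
#   LOW        mismatch in docs or package-maintained state (/usr/share/doc, /var/lib)
#   MEDIUM     mismatch anywhere else (config, TeX trees, ...): check by hand
#   INFO       file listed in the md5sums but missing from disk
#   UNVERIFIED package shipped without md5sums, so nothing could be checked
triage_debsums() {
    awk '
    /^debsums: no md5sums for /     { print "UNVERIFIED", $5, "-"; next }
    /^debsums: can.t open /         { print "INFO", $4, $6; next }
    /^debsums: checksum mismatch / {
        pkg = $4; path = $6
        if (path ~ /^\/(bin|sbin|lib|usr\/(bin|sbin|lib))\//)  sev = "HIGH"
        else if (path ~ /^\/(usr\/share\/doc|var\/lib)\//)       sev = "LOW"
        else                                                      sev = "MEDIUM"
        print sev, pkg, path
    }'
}

# Number of HIGH findings: the ones that should be compared against a
# freshly downloaded copy of the package before trusting the machine.
high_count() {
    triage_debsums | awk '$1 == "HIGH" { n++ } END { print n + 0 }'
}

sample_output | triage_debsums
echo "HIGH findings: $(sample_output | high_count)"
```

Run it as `debsums -s 2>&1 | triage_debsums` on a live system; anything rated HIGH is the part of the listing worth acting on first.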