Re: /bin/login listening?
On Sun, Jul 29, 2007 at 03:56:08PM +0000, Tyler Smith wrote:
> So if I'm compromised nothing is safe, and the only guaranteed way to
> clear this up is to format my harddrive and reinstall. Given that the
> only evidence of a problem is a warning about /bin/login listening
> from rkhunter, which happened only once, and I have had no other
> problems with my net connection or general performance of my laptop,
> let alone mysterious withdrawals from my bank account or other signs
> of stolen passwords, what should I be doing?
>
> >From the advice received and what I'm reading, I'm getting two very
> different messages - I must reinstall to be 100% certain that I'm
> safe, and while I can't be 100% certain I'm safe it's pretty unlikely
> that I have a real problem.
>
> What would you do in my situation?
>
Try this:
Boot the box from something like the install CD, go to a shell, mount
your / partition ro, noexec.
I think the install CD has md5sum installed. Run:
#md5sum /bin/login.
On my i386, I get:
2ee32ff74e474c4d9fc9df6f1460980f /bin/login
If /bin/login is fine, then I'd forget about it.
If it differs, I'd wipe the drive and reinstall; from backups before
your first indication of a problem. Then examine the difference between
that backup's data and your most recent backup.
Actually, to put your mind at ease, I've attached a file bin-MD5SUMS
which is the output of:
$md5sum /bin/* > bin-MD5SUMS
Put this onto a floppy and mount it when you boot your install CD. Then
edit it so that, for example the /bin/login reads /mnt/bin/login.
You can then verify the whole /bin with
#md5sum -c bin-MD5SUMS
Here's the file, and good luck.
Doug.
be2bfd8feb6bfb826593c087817be9d5 /bin/arch
72e1a7bbf8478e3dd08693bec6f4c50e /bin/bash
01fcfa4919953518bbbc97b2637a27ad /bin/bunzip2
a60f3c2c4dcedeec5b0e6cce4fd777c8 /bin/busybox
01fcfa4919953518bbbc97b2637a27ad /bin/bzcat
dfaba3a92070a1881dd8ec64a26069a4 /bin/bzcmp
dfaba3a92070a1881dd8ec64a26069a4 /bin/bzdiff
2b11565d85da178b3a1942a22d20c624 /bin/bzegrep
ea97408418bc4c3a77c0048003198acc /bin/bzexe
2b11565d85da178b3a1942a22d20c624 /bin/bzfgrep
2b11565d85da178b3a1942a22d20c624 /bin/bzgrep
01fcfa4919953518bbbc97b2637a27ad /bin/bzip2
d231db40e391032509c4c4782653cb6e /bin/bzip2recover
e243255b6cf3b9403df53cb9cd6176e1 /bin/bzless
e243255b6cf3b9403df53cb9cd6176e1 /bin/bzmore
c12e12da393d90fba841aa678aef5094 /bin/cat
117baf5142bb451a8a0c501cdbf43726 /bin/chgrp
aa1ab822de26dd9d455c8ac9163ba30e /bin/chmod
b28ba00d8345041e4955ed970ed174ee /bin/chown
a096cd237ee340b66f84a7867a2da2a7 /bin/cp
901cc68b293e3249a681ab4f396d1cd4 /bin/cpio
a9a89a3beefb30729ea4ae80d6335cb6 /bin/csh
2af9162bd0c10ecd3b77983a56d79f6c /bin/date
02aec16981ffee391d957a28cd1190af /bin/dd
53f20746bb14718e54a65b86510bcb82 /bin/df
1c4d91adb9b1fa383247d0334a389975 /bin/dir
5c54d6f8b6af629e4be985f52c21adb6 /bin/dmesg
638cead25982bc413a287e30a6b3fea4 /bin/dnsdomainname
177e77531159a20fbcf741136c02ce05 /bin/echo
73a8a6f1948231171a6586aef43f26a6 /bin/ed
1a1c4e75e82a51bc570350aa22184913 /bin/egrep
28b23332333e80869b5810c4105392c6 /bin/false
01b9524c8e60a5e167132a6e85452cd0 /bin/fgrep
5d3ff43e62be5f980abeb4100a018ff1 /bin/fuser
d274e7a42d015822ea25fb08ed19262c /bin/grep
df40328a2c30b3dd195ef2f55d60cef4 /bin/gunzip
cd4aee768f1e3db05aac2b3f5a6219ae /bin/gzexe
df40328a2c30b3dd195ef2f55d60cef4 /bin/gzip
638cead25982bc413a287e30a6b3fea4 /bin/hostname
01c8af0fc0fe16eab70368389a5482bb /bin/ip
aca6202f58b4e514ac9c0501505c2076 /bin/kernelversion
083ec3e06bc9de75e00fcb6d6292b378 /bin/kill
2f67f424360319c65ab68c27984f4d06 /bin/ln
2ee32ff74e474c4d9fc9df6f1460980f /bin/login
3a409d2e7d87fa96c89650c6aec35ac7 /bin/ls
8903244917679b8f5a19909e7e5d0fcc /bin/lsmod
432c653790fe9d2562f0894bb922d46d /bin/lsmod.modutils
e89d8739e436bf722668b838476d65cb /bin/lspci
2b71253ac2aa883f6b65cc4d636fe8c8 /bin/mkdir
95887a0809f5a6de47e26d8b60ae28b1 /bin/mknod
641ec128955d32c613c201d45a9bf224 /bin/mktemp
cc51af5002e2d41a84aecb14fc9cbd79 /bin/more
27c66448968d6775d3f61ee07938938c /bin/mount
dcfe6fa0df8251d56c7f6cd738181003 /bin/mountpoint
0658725a01811e897497f24838c79e75 /bin/mt
0658725a01811e897497f24838c79e75 /bin/mt-gnu
45fc16400d06a4cf9d69c8d619f9104b /bin/mv
68de2870b06443403332c81022010a24 /bin/nano
f0169e77f969e17e013c295cd74346a6 /bin/nc
f0169e77f969e17e013c295cd74346a6 /bin/netcat
e00b5e934dfa34a968b33cb2566ecdec /bin/netstat
3aba7c43d7978452e790220b0deb0e4e /bin/pidof
7001afa26625989c85d05be0d4f93e4e /bin/ping
d420db19497b56e632756884efd244e9 /bin/ping6
6140d156296de35a86fd154081b00f26 /bin/ps
b7ec22f9d3040fff114acfd4f6d226e7 /bin/pwd
72e1a7bbf8478e3dd08693bec6f4c50e /bin/rbash
07e433957de1c39329ebd81d61ca44a2 /bin/readlink
bdd022ca8ec797544b3eddb817ce97f5 /bin/rm
34dd0e07f6abdd1531c7c0953752ab1d /bin/rmdir
68de2870b06443403332c81022010a24 /bin/rnano
1622c90a9570641dd182d0eff4e9d95b /bin/run-parts
d9be68996d0b87faeb83d1ad8951a481 /bin/sash
1fc6cd13e8a249ec91f7e449f588d6a8 /bin/sed
8501cfbf10055e8d98d82248f8397c08 /bin/setpci
e15427bde126b4204676456a0e304634 /bin/setserial
72e1a7bbf8478e3dd08693bec6f4c50e /bin/sh
ade32c6b4e49cc3d9c9187b341ab677d /bin/sleep
8ff11a1d2fa865a1df52f4801b2146ce /bin/stty
1381ae1ac77b512258657b096522bb6a /bin/su
ed35991c79e7f27556be284b94a9230e /bin/sync
3d4ff79b35e99e6d898e1b78d34816fb /bin/tar
a9a89a3beefb30729ea4ae80d6335cb6 /bin/tcsh
03e5794e352ebc66b02279b1838321a7 /bin/tempfile
dc38f34bdd3f285ea11ebcf806b4c9ad /bin/touch
8faf4fa090c99faed87c032228319a3d /bin/true
e85bfe5ccc222ac49fb9093e1234ea0d /bin/umount
4aae597c9a56e81b9ed4645e07e56e17 /bin/uname
df40328a2c30b3dd195ef2f55d60cef4 /bin/uncompress
91e330c4878314f25300c3300a39ed40 /bin/vdir
5091b25f65a1d8929536c814b314b1c8 /bin/which
df40328a2c30b3dd195ef2f55d60cef4 /bin/zcat
45cde7b4135720aa8404415b34e4dc4b /bin/zcmp
45cde7b4135720aa8404415b34e4dc4b /bin/zdiff
7bdd4c28c529181605b96fca78fbd030 /bin/zegrep
7bdd4c28c529181605b96fca78fbd030 /bin/zfgrep
51690321bd9c5b12bb00af25ecccfb66 /bin/zforce
7bdd4c28c529181605b96fca78fbd030 /bin/zgrep
0343bf4b663154853e29d449f9860e87 /bin/zless
f5d294929112a8b11d281fadc62ed4c3 /bin/zmore
85e1a8bc1c27dcf3ca343e34dcae2192 /bin/znew
Reply to: