
Re: /bin/login listening?



On Sun, Jul 29, 2007 at 03:56:08PM +0000, Tyler Smith wrote:
 
> So if I'm compromised nothing is safe, and the only guaranteed way to
> clear this up is to format my harddrive and reinstall. Given that the
> only evidence of a problem is a warning about /bin/login listening
> from rkhunter, which happened only once, and I have had no other
> problems with my net connection or general performance of my laptop,
> let alone mysterious withdrawals from my bank account or other signs
> of stolen passwords, what should I be doing? 
> 
> From the advice received and what I'm reading, I'm getting two very
> different messages - I must reinstall to be 100% certain that I'm
> safe, and while I can't be 100% certain I'm safe it's pretty unlikely
> that I have a real problem.
> 
> What would you do in my situation?
> 

Try this:

Boot the box from something like the install CD, go to a shell, mount
your / partition ro, noexec.

I think the install CD has md5sum installed.  Run:
	#md5sum /bin/login

On my i386, I get:

2ee32ff74e474c4d9fc9df6f1460980f /bin/login

If /bin/login is fine, then I'd forget about it.
If it differs, I'd wipe the drive and reinstall from backups taken before
your first indication of a problem.  Then examine the difference between
that backup's data and your most recent backup.

Actually, to put your mind at ease, I've attached a file bin-MD5SUMS
which is the output of:

	$md5sum /bin/* > bin-MD5SUMS

Put this onto a floppy and mount it when you boot your install CD.  Then
edit it so that, for example, /bin/login reads /mnt/bin/login.

You can then verify the whole /bin with
	#md5sum -c bin-MD5SUMS

Here's the file, and good luck.

Doug.

be2bfd8feb6bfb826593c087817be9d5  /bin/arch
72e1a7bbf8478e3dd08693bec6f4c50e  /bin/bash
01fcfa4919953518bbbc97b2637a27ad  /bin/bunzip2
a60f3c2c4dcedeec5b0e6cce4fd777c8  /bin/busybox
01fcfa4919953518bbbc97b2637a27ad  /bin/bzcat
dfaba3a92070a1881dd8ec64a26069a4  /bin/bzcmp
dfaba3a92070a1881dd8ec64a26069a4  /bin/bzdiff
2b11565d85da178b3a1942a22d20c624  /bin/bzegrep
ea97408418bc4c3a77c0048003198acc  /bin/bzexe
2b11565d85da178b3a1942a22d20c624  /bin/bzfgrep
2b11565d85da178b3a1942a22d20c624  /bin/bzgrep
01fcfa4919953518bbbc97b2637a27ad  /bin/bzip2
d231db40e391032509c4c4782653cb6e  /bin/bzip2recover
e243255b6cf3b9403df53cb9cd6176e1  /bin/bzless
e243255b6cf3b9403df53cb9cd6176e1  /bin/bzmore
c12e12da393d90fba841aa678aef5094  /bin/cat
117baf5142bb451a8a0c501cdbf43726  /bin/chgrp
aa1ab822de26dd9d455c8ac9163ba30e  /bin/chmod
b28ba00d8345041e4955ed970ed174ee  /bin/chown
a096cd237ee340b66f84a7867a2da2a7  /bin/cp
901cc68b293e3249a681ab4f396d1cd4  /bin/cpio
a9a89a3beefb30729ea4ae80d6335cb6  /bin/csh
2af9162bd0c10ecd3b77983a56d79f6c  /bin/date
02aec16981ffee391d957a28cd1190af  /bin/dd
53f20746bb14718e54a65b86510bcb82  /bin/df
1c4d91adb9b1fa383247d0334a389975  /bin/dir
5c54d6f8b6af629e4be985f52c21adb6  /bin/dmesg
638cead25982bc413a287e30a6b3fea4  /bin/dnsdomainname
177e77531159a20fbcf741136c02ce05  /bin/echo
73a8a6f1948231171a6586aef43f26a6  /bin/ed
1a1c4e75e82a51bc570350aa22184913  /bin/egrep
28b23332333e80869b5810c4105392c6  /bin/false
01b9524c8e60a5e167132a6e85452cd0  /bin/fgrep
5d3ff43e62be5f980abeb4100a018ff1  /bin/fuser
d274e7a42d015822ea25fb08ed19262c  /bin/grep
df40328a2c30b3dd195ef2f55d60cef4  /bin/gunzip
cd4aee768f1e3db05aac2b3f5a6219ae  /bin/gzexe
df40328a2c30b3dd195ef2f55d60cef4  /bin/gzip
638cead25982bc413a287e30a6b3fea4  /bin/hostname
01c8af0fc0fe16eab70368389a5482bb  /bin/ip
aca6202f58b4e514ac9c0501505c2076  /bin/kernelversion
083ec3e06bc9de75e00fcb6d6292b378  /bin/kill
2f67f424360319c65ab68c27984f4d06  /bin/ln
2ee32ff74e474c4d9fc9df6f1460980f  /bin/login
3a409d2e7d87fa96c89650c6aec35ac7  /bin/ls
8903244917679b8f5a19909e7e5d0fcc  /bin/lsmod
432c653790fe9d2562f0894bb922d46d  /bin/lsmod.modutils
e89d8739e436bf722668b838476d65cb  /bin/lspci
2b71253ac2aa883f6b65cc4d636fe8c8  /bin/mkdir
95887a0809f5a6de47e26d8b60ae28b1  /bin/mknod
641ec128955d32c613c201d45a9bf224  /bin/mktemp
cc51af5002e2d41a84aecb14fc9cbd79  /bin/more
27c66448968d6775d3f61ee07938938c  /bin/mount
dcfe6fa0df8251d56c7f6cd738181003  /bin/mountpoint
0658725a01811e897497f24838c79e75  /bin/mt
0658725a01811e897497f24838c79e75  /bin/mt-gnu
45fc16400d06a4cf9d69c8d619f9104b  /bin/mv
68de2870b06443403332c81022010a24  /bin/nano
f0169e77f969e17e013c295cd74346a6  /bin/nc
f0169e77f969e17e013c295cd74346a6  /bin/netcat
e00b5e934dfa34a968b33cb2566ecdec  /bin/netstat
3aba7c43d7978452e790220b0deb0e4e  /bin/pidof
7001afa26625989c85d05be0d4f93e4e  /bin/ping
d420db19497b56e632756884efd244e9  /bin/ping6
6140d156296de35a86fd154081b00f26  /bin/ps
b7ec22f9d3040fff114acfd4f6d226e7  /bin/pwd
72e1a7bbf8478e3dd08693bec6f4c50e  /bin/rbash
07e433957de1c39329ebd81d61ca44a2  /bin/readlink
bdd022ca8ec797544b3eddb817ce97f5  /bin/rm
34dd0e07f6abdd1531c7c0953752ab1d  /bin/rmdir
68de2870b06443403332c81022010a24  /bin/rnano
1622c90a9570641dd182d0eff4e9d95b  /bin/run-parts
d9be68996d0b87faeb83d1ad8951a481  /bin/sash
1fc6cd13e8a249ec91f7e449f588d6a8  /bin/sed
8501cfbf10055e8d98d82248f8397c08  /bin/setpci
e15427bde126b4204676456a0e304634  /bin/setserial
72e1a7bbf8478e3dd08693bec6f4c50e  /bin/sh
ade32c6b4e49cc3d9c9187b341ab677d  /bin/sleep
8ff11a1d2fa865a1df52f4801b2146ce  /bin/stty
1381ae1ac77b512258657b096522bb6a  /bin/su
ed35991c79e7f27556be284b94a9230e  /bin/sync
3d4ff79b35e99e6d898e1b78d34816fb  /bin/tar
a9a89a3beefb30729ea4ae80d6335cb6  /bin/tcsh
03e5794e352ebc66b02279b1838321a7  /bin/tempfile
dc38f34bdd3f285ea11ebcf806b4c9ad  /bin/touch
8faf4fa090c99faed87c032228319a3d  /bin/true
e85bfe5ccc222ac49fb9093e1234ea0d  /bin/umount
4aae597c9a56e81b9ed4645e07e56e17  /bin/uname
df40328a2c30b3dd195ef2f55d60cef4  /bin/uncompress
91e330c4878314f25300c3300a39ed40  /bin/vdir
5091b25f65a1d8929536c814b314b1c8  /bin/which
df40328a2c30b3dd195ef2f55d60cef4  /bin/zcat
45cde7b4135720aa8404415b34e4dc4b  /bin/zcmp
45cde7b4135720aa8404415b34e4dc4b  /bin/zdiff
7bdd4c28c529181605b96fca78fbd030  /bin/zegrep
7bdd4c28c529181605b96fca78fbd030  /bin/zfgrep
51690321bd9c5b12bb00af25ecccfb66  /bin/zforce
7bdd4c28c529181605b96fca78fbd030  /bin/zgrep
0343bf4b663154853e29d449f9860e87  /bin/zless
f5d294929112a8b11d281fadc62ed4c3  /bin/zmore
85e1a8bc1c27dcf3ca343e34dcae2192  /bin/znew
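
Added example, not part of Doug's reply or of any Debian tool: a POSIX shell
script that carries out the verification step he describes (rewrite the paths
in the reference list so they point under the mount point, then run
md5sum -c from the install CD's own coreutils) and the reverse step of
producing such a list from a trusted tree. The function names verify_tree,
make_reference and demo, and the /mnt-style mount root, are this example's
own assumptions, as is the premise that the reference list came from a trusted
machine running the same package versions: a legitimate package upgrade also
changes the hash, so a mismatch on a freshly updated package is not by itself
evidence of tampering. The built-in demo works on a scratch directory it
creates itself and touches no real filesystem.

```shell
#!/bin/sh
# Added example (not from the original post or from Debian): offline
# verification of /bin against a trusted checksum list, in the shape of
# "md5sum /bin/*" output, with the suspect root mounted read-only at a
# mount point such as /mnt from a rescue/install CD. The function names
# and the mount-point convention are this example's own assumptions.

# make_reference MOUNT_ROOT
#   Produces a list in the same shape as "md5sum /bin/*" run on a live
#   system, but from a tree mounted at MOUNT_ROOT: the mount prefix is
#   stripped so the entries read "/bin/login", ready to be copied to
#   removable media and carried to another machine.
make_reference() {
    root=${1%/}
    md5sum "$root"/bin/* | sed "s#  ${root}/#  /#"
}

# verify_tree REFERENCE_LIST MOUNT_ROOT
#   Rewrites the absolute paths in REFERENCE_LIST to sit below MOUNT_ROOT
#   (the manual edit the reply describes, /bin/login -> /mnt/bin/login)
#   and runs "md5sum -c" on the result. Only the path field is touched;
#   the hashes are copied through unchanged.
#   Returns 0 if every listed file matches, 1 if any differs or is missing.
verify_tree() {
    ref=$1
    root=${2%/}
    tmp=$(mktemp) || return 2
    sed "s#^\([0-9a-f]\{32\}\)  /#\1  ${root}/#" "$ref" > "$tmp"
    # --quiet (GNU coreutils) reports only failures; the exit status is
    # non-zero if any file mismatches or cannot be read.
    if md5sum -c --quiet "$tmp"; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Self-contained demonstration on a constructed scratch tree: build a
# "trusted" tree, take its reference list, verify an identical copy,
# tamper with one binary, and verify again. The file contents are
# placeholders standing in for real binaries.
demo() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/trusted/bin" "$work/suspect/bin"
    printf 'placeholder for a clean login binary\n' > "$work/trusted/bin/login"
    printf 'placeholder for a clean ls binary\n'    > "$work/trusted/bin/ls"
    cp "$work/trusted/bin/login" "$work/trusted/bin/ls" "$work/suspect/bin/"
    make_reference "$work/trusted" > "$work/bin-MD5SUMS"

    printf 'clean tree:    '
    verify_tree "$work/bin-MD5SUMS" "$work/suspect" && echo match || echo MISMATCH

    # Simulate a replaced /bin/login on the suspect disk.
    printf 'placeholder for a trojaned login binary\n' > "$work/suspect/bin/login"
    printf 'tampered tree: '
    verify_tree "$work/bin-MD5SUMS" "$work/suspect" && echo match || echo MISMATCH

    rm -rf "$work"
}

# Usage: verify-bin.sh bin-MD5SUMS /mnt   (check a mounted suspect root)
#        verify-bin.sh                    (run the built-in demo)
if [ $# -eq 2 ]; then
    verify_tree "$1" "$2"
elif [ $# -eq 0 ]; then
    demo
fi
```

The list and the md5sum binary both come from outside the suspect disk (the
floppy and the install CD), which is the point of the exercise: a replaced
/bin/login cannot defend itself if neither the hasher nor the expected values
live on the filesystem being checked. Mounting read-only also keeps access
times and other metadata intact should the box later need a closer look.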
