Ubuntu Security :: Rkhunter Suspicious Files And Folders?
Apr 1, 2010
I have been running rkhunter, but how do I view /var/log/rkhunter.log? I have tried using: sudo /var/log/rkhunter.log but all I got was "Command not found".
I got this warning in the log of rkhunter:
Quote:
Checking /dev for suspicious file types [ Warning ]
[13:37:16] Warning: Suspicious file types found in /dev:
[13:37:16] /dev/shm/pulse-shm-43136623: data
[code]....
I ran a chkrootkit scan and found this: The following suspicious files and directories were found: /usr/lib/pymodules/python2.6/.path /usr/lib/xulrunner-1.9.2.8/.autoreg /usr/lib/firefox 3.6.8/.autoreg /usr/lib/jvm/.java-6-openjdk.jinfo
How do I get rid of this suspicious file?
What is the most harmful thing a malware program started as a separate limited user account can do if it has access to the X server? Network and filesystem things are already considered by chroot and netfilter.
It obviously can lock the screen, and I will need to switch to another vt and kill it manually. Can it, for example, disrupt other GUI programs on the same X server (access a root terminal in a nearby window)?
I know that it is safer to run it in a separate X server, for example in Xtightvnc or even some virtual machine, but how dangerous is it to just run it like other programs?
I come to Ubuntu with the notion that it is much more secure than Windows. In XP I had an anti-virus, third-party firewall and sundry software against spybots, rootkits etc. The antivirus blocked suspicious web pages while browsing. I generally avoided public networks, carrying a portable internet device. Do I need similar stuff with Ubuntu?
I know this post isn't strictly Linux based, but since the system in question appears to be using Linux and I am as well, I decided to post this here. In doing other network playing with Ubuntu Server 10.10 I noticed that on all traceroutes I did to any IP, the second hop from my house jumped through a connection on IP 24.96.153.61, which I think should only be another dynamic IP Knology.net customer...
In scanning the IP I now know that it's a Juniper Junos Router 9.2R1.10 (probably running on some VMware, based on googling?). Open ports show:
22 ssh OpenSSH 4.4 v. 1.99
23 telnet Openwall GNU/*/Linux telnetd
At first I thought this was just a legit Knology.net DNS server or something, but using such outdated versions and freeware... I feel suspiciously like this is something else. Also, why in the world would Knology allow remote access to their mainframe equipment? Seems that if it were ever breached it would be beyond terrible for the ISP...
Finally, why can't people not SSH into my box from the outside if I have MAC address filtering on? Anyone know anything about this or am I just being paranoid? I'm a noob, so knowing too little about all this is probably more the problem?
I've recently upgraded to 10.04 and have noticed that all the files or folders I've been creating recently are read only. I can manipulate the folders on my Ubuntu system itself and create new entries, folders, subfolders, and save files, e.g. a payment receipt in PDF format. However, if I then try to move or copy any of these to my DROBO (data storage device), the file gets the LOCK icon on it and becomes read only. If it is a subfolder I can no longer copy to it, and if it's a regular file, say a pdf or flv, I can't modify it. Attempting to change the file permissions on either my Ubuntu desktop or any other folder works, but once it goes to the Drobo I lose the ability to change it off of ---. Again, this was all working fine before doing the upgrade to 10.04. Yes, I did do a clean install to 10.04.
I have a shared partition on Ubuntu, 'dm-6'. If I create a new folder in it, it has 'teocomi' as owner. If I create the folder from another (Windows) PC the owner is 'nobody' and from Ubuntu I have to chmod/chown it in order to edit its content... Is there a way to set automatically the permissions and owner for newly created folders and directories?
I tried with:
Code:
sudo chmod u+s -R /media/dm-6
I have suspicious requests in my haproxy logs from multiple sources to the same target. I could deny them in /etc/hosts.deny, but there are too many to keep track of. Is there a way to deny all requests to a specific target either in haproxy or through iptables?
Here's an example of the request: Apr 12 15:11:37 127.0.0.1 haproxy[28672]: 41.105.42.150:27072 [12/Apr/2011:15:11:37.315] web_servers frontend_farm/######## 3/0/1/1/169 404 1073 - - --NI 3/3/2/1/0 0/0 "GET /images/comment_icon.gif HTTP/1.1"
I've commented out my Amazon instance id for security purposes. The request is for comment_icon.gif, which does not exist. All requests go to that. The source IPs are from different countries as well, so blocking a certain country won't work either. Basically, if there was a way to send all requests for comment_icon.gif to /dev/null or something, it would work.
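One way to drop those requests at the load balancer rather than in hosts.deny is a path ACL in the frontend. The fragment below is an added illustration, not configuration from the original thread; the frontend name web_servers and backend name frontend_farm are taken from the log line above, and everything else is assumed.

```haproxy
frontend web_servers
    bind *:80
    # Match the exact URL path the probes ask for (no host or query string).
    acl probe_comment_icon path /images/comment_icon.gif
    # Reject matching requests in the frontend; the client gets a 403 and the
    # backend never sees the request. On HAProxy 1.4 the equivalent directive
    # is:  block if probe_comment_icon
    http-request deny if probe_comment_icon
    default_backend frontend_farm
```

After a reload, the same haproxy log format will show these requests with status 403 and no backend server, which is the quickest check that the rule is being hit; the log lines themselves are worth keeping, since the source IP list is the evidence if you later decide to report the scan.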
My server is probably hacked and sending spam emails. I see them randomly in maillog (/usr/local/psa/var/log/maillog, the server has a Plesk panel), sometimes a few in a long time, sometimes a lot of them. Here is a sample of it:
Jan 4 00:47:08 acv360 qmail-remote-handlers[17662]: Handlers Filter before-remote for qmail started ...
Jan 4 00:47:08 acv360 qmail-remote-handlers[17662]: from=root@acv360.com
[code].....
Still working on the mask of files for a shared folder. I now have a shared folder with the exact behavior I expect:
Code:
sudo addgroup share_group
sudo mkdir /media/volume/shared_dir
sudo chgrp share_group /media/volume/shared_dir
sudo chmod g+s /media/volume/shared_dir
sudo chmod 770 /media/volume/shared_dir
sudo setfacl -d -m group::rwx /media/volume/shared_dir
sudo setfacl -d -m other::--- /media/volume/shared_dir
emma@box:/media/volume/shared_dir$ ls -al
total 8
drwxrws---+ 2 root share_group 4096 2010-02-09 12:53 .
drwxr-xr-x 8 root root 4096 2010-02-09 11:58 ..
-rw-rw----+ 1 emma share_group 0 2010-02-09 12:53 test
By default, a user from the group can modify this file. That's perfect.
I have defined the share in Samba this way:
Code:
[share]
comment = Shared Folder
path = /media/volume/shared_dir
browseable = yes
guest ok = no
read only = no
hide dot file = yes
# force group = share_group
# create mask = 0660
# directory mask = 0770
# force create mask = 0660
# force directory mask = 0770
When drag & dropping a file in this share, here is the default mask:
Code:
emma@box:/media/volume/shared_dir$ ls -al
total 192
drwxrws---+ 2 root share_group 4096 2010-02-09 12:54 .
drwxr-xr-x 8 root root 4096 2010-02-09 11:58 ..
-rw-rwx---+ 1 emma share_group 6148 2010-02-09 12:54 .DS_Store
-rw-rwxr--+ 1 emma share_group 176684 2009-12-21 23:33 IMG_7487.jpg
So the dropped file has execution rights for the group, and read access for other. I expected it to have the same rights as the file created directly using the touch command. I tried to play with the mask options, without success. The file has been dropped from my Mac, which is a Unix-like OS. I guess that some permissions are inherited from the original file, for the user and other parts. But where does the group permission come from? Moreover, is it possible to define in Samba a default mask, whatever the permissions of the original file?
After trying Truecrypt, LUKS, and Ecryptfs I decided to try NTFS encryption. Now, on a dual boot computer from Ubuntu I can browse the encrypted folders but can not open the encrypted files. All attempts produce access denials yet the Unix file permissions appear to be "0777" (owner, group, and world readable-writable).
Is there someway to get Ubuntu's NTFS software to recognize and decrypt the encrypted files? Would a different NTFS package work such as NTFS-3g?
restrict a user from seeing hidden files and folders?
What is the best method for checking for rootkits? I have heard that it is best not to install and run these programs on the distro itself. Would it be possible to install them on another distro/partition and then use them to check for rootkits on my main partition/distro (Ubuntu)?
I just installed the rkhunter tool via apt-get install rkhunter. When I ran the rkhunter check, rkhunter came up with a warning about "GasKit Rootkit"; I don't understand what it is.
This server was installed new and is maybe 1 week old, so I don't understand why this happens.
I'm going to create a backup script for my files/folders...
This script creates a tar.gz of the folders/files you want.
What I want is to encrypt these .tar.gz files and, when I need them, decrypt them. Does anyone have an idea on how to encrypt these files?
My script looks like this:
Code:
BACKUPDATE=$(date +%d%m%Y)
cd /home/n3t
echo "taking Backup of your home/n3t/Downloads dir"
tar -czvf /media/disk/BACKUP/home/Downloads/$BACKUPDATE.tar.gz ./Downloads
Recently I've been finding two strange-looking files on my Windows shared folders! Their names are 'khy' and 'qffhtx.exe', they appear as hidden, and they're hard to delete!! Especially the first one, because it has no extension. I use Ubuntu 10.10, but I am worried because I also dual-boot Windows XP. Today I tried to open the .exe file in Nautilus to see what is inside and I received the message "Unable to open archive"; 'khy' is apparently an empty text file. Then I unmounted my /home partition so my files are out of the way, and I ran the .exe file using WINE.
Now I have a strange-looking applet on my top panel!! It says "Script paused", it also says "Exit", and also the Wine command prompt says something strange about "LockWindowUpdate". Don't imagine it, I'll post the screenshots so you can see it for yourselves. Also, and this is weird, the virus apparently is trying to call a Windows process named csrcs.exe!! Again, I'll post the screenshots.
If this is a virus, then it's like a fish out of the water on my Ubuntu. It's probably trying to do something but it can't find its way around; it's kinda funny, but I'm worried because I also dual-boot Windows XP. I'm having a hard time trying to remember the name KHY, it's a very weird acronym, it's the acronym of a disease according to what I googled. I'm sure it's a virus!!! Anyway, it's HARD to remember!!!
What can I do about this? How can I see the "script"? Can Ubuntu kick its ***? How can I clean my Windows?
You should be running a firewall. I would also periodically check for rootkits with rkhunter and chkrootkit. Antivirus is usually optional, but it depends on your network... if you have Window$ machines, do use clamav or something.
Hope I'm not distorting the thread, but I just ran rkhunter and got a lot of red warnings; especially worrying seems:
Quote:
Applications checks...
Applications checked: 4
Suspect applications: 3
According to the rkhunter home page, rkhunter is tested on Slackware up to version 10.1. Does this mean it is not useful on Slackware 13.1?
I've got rkhunter installed and regularly do scans immediately before & after updates, & if I get warnings about 'file property updates' after the update I use 'rkhunter --propupd' to give me a clean run.
I'm about to set up an Ubuntu computer for my nan. I want to enable automatic security updates so she doesn't have to do anything to keep her system secure. I was planning on running rkhunter when I go to her house (about once a month) and checking the dates in the resulting rkhunter.log warnings against those in /var/log/apt/history.log to see if legitimate updates caused any rkhunter warnings. I've noticed though that the 'Current file modification time:' values in the rkhunter.log warnings are incorrect.
My system seems to be about 15 days behind the actual date, I've now run rkhunter --propupd so I have no warnings but got this one off another forum post to show what I mean:
Current file modification time: 1283341157 (01-Sep-2010 06:39:17)
I believe that the '1283341157' is the time in some strange format and the date in brackets is what rkhunter thinks it might be in human format.
1) How to interpret the 'strange date format' (1283341157 in the line above)?
2) If there's a way of configuring the date in rkhunter so that they're correct in rkhunter.log?
3) If there's a better way of keeping her system up-to-date & secure, it's her first computer & she's 86 so I think setting up automatic security updates is the way to go, it'll be one less thing to overwhelm her!
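The first question (what the bare number means) and the monthly check the poster describes (matching rkhunter's warnings against apt's history) can both be done in a few lines. The script below is an added example, not code from the thread or from the rkhunter project: the integer is seconds since 1970-01-01 00:00 UTC (the Unix epoch), and both log excerpts are constructed samples in the shape of rkhunter.log and /var/log/apt/history.log rather than real scan output. The 5-minute slack, the function names and the choice to read the sample as UTC (so the run is reproducible; on a real host both logs are local time, so leave tz at its default) are this example's own.

```python
"""Decode rkhunter's epoch timestamps and check each 'file properties changed'
warning against the apt transactions recorded in history.log."""
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed sample in the shape of rkhunter.log warnings (values made up for
# this example; the text in parentheses is rkhunter's rendering, not parsed).
RKHUNTER_LOG = """\
[17:50:08] Warning: The file properties have changed:
[17:50:08]          File: /usr/bin/last
[17:50:08]          Current file modification time: 1283341157 (01-Sep-2010 11:39:17)
[17:50:08]          Stored file modification time : 1270000000 (31-Mar-2010 01:46:40)
[17:50:09] Warning: The file properties have changed:
[17:50:09]          File: /usr/bin/ldd
[17:50:09]          Current file modification time: 1284000000 (09-Sep-2010 02:40:00)
[17:50:09]          Stored file modification time : 1270000000 (31-Mar-2010 01:46:40)
"""

# Constructed sample in the shape of /var/log/apt/history.log (one upgrade run;
# the package name and versions are placeholders).
APT_HISTORY = """\
Start-Date: 2010-09-01  11:35:12
Commandline: apt-get upgrade
Upgrade: some-package (1.0-1, 1.0-2)
End-Date: 2010-09-01  11:40:02
"""

FILE_RE = re.compile(r"\bFile: (\S+)")
MTIME_RE = re.compile(r"Current file modification time: (\d+)")
APT_RE = re.compile(r"^(Start|End)-Date: (\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2})", re.M)


def epoch_to_text(epoch, tz=None):
    """Render an rkhunter timestamp (seconds since 1970-01-01 00:00 UTC) the
    way rkhunter prints it; tz=None means the system's local zone."""
    return datetime.fromtimestamp(epoch, tz=tz).strftime("%d-%b-%Y %H:%M:%S")


def parse_rkhunter_warnings(text):
    """Return {path: current mtime as epoch} for each properties-changed warning."""
    mtimes, current = {}, None
    for line in text.splitlines():
        m = FILE_RE.search(line)
        if m:
            current = m.group(1)
            continue
        m = MTIME_RE.search(line)
        if m and current:
            mtimes[current] = int(m.group(1))
            current = None
    return mtimes


def parse_apt_windows(text, tz=None):
    """Return [(start, end)] datetimes, one pair per apt transaction.
    apt writes local time; tz is only attached so values can be compared."""
    windows, start = [], None
    for kind, day, clock in APT_RE.findall(text):
        stamp = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
        if kind == "Start":
            start = stamp
        elif start is not None:
            windows.append((start, stamp))
            start = None
    return windows


def explain_warnings(rk_text, apt_text, tz=None, slack=timedelta(minutes=5)):
    """Map each warned file to True when its new mtime lies inside a logged apt
    run (plus slack for post-install scripts). False means no package operation
    accounts for the change, so that file deserves a closer look."""
    windows = parse_apt_windows(apt_text, tz)
    verdict = {}
    for path, epoch in parse_rkhunter_warnings(rk_text).items():
        mtime = datetime.fromtimestamp(epoch, tz=tz)
        verdict[path] = any(s - slack <= mtime <= e + slack for s, e in windows)
    return verdict


if __name__ == "__main__":
    # tz=UTC only because the samples above are constructed; on a real host
    # call explain_warnings(open(...).read(), open(...).read()) with no tz.
    for path, ok in explain_warnings(RKHUNTER_LOG, APT_HISTORY, tz=UTC).items():
        print(path, "explained by apt run" if ok else "UNEXPLAINED, investigate")
```

A file whose mtime matches an apt run is the expected result of an update and is the case `rkhunter --propupd` is meant for; a file that changed outside any run is exactly the warning the monthly visit should not wave through, so run `--propupd` only after that list is empty or each entry is understood.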
When I scanned my Ubuntu 10.04 with rkhunter, a rootkit hunter toolkit, it gave the following warning:
Is there something that I have to worry about?
Code:
I have just been checking one of my machines with rkhunter and got the following result:
Code:
[17:50:08] Warning: Checking for possible rootkit strings [ Warning ]
[17:50:09] Found string 'hdparm' in file '/etc/init.d/checkroot.sh'. Possible rootkit: Xzibit Rootkit
[17:50:09] Found string 'hdparm' in file '/etc/init.d/bootlogd'. Possible rootkit: Xzibit Rootkit
Using a well-known search engine shows that others have come across this before: [URL] I have installed the current version of rkhunter from Debian's Unstable repo, but I still have the same result as above. I now checked the rkhunter wiki, which mentions the same problem: [URL]
Quote: Here is an example on my system to remove a false positive for a certain rootkit that hit hdparm.
[Code]....
Is this a false positive from rkhunter?
/usr/bin/curl [ Warning ]
/usr/bin/ldd [ Warning ]
Chkrootkit came back ok. Running ClamAV and will only add that here if it finds anything. I just never remember seeing these before. This is in Ubuntu 10.10.
Last night I received the classic rkhunter email with several warnings inside:
Quote:
Warning:
Warning:
Warning:
and so on..
Why isn't rkhunter able to calculate the hash of those files and compare it with the stored one?
Other strange thing: for the "good" file, the hash is often different!
For example, in the last rkhunter.log, /bin/awk is "good".
But:
Quote:
Quote:
So, if the sha1sum is different, why does rkhunter tell me that awk is secure?
Rkhunter file properties changed
I recently ran an rkhunter check and in my log I have found some very odd (to me at least) reports.
/usr/bin/last [ Warning ]
Warning: The file properties have changed:
File: /usr/bin/last
[code]....
I get this warning from SELinux:
"SELinux is preventing /bin/mailx from append access on the file /var/lib/rkhunter/rkhcronlog.OmRFCZOynG."
I tried to fix it with "# /sbin/restorecon -v /var/lib/rkhunter/rkhcronlog.OmRFCZOynG" as suggested by SELinux, but it comes back with another warning, with a different /rkhcronlog.xxxxxxxxx...
I think it's just an rkhunter logging issue. Attached here is the actual error message from SELinux.
Let's say you have a host with some kind of locally installed rootkit detector/scanner.
If someone managed to get root access to that box, wouldn't the first thing to do, before installing a rootkit, be to remove any kind of rootkit detector?
Is there anything suspicious about this auth.log? I find the many CRON outputs and the part with gconftool weird. Also, why don't I have the permission to view "/var/log/btmp1". It has never happened before.
I'm using GNOME's log viewer.
[Code]...
why I can't open this file.
[root@localhost fedora]# gedit /etc/var/log/rkhunter/rkhunter.log
No protocol specified
(gedit:24869): Gtk-WARNING **: cannot open display: :0.0
[root@localhost fedora]# gedit /var/log/rkhunter/rkhunter.log
No protocol specified
There is absolutely no reason why it can't be opened. I opened it just fine earlier and now it won't open up for inspection.