Are these scan logs dangerous ?

by a dehqan

In The Name Of God

I'll be thankful if you guide me.
This is the rkhunter result > http://pastebin.com/f6558ccd3
There are two warnings in the log; is the system infected?
What are these warnings for?

[11:19:43] /usr/sbin/unhide-linux26                          [ Warning ]
[11:19:43] Warning: The file '/usr/sbin/unhide-linux26' exists on the system, but it is not present in the rkhunter.dat file.
Should it certainly be in rkhunter.dat?

[11:19:59] Performing trojan specific checks
[11:19:59] Info: Starting test name 'trojans'
[11:19:59] Info: Using inetd configuration file '/etc/inetd.conf'
[11:19:59]   Checking for enabled inetd services             [ Warning ]
[11:19:59] Warning: Found enabled inetd service: ident

Should it certainly be disabled?

Regards dehqan

Re: Are these scan logs dangerous ?

by Davide Prina

a dehqan wrote:

>> [11:19:43] Warning: The file '/usr/sbin/unhide-linux26' exists on the
>> system, but it is not present in the rkhunter.dat file.

$ apt-file search /usr/sbin/unhide-linux26
unhide: /usr/sbin/unhide-linux26

Probably you have installed unhide as suggested by rkhunter, and you
installed it after the last rkhunter check.

You can check the unhide package with

$ debsums unhide

Note: this is not a 100% secure check. It uses the
/var/lib/dpkg/info/*.md5sums stored files, so an attacker could have
modified those too... or could have cracked the debsums program.

When you have seen that unhide is ok, you can add it to rkhunter with the
--propupd command option.

>> [11:19:59]   Checking for enabled inetd services             [ Warning ]
>> [11:19:59] Warning: Found enabled inetd service: ident

If your PC has an internet connection then it is normal to have the
inetd/ident service active.

Ciao
Davide

--
Dizionari: http://linguistico.sourceforge.net/wiki
Why does Microsoft keep committing illegal acts?:
http://linguistico.sf.net/wiki/doku.php?id=traduzioni:ms_illegal
GNU/Linux User: 302090: http://counter.li.org
I do not authorize the storage of my address in Outlook


--
To UNSUBSCRIBE, email to debian-security-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...


Re: Are these scan logs dangerous ?

by a dehqan

In The Name Of God

Thanks a lot for your attention.
Yes, after rkhunter --propupd, unhide has been OK.

But about the ident service, see:

# chkconfig --level 23 identd off
identd: unknown service

But port 113 (auth) is open! So which service has opened port 113?

On Sun, Jul 5, 2009 at 10:35 PM, lee <lee@...> wrote:
On Sun, Jul 05, 2009 at 10:41:40AM +0200, Davide Prina wrote:
>>> [11:19:59]   Checking for enabled inetd services             [ Warning ]
>>> [11:19:59] Warning: Found enabled inetd service: ident
>
> if you PC have an internet connection than it is normal to have
> inetd/ident service active

You can turn off identd. The port for ident should be closed at least
to the outside anyway, so it doesn't matter if you have an internet
connection or not. Otherwise, it doesn't seem to serve any
purpose. Exim might try to make ident calls, but that can be turned
off.

Regards dehqan


Re: Are these scan logs dangerous ?

by Brian Bilbrey

On Jul 5, 2009, at 3:26 PM, a dehqan wrote:
...
>
>
> But about ident service ,see >
>
> # chkconfig --level 23 identd off
> identd: unknown service
>
> But port 113 auth is open ! So which service has opened port 113 ?


Remember your initial warning messages from rkhunter:

>>> [11:19:59]   Checking for enabled inetd services             [ Warning ]
>>> [11:19:59] Warning: Found enabled inetd service: ident

So, the inetd superserver is probably where you want to look. Either
inetd.conf or xinetd.conf or xinetd.d/* ...

But remember, there are legitimate reasons to be running ident.

best,


.brian

--
Brian Bilbrey : bilbrey@...
"Regulatory science is to science as bear traps are to bears."
                                 Dr. Jerry Pournelle




Re: Are these scan logs dangerous ?

by Henri Salo

On Sun, 5 Jul 2009 23:56:36 +0430
a dehqan <dehqan65@...> wrote:

> In The Name Of God
>
> Thanks alot for your attentions ;
> Yes , after rkhunter --propupd ,unhide has been ok .
>
> But about ident service ,see >
>
> # chkconfig --level 23 identd off
> identd: unknown service
>
>
> But port 113 auth is open ! So which service has opened port 113 ?

netstat -lnop|grep ":113"

---
Henri Salo




Re: Are these scan logs dangerous ?

by Davide Prina

a dehqan wrote:

please quote :-)

> # chkconfig --level 23 identd off
> identd: unknown service

Probably you have confused inetd with identd.

> But port 113 auth is open ! So which service has opened port 113 ?

As root:
# netstat -putan

to see all the listening services.

To see only port 113:
# fuser -n tcp 113

You can also use lsof:
# lsof -i -n

# lsof -i TCP:113

Ciao
Davide

--
Dizionari: http://linguistico.sourceforge.net/wiki
Browser: http://www.mozilla.org/products/firefox
GNU/Linux User: 302090: http://counter.li.org
I do not authorize the storage of my address in Outlook




Re: Are these scan logs dangerous ?

by a dehqan

In The Name Of God

Thanks a lot for your attention.
Yes, the service is inetd. How can port 113 be closed?

#netstat -lnop|grep ":113"
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN      3550/inetd       off (0.00/0/0)

# lsof -i :113
COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
inetd   3550 root    5u  IPv4   9108       TCP *:auth (LISTEN)

Regards dehqan

Re: Are these scan logs dangerous ?

by Riku Valli

a dehqan wrote:
> In The Name Of God
>
> Thanks alot for your attentions ;
> Yes ,service is inetd .How can port 113 be closed ?
You can, for example, close all services with the command update-inetd, and
once all services have been disabled, restart openbsd-inetd. The service
isn't started if all services are disabled.

Regards, Riku

>
>     #netstat -lnop|grep ":113"
>     tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN      3550/inetd       off (0.00/0/0)
>
>
>      lsof -i :113
>     COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
>     inetd   3550 root    5u  IPv4   9108       TCP *:auth (LISTEN)
>
>  
> Regards dehqan


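The two checks the thread walks through (rkhunter's "enabled inetd services" warning, and mapping the listener on tcp/113 back to the inetd process) as an added shell example that is not from the thread. The inetd.conf content and the netstat lines are constructed samples shaped like the output quoted above, so the script runs offline without touching the real /etc/inetd.conf.

```shell
#!/bin/sh
# Added example (not from the thread): replay two checks from the discussion
# on constructed input so the result can be reasoned about offline.

# Constructed inetd.conf: one active entry (ident, the rkhunter hit),
# two commented-out (disabled) entries, a comment and a blank line.
SAMPLE_INETD_CONF='# /etc/inetd.conf (constructed sample)
#:INTERNAL: Internal services
#discard  stream  tcp  nowait  root  internal
ident  stream  tcp  wait  identd  /usr/sbin/identd  identd

#telnet  stream  tcp  nowait  telnetd  /usr/sbin/tcpd  /usr/sbin/in.telnetd
'

# Constructed "netstat -lnop" output, same column layout as quoted above.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN      3550/inetd       off (0.00/0/0)
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2201/exim4       off (0.00/0/0)
'

# enabled_inetd_services CONF_TEXT
# Prints the service name (first field) of every non-comment, non-blank
# line: an entry is "enabled" unless it is commented out, which is what
# the rkhunter check reports on.
enabled_inetd_services() {
    printf '%s' "$1" | awk '
        /^[[:space:]]*#/ { next }   # commented out = disabled
        NF == 0          { next }   # blank line
        { print $1 }'
}

# listener_for_port PORT NETSTAT_TEXT
# Prints the PID/Program column for the LISTEN socket bound to PORT
# (e.g. "3550/inetd" for 113); prints nothing if no listener matches.
listener_for_port() {
    printf '%s' "$2" | awk -v port="$1" '
        $6 == "LISTEN" && $4 ~ (":" port "$") { print $7 }'
}

main() {
    echo "Enabled inetd services:"
    enabled_inetd_services "$SAMPLE_INETD_CONF"
    echo "Process listening on tcp/113: $(listener_for_port 113 "$SAMPLE_NETSTAT")"
}

main
```

Pointing the same two functions at `cat /etc/inetd.conf` and `netstat -lnop` output on a live host reproduces the check; an entry that the first function prints is what `update-inetd --disable` would turn off, after which inetd stops binding the port.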