Is this a security breach?


lugoteehalt
11-10-2009, 10:20 AM
fido:/home/lugo# chattr +i /bin/ps
fido:/home/lugo# /usr/bin/lsattr `echo $PATH | tr ':' ' '` | grep "i--"
/usr/bin/lsattr: Operation not supported While reading flags on /usr/sbin/addgroup
/usr/bin/lsattr: Operation not supported While reading flags on /usr/sbin/traceroute
/usr/bin/lsattr: Operation not supported While reading flags on /usr/sbin/rsmtp
/usr/bin/lsattr: Operation not supported While reading flags on /usr/sbin/update-updmap
/usr/bin/lsattr: Operation not supported While reading flags on /usr/sbin/ramsize

<snip>

/usr/bin/lsattr: Operation not supported While reading flags on /sbin/fsck.msdos
/usr/bin/lsattr: Operation not supported While reading flags on /sbin/reboot
/usr/bin/lsattr: Operation not supported While reading flags on /bin/rbash
/usr/bin/lsattr: Operation not supported While reading flags on /bin/rnano
/usr/bin/lsattr: Operation not supported While reading flags on /bin/nc
/usr/bin/lsattr: Operation not supported While reading flags on /bin/sh
/usr/bin/lsattr: Operation not supported While reading flags on /bin/mt
/usr/bin/lsattr: Operation not supported While reading flags on /bin/netcat
/usr/bin/lsattr: Operation not supported While reading flags on /bin/bzegrep
/usr/bin/lsattr: Operation not supported While reading flags on /bin/bzcmp
/usr/bin/lsattr: Operation not supported While reading flags on /bin/pidof
/usr/bin/lsattr: Operation not supported While reading flags on /bin/bzfgrep
/usr/bin/lsattr: Operation not supported While reading flags on /bin/bzless
----i-------------- /bin/ps
fido:/home/lugo# chattr -i /bin/ps
I'm probably being oversensitive because I have just put the thing on the internet. But www.tldp.org/HOWTO/Security-Quickstart-HOWTO/intrusion.html#HACKED says: A quick sanity check:
# chattr +i /bin/ps
# /usr/bin/lsattr `echo $PATH | tr ':' ' '` | grep "i--"
---i---------- /bin/ps
# chattr -i /bin/ps

This is just to verify the system is not tampered with to the point that lsattr is completely unreliable. The third line is exactly what you should see.

And clearly this is part of what I see but not *exactly* what I see. Thanks for any help.

retsaw
11-11-2009, 12:50 PM
Bear in mind that security guide is over 7 years old, so may be a bit out of date.

I've just tested it on my computer and got the same thing. Since it appeared to be a problem with using lsattr on those files I had a look at some of them and noticed they were all symlinks, so you can safely ignore this error.

To keep the standard output but discard the errors you can change the command to

/usr/bin/lsattr `echo $PATH | tr ':' ' '` 2>/dev/null | grep "i--"

However, a better solution would be to only run lsattr against real files so we can see any (possibly important) error output without being swamped with hundreds of harmless error messages, and we can use "find" to help us with this.

find `echo $PATH | tr ':' ' '` -type f -exec /usr/bin/lsattr {} \; | grep "i--"

This will essentially do the same as the original command, but only for real files.

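The check retsaw describes, written out as a small script. This is an added example and not code from the thread or from the HOWTO; the function names (path_regular_files, lsattr_line_immutable, immutable_files_on_path, immutable_sanity_check) are my own. It assumes lsattr/chattr from e2fsprogs on an ext2/3/4 filesystem, and the final sanity check, like the HOWTO's, needs root. Symlinks and directories are filtered out before lsattr ever sees them, so the "Operation not supported" noise from symlinked binaries disappears while any error on a real file still reaches stderr, which is the property retsaw wanted. The immutable test looks at the flag field rather than grepping for "i--", since newer lsattr versions print a longer flag field where the dashes after the i are not fixed.

```shell
#!/bin/sh
# Added example (not from the thread): scan the regular files on a PATH-like
# string for the immutable (chattr +i) attribute without pointing lsattr at
# symlinks or directories.

# Print the regular files in each directory of $1 (colon separated), one per
# line. Symlinks are skipped (find -type f does not follow them) and missing
# directories are ignored. The trailing slash makes find descend into a
# directory that is itself a symlink, e.g. /bin -> /usr/bin on merged-usr.
path_regular_files() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        [ -n "$dir" ] && [ -d "$dir" ] || continue
        find "${dir%/}/" -maxdepth 1 -type f
    done
}

# Return 0 if one line of lsattr output carries the immutable flag.
# lsattr prints the flag field first, then a space and the path; a lowercase
# 'i' in the flag field is the immutable attribute (uppercase 'I' is a
# different flag, the htree-indexed directory, and must not match).
lsattr_line_immutable() {
    flags=${1%% *}
    case "$flags" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run lsattr on every regular file found on the PATH string $1 and print the
# lines for files that are immutable. stderr is left alone on purpose: with
# symlinks already filtered out, anything lsattr complains about is worth
# seeing.
immutable_files_on_path() {
    path_regular_files "$1" | while IFS= read -r f; do
        line=$(lsattr "$f") || continue
        lsattr_line_immutable "$line" && printf '%s\n' "$line"
    done
}

# The HOWTO's sanity check as a function: mark one binary immutable, confirm
# the scan reports it, then unmark it. Needs root and an ext filesystem.
# Returns 0 if the flag was seen, 1 if lsattr is not reporting reliably,
# 2 if chattr could not set the flag at all.
immutable_sanity_check() {
    target=${1:-/bin/ps}
    chattr +i "$target" || return 2
    seen=$(immutable_files_on_path "$(dirname "$target")" | grep -c -- " $target\$")
    chattr -i "$target"
    [ "$seen" -eq 1 ]
}

# Usage: ./scan.sh --scan      lists immutable files on the current PATH
#        ./scan.sh --check     runs the sanity check against /bin/ps (root)
if [ "${1:-}" = "--scan" ]; then
    immutable_files_on_path "$PATH"
elif [ "${1:-}" = "--check" ]; then
    immutable_sanity_check /bin/ps && echo "lsattr reports the immutable flag as expected"
fi
```

The scan deliberately uses `-maxdepth 1`, unlike retsaw's `find` line, so that a subdirectory accidentally placed on PATH is not walked recursively; drop it if you want the recursive behaviour. A clean run prints nothing at all, and a line appearing for a binary you never marked is the thing worth investigating.
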
lugoteehalt
11-12-2009, 07:19 AM
Great thanks retsaw. That seems definitive.

trilarian
11-12-2009, 11:58 AM
Bear in mind that security guide is over 7 years old, so may be a bit out of date.

Out of curiosity, do you have a link to a newer version guide similar to this one on hand? I enjoy reading through these as I undoubtedly find a couple things I either didn't know or overlooked.