Is this a security breach?



  1. #1
    Join Date
    Mar 2003
    Location
    UK
    Posts
    621

    Is this a security breach?

    Code:
    fido:/home/lugo# chattr +i /bin/ps
    fido:/home/lugo# /usr/bin/lsattr `echo $PATH | tr ':' ' '` | grep "i--"
    /usr/bin/lsattr: Operation not supported While reading flags on /usr/sbin/addgroup
    /usr/bin/lsattr: Operation not supported While reading flags on /usr/sbin/traceroute
    /usr/bin/lsattr: Operation not supported While reading flags on /usr/sbin/rsmtp
    /usr/bin/lsattr: Operation not supported While reading flags on /usr/sbin/update-updmap
    /usr/bin/lsattr: Operation not supported While reading flags on /usr/sbin/ramsize
    
    <snip>
    
    /usr/bin/lsattr: Operation not supported While reading flags on /sbin/fsck.msdos
    /usr/bin/lsattr: Operation not supported While reading flags on /sbin/reboot
    /usr/bin/lsattr: Operation not supported While reading flags on /bin/rbash
    /usr/bin/lsattr: Operation not supported While reading flags on /bin/rnano
    /usr/bin/lsattr: Operation not supported While reading flags on /bin/nc
    /usr/bin/lsattr: Operation not supported While reading flags on /bin/sh
    /usr/bin/lsattr: Operation not supported While reading flags on /bin/mt
    /usr/bin/lsattr: Operation not supported While reading flags on /bin/netcat
    /usr/bin/lsattr: Operation not supported While reading flags on /bin/bzegrep
    /usr/bin/lsattr: Operation not supported While reading flags on /bin/bzcmp
    /usr/bin/lsattr: Operation not supported While reading flags on /bin/pidof
    /usr/bin/lsattr: Operation not supported While reading flags on /bin/bzfgrep
    /usr/bin/lsattr: Operation not supported While reading flags on /bin/bzless
    ----i-------------- /bin/ps
    fido:/home/lugo# chattr -i /bin/ps
    I'm probably being oversensitive because I have just put the thing on the internet. But http://www.tldp.org/HOWTO/Security-Q...on.html#HACKED says:
    A quick sanity check:
    # chattr +i /bin/ps
    # /usr/bin/lsattr `echo $PATH | tr ':' ' '` | grep "i--"
    ---i---------- /bin/ps
    # chattr -i /bin/ps

    This is just to verify the system is not tampered with to the point that lsattr is completely unreliable. The third line is exactly what you should see.
    And clearly this is part of what I see but not *exactly* what I see. Thanks for any help.
    MI6, Offensive Information, Hackers, Encryption, UFO, AOL, Infowar, Bubba, benelux, Ufologico Nazionale, domestic disruption, 15kg, DUVDEVAN, debugging, Bluebird, Ionosphere, Keyhole, NABS, Kilderkin, Artichoke, Badger, spookwords, EuroFed, SP4, Crypto AG – a few, alleged, Echelon keywords. Please add some to your email signature. Full list: http://www.serendipity.li/cia/bz1.html
    http://www.nosoftwarepatents.com/

  2. #2
    Join Date
    Apr 2003
    Location
    UK
    Posts
    1,180
    Bear in mind that security guide is over 7 years old, so may be a bit out of date.

    I've just tested it on my computer and got the same thing. Since it appeared to be a problem with using lsattr on those files I had a look at some of them and noticed they were all symlinks, so you can safely ignore this error.

    To keep the standard output but discard the errors you can change the command to
    Code:
    /usr/bin/lsattr `echo $PATH | tr ':' ' '` 2>/dev/null | grep "i--"
    However, a better solution would be to only run lsattr against real files so we can see any (possibly important) error output without being swamped with hundreds of harmless error messages, and we can use "find" to help us with this.
    Code:
    find `echo $PATH | tr ':' ' '` -type f -exec /usr/bin/lsattr {} \; | grep "i--"
    This will essentially do the same as the original command, but only for real files.
    Last edited by retsaw; 11-11-2009 at 12:53 PM.
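    The check from post #1 and retsaw's symlink-free variant above, as an added example that is not code from the thread or from the TLDP guide: it reads the lsattr flags field itself instead of grepping for "i--", because that pattern depends on which flag happens to follow 'i' and on the field width of the lsattr version (the guide shows 14 dashes, the poster's box shows 19). The sample lsattr output is constructed, and /var/log/audit.log is a made-up entry with both 'i' and 'a' set.

    ```shell
    #!/bin/sh
    # Added example, not code from the thread. Same idea as the thread's
    # immutable-flag sanity check over $PATH (regular files only), but the
    # flags field is inspected directly rather than matched with grep "i--",
    # which misses a file whose 'i' is followed by another set flag.

    # Constructed sample lsattr output: both field widths seen in the thread,
    # one file with 'i' and 'a' set (grep "i--" would miss it), and an
    # error line of the kind lsattr prints for symlinks.
    SAMPLE_LSATTR='----i-------------- /bin/ps
    -------------e----- /bin/ls
    ---i---------- /sbin/init
    ----ia------------- /var/log/audit.log
    /usr/bin/lsattr: Operation not supported While reading flags on /bin/sh'

    # immutable_files: read lsattr output on stdin and print the path of every
    # entry whose flags field contains the lowercase immutable flag 'i'.
    # "lsattr: ..." error lines (first word ends in ':') are skipped if they
    # were merged into stdin; otherwise they stay on stderr and remain visible.
    immutable_files() {
        while read -r flags path; do
            case "$flags" in
                *:) continue ;;
                *i*) printf '%s\n' "$path" ;;
            esac
        done
    }

    # scan_path_immutable: lsattr over regular files in each $PATH directory,
    # skipping symlinks as retsaw suggests, so real errors are not drowned out.
    scan_path_immutable() {
        find $(printf '%s\n' "$PATH" | tr ':' ' ') -type f \
            -exec /usr/bin/lsattr {} + | immutable_files
    }

    # immutable_canary: the TLDP sanity check (needs root on an ext file system).
    # Returns 0 if lsattr reports the flag, 1 if not, 2 if chattr itself failed.
    immutable_canary() {
        f=${1:-/bin/ps}
        chattr +i "$f" || return 2
        if /usr/bin/lsattr "$f" | immutable_files | grep -qx "$f"; then
            rc=0
        else
            rc=1
        fi
        chattr -i "$f"
        return $rc
    }
    ```

    Run `immutable_canary && scan_path_immutable` as root to reproduce the guide's check; on a healthy system the only path printed during the canary step is the file you made immutable.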

  3. #3
    Join Date
    Mar 2003
    Location
    UK
    Posts
    621
    Great thanks retsaw. That seems definitive.

  4. #4
    Join Date
    Jul 2002
    Location
    New Orleans, LA USA
    Posts
    986
    Originally posted by retsaw:
        Bear in mind that security guide is over 7 years old, so may be a bit out of date.
    Out of curiosity, do you have a link to a newer version guide similar to this one on hand? I enjoy reading through these as I undoubtedly find a couple things I either didn't know or overlooked.
    "Whenever you find yourself on the side of the majority, it's time to pause and reflect."

    -Mark Twain
