Re: /bin/login listening?

On Sun, Jul 29, 2007 at 03:56:08PM +0000, Tyler Smith wrote:  

> So if I'm compromised nothing is safe, and the only guaranteed way to
> clear this up is to format my harddrive and reinstall. Given that the
> only evidence of a problem is a warning about /bin/login listening
> from rkhunter, which happened only once, and I have had no other
> problems with my net connection or general performance of my laptop,
> let alone mysterious withdrawals from my bank account or other signs
> of stolen passwords, what should I be doing?
>
> >From the advice received and what I'm reading, I'm getting two very
> different messages - I must reinstall to be 100% certain that I'm
> safe, and while I can't be 100% certain I'm safe it's pretty unlikely
> that I have a real problem.
>
> What would you do in my situation?
>

Try this:

Boot the box from something like the install CD, go to a shell, mount your / partition ro, noexec.

I think the install CD has md5sum installed. Run:

        #md5sum /bin/login.

On my i386, I get:

2ee32ff74e474c4d9fc9df6f1460980f /bin/login

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.debian.org Links debian-announce debian-apache debian-arm-changes debian-beowulf debian-boot debian-cd debian-cd-vendors debian-changes debian-changes-digest debian-isp debian-kde debian-laptop debian-mirrors-announce debian-news debian-security debian-security-announce debian-testing debian-user debian-user-digest Request more information about Pantek

If /bin/login is fine, then I'd forget about it. If it differs, I'd wipe the drive and reinstall; from backups before your first indication of a problem. Then examine the difference between that backup's data and your most recent backup.

Actually, to put your mind at ease, I've attached a file bin-MD5SUMS which is the output of:

        $md5sum /bin/* > bin-MD5SUMS

Put this onto a floppy and mount it when you boot your install CD. Then edit it so that, for example the /bin/login reads /mnt/bin/login.

You can then verify the whole /bin with

        #md5sum -c bin-MD5SUMS

Here's the file, and good luck.

Doug.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.debian.org Links debian-announce debian-apache debian-arm-changes debian-beowulf debian-boot debian-cd debian-cd-vendors debian-changes debian-changes-digest debian-isp debian-kde debian-laptop debian-mirrors-announce debian-news debian-security debian-security-announce debian-testing debian-user debian-user-digest Request more information about Pantek

-- 
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org


text/plain attachment: bin-MD5SUMS