| 1 |
>> > Thanks Mick. My host is big with multiple data centers of their own. |
| 2 |
>> > They did exactly as I asked and I'm running on new RAM. There was a |
| 3 |
>> > problem bringing my system back online and the cause was purported to |
| 4 |
>> > be an unseated ethernet cable. I handed over my root password as I |
| 5 |
>> > was requested to do, and then started to get paranoid. I suppose I |
| 6 |
>> > shouldn't though because with physical access to my machine they |
| 7 |
>> > pretty much have full access anyway, right? |
| 8 |
> |
| 9 |
>> Usually, physical access means they either have it or can get it pretty |
| 10 |
>> quick. Boot a CD/DVD, mount the partitions, chroot in, change password |
| 11 |
>> and reboot. Then, you don't have the password but they do. |
| 12 |
> |
| 13 |
> That's pretty obvious though. Physical access allows them to change your |
| 14 |
> password but not read it, so you'd know pretty soon if they'd been up to |
| 15 |
> anything. |
| 16 |
> |
| 17 |
> If they really do need the root password, you have to give it to them, |
| 18 |
> but that doesn't stop you changing it, and running a rootkit scan, as |
| 19 |
> soon as they've finished with it. |
| 20 |
|
| 21 |
I've run chkrootkit, but I noticed: |
| 22 |
|
| 23 |
The file of stored file properties (rkhunter.dat) does not exist, and |
| 24 |
so must be created. To do this type in 'rkhunter --propupd'. |
| 25 |
|
| 26 |
I thought the best practice with a rootkit checker like chkrootkit was |
| 27 |
to not leave it installed on the system so you can run it as a clean |
| 28 |
install when the time comes? |
| 29 |
|
| 30 |
Do any of these warnings sound an alarm for anyone? I think the SSH |
| 31 |
warnings are OK because I have a normal user specified with AllowUsers |
| 32 |
and the config file says: |
| 33 |
|
| 34 |
# The default requires explicit activation of protocol 1 |
| 35 |
#Protocol 2 |
| 36 |
|
| 37 |
Here are the warnings: |
| 38 |
|
| 39 |
Warning: The command '/usr/bin/ldd' has been replaced by a script: |
| 40 |
/usr/bin/ldd: Bourne-Again shell script text executable |
| 41 |
|
| 42 |
Warning: The command '/usr/bin/whatis' has been replaced by a script: |
| 43 |
/usr/bin/whatis: POSIX shell script text executable |
| 44 |
|
| 45 |
Warning: The command '/usr/bin/lwp-request' has been replaced by a |
| 46 |
script: /usr/bin/lwp-request: a /usr/bin/perl -w script text |
| 47 |
executable |
| 48 |
|
| 49 |
Warning: No output found from the lsmod command or the /proc/modules file: |
| 50 |
/proc/modules output: |
| 51 |
lsmod output: |
| 52 |
|
| 53 |
Warning: The SSH configuration option 'PermitRootLogin' has not been |
| 54 |
set. The default value may be 'yes', to allow root access. |
| 55 |
|
| 56 |
Warning: The SSH configuration option 'Protocol' has not been set. The |
| 57 |
default value may be '2,1', to allow the use of protocol version 1. |
| 58 |
|
| 59 |
Warning: Hidden directory found: /dev/.udev |
| 60 |
|
| 61 |
- Grant |
Archives