>> > Thanks Mick. My host is big with multiple data centers of their own.
>> > They did exactly as I asked and I'm running on new RAM. There was a
>> > problem bringing my system back online and the cause was purported to
>> > be an unseated Ethernet cable. I handed over my root password as I
>> > was requested to do, and then started to get paranoid. I suppose I
>> > shouldn't though because with physical access to my machine they
>> > pretty much have full access anyway, right?
>
>> Usually, physical access means they either have it or can get it pretty
>> quickly. Boot a CD/DVD, mount the partitions, chroot in, change password
>> and reboot. Then, you don't have the password but they do.
>
> That's pretty obvious though. Physical access allows them to change your
> password but not read it, so you'd know pretty soon if they'd been up to
> anything.
>
> If they really do need the root password, you have to give it to them,
> but that doesn't stop you changing it, and running a rootkit scan, as
> soon as they've finished with it.

I've run chkrootkit, but I noticed:

The file of stored file properties (rkhunter.dat) does not exist, and
so must be created. To do this type in 'rkhunter --propupd'.

I thought the best practice with a rootkit checker like chkrootkit was
to not leave it installed on the system, so you can run it as a clean
install when the time comes?

Do any of these warnings sound an alarm for anyone? I think the SSH
warnings are OK because I have a normal user specified with AllowUsers
and the config file says:

# The default requires explicit activation of protocol 1
#Protocol 2

Here are the warnings:

Warning: The command '/usr/bin/ldd' has been replaced by a script:
/usr/bin/ldd: Bourne-Again shell script text executable

Warning: The command '/usr/bin/whatis' has been replaced by a script:
/usr/bin/whatis: POSIX shell script text executable

Warning: The command '/usr/bin/lwp-request' has been replaced by a
script: /usr/bin/lwp-request: a /usr/bin/perl -w script text
executable

Warning: No output found from the lsmod command or the /proc/modules file:
/proc/modules output:
lsmod output:

Warning: The SSH configuration option 'PermitRootLogin' has not been
set. The default value may be 'yes', to allow root access.

Warning: The SSH configuration option 'Protocol' has not been set. The
default value may be '2,1', to allow the use of protocol version 1.

Warning: Hidden directory found: /dev/.udev

- Grant
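The two SSH warnings above hinge on one detail: a commented line such as `#Protocol 2` is documentation, not a setting, so sshd falls back to its compiled-in default, while an `AllowUsers` list that omits root still refuses root at the login stage. This added example (not from the thread or from rkhunter) reproduces that reasoning over a constructed sshd_config; the fallback defaults it assumes are the ones the warnings themselves name, and the user name is a placeholder.

```python
"""Audit an sshd_config for the PermitRootLogin/Protocol points raised above.
Added example; defaults for an *unset* option follow the rkhunter warnings
quoted in the thread (PermitRootLogin 'yes', Protocol '2,1' on old OpenSSH)."""
import re

ASSUMED_DEFAULTS = {"permitrootlogin": "yes", "protocol": "2,1"}

def parse_sshd_config(text):
    """Return {option_lower: value} for active lines only.
    Lines starting with '#' (like '#Protocol 2') are comments, not settings."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s*=?\s*(.*)", line)
        if m:
            # sshd honours the first occurrence of an option, so keep the first.
            opts.setdefault(m.group(1).lower(), m.group(2).strip())
    return opts

def audit(text):
    """Return a list of finding strings; an empty list means nothing to flag."""
    opts = parse_sshd_config(text)
    findings = []
    allow_users = opts.get("allowusers", "").split()
    if "permitrootlogin" not in opts:
        # Unset: the default applies. AllowUsers without 'root' still blocks
        # root logins, but an explicit 'no' does not depend on that list.
        if allow_users and "root" not in allow_users:
            findings.append("PermitRootLogin unset (default may be yes) but "
                            "AllowUsers excludes root; set it to 'no' explicitly")
        else:
            findings.append("PermitRootLogin unset; default may be yes")
    elif opts["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin is yes")
    protocol = opts.get("protocol", ASSUMED_DEFAULTS["protocol"])
    if "1" in protocol.split(","):
        findings.append("SSH protocol 1 enabled (Protocol=%s%s)"
                        % (protocol, "" if "protocol" in opts else ", by default"))
    return findings

# Constructed sample mirroring the thread: AllowUsers set, Protocol only commented.
SAMPLE = """\
# The default requires explicit activation of protocol 1
#Protocol 2
AllowUsers someuser
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("Warning:", finding)
```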