On 2007-07-28, Jeff D <[EMAIL PROTECTED]> wrote:
> also, what version of debian are you running? Is this machine behind a
> firewall or do you have a firewall running on it? You may also

I'm running Lenny on a laptop, usually connected to various wireless routers. I recently noticed that firestarter wasn't actually starting automatically, something to do with the network not being up when I boot, and I don't always remember to turn it on after I connect to the wireless router. Also, even when I am running firestarter I have to turn it off in order to access my university via VPN.

I've pasted the results of all the tests you suggested below. I don't understand much, but the md5sum mismatch for the rkhunter files is definitely worrying. Am I going to have to re-install?

Thanks,
Tyler

> you can also install the debsums package, it will do a md5sum check
> against installed packages.

root:chapter3# debsums -s
debsums: no md5sums for amarok-engines
debsums: no md5sums for at
debsums: no md5sums for base-files
debsums: no md5sums for bc
debsums: no md5sums for bin86
debsums: no md5sums for binutils
debsums: no md5sums for bsdutils
debsums: no md5sums for bzip2
debsums: can't open cltl file /usr/share/doc/cltl/README.Debian (No such file or directory)
debsums: can't open cltl file /usr/share/doc/cltl/copyright (No such file or directory)
debsums: can't open cltl file /usr/share/doc/cltl/changelog.gz (No such file or directory)
debsums: no md5sums for console-data
debsums: no md5sums for dc
debsums: no md5sums for debian-archive-keyring
debsums: no md5sums for debian-policy
debsums: no md5sums for dict
debsums: no md5sums for doc-debian
debsums: can't open ebook-dev-alp file /usr/share/doc/ebook-dev-alp/advanced-linux-programming.pdf.gz (No such file or directory)
debsums: no md5sums for ed
debsums: no md5sums for figlet
debsums: no md5sums for g++
debsums: no md5sums for g77
debsums: no md5sums for gawk
debsums: no md5sums for gawk-doc
debsums: no md5sums for gnupg
debsums: no md5sums for gnuplot
debsums: no md5sums for gpgv
debsums: no md5sums for hibernate
debsums: no md5sums for initscripts
debsums: no md5sums for installation-guide-i386
debsums: no md5sums for installation-report
debsums: no md5sums for klogd
debsums: no md5sums for libaudio2
debsums: no md5sums for libbz2-1.0
debsums: no md5sums for libbz2-dev
debsums: no md5sums for libdb4.2
debsums: no md5sums for libdb4.3
debsums: no md5sums for libdb4.4
debsums: checksum mismatch libgcj-common file /usr/share/doc/libgcj-common/copyright
debsums: checksum mismatch libgcj-common file /usr/share/doc/libgcj-common/changelog.Debian.gz
debsums: no md5sums for libgdbm3
debsums: no md5sums for libgsm1
debsums: no md5sums for libhdf4g
debsums: no md5sums for libident
debsums: no md5sums for liblockfile1
debsums: no md5sums for libncurses5
debsums: no md5sums for libncurses5-dev
debsums: no md5sums for libncursesw5
debsums: no md5sums for libnetcdf3
debsums: no md5sums for libvolume-id0
debsums: no md5sums for lynx
debsums: no md5sums for make-doc
debsums: no md5sums for mawk
debsums: no md5sums for mime-support
debsums: no md5sums for module-init-tools
debsums: no md5sums for mount
debsums: no md5sums for mpack
debsums: no md5sums for ncurses-base
debsums: no md5sums for ncurses-bin
debsums: no md5sums for ncurses-term
debsums: no md5sums for netbase
debsums: no md5sums for openbsd-inetd
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prauctex.cfg
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prauctex.def
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prcounters.def
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/preview.sty
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prfootnotes.def
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prlyx.def
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prshowbox.def
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prshowlabels.def
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prtightpage.def
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/prtracingall.def
debsums: no md5sums for r-recommended
debsums: no md5sums for rcs
debsums: checksum mismatch rkhunter file /var/lib/rkhunter/db/mirrors.dat
debsums: checksum mismatch rkhunter file /var/lib/rkhunter/db/os.dat
debsums: checksum mismatch rkhunter file /var/lib/rkhunter/db/programs_good.dat
debsums: checksum mismatch rkhunter file /var/lib/rkhunter/db/defaulthashes.dat
debsums: no md5sums for rsync
debsums: no md5sums for ssh
debsums: no md5sums for strace
debsums: no md5sums for sun-java5-fonts
debsums: no md5sums for sun-java5-plugin
debsums: no md5sums for svgalibg1
debsums: no md5sums for sysklogd
debsums: no md5sums for sysv-rc
debsums: no md5sums for sysvinit
debsums: no md5sums for sysvinit-utils
debsums: no md5sums for udev
debsums: no md5sums for update-inetd
debsums: no md5sums for util-linux
debsums: no md5sums for whois

>
> you could also try something like this:
> lsof -n -p `pidof login | sed s/\ /\,/g` or lsof -n -p 3888 (since that
> is the process id that rkhunter is reporting listening)

root:chapter3# lsof -n -p 3888
COMMAND PID  USER FD  TYPE DEVICE     SIZE    NODE   NAME
login   3888 root cwd DIR  0,13       4040    955    /dev
login   3888 root rtd DIR  8,3        4096    2      /
login   3888 root txt REG  8,3        35204   193543 /bin/login
login   3888 root mem REG  8,3        38416   532977 /lib/i686/cmov/libnss_files-2.6.so
login   3888 root mem REG  8,3        34352   532979 /lib/i686/cmov/libnss_nis-2.6.so
login   3888 root mem REG  8,3        30436   532975 /lib/i686/cmov/libnss_compat-2.6.so
login   3888 root mem REG  8,3        220764  596845 /lib/libsepol.so.1
login   3888 root mem REG  8,3        83512   597381 /lib/libselinux.so.1
login   3888 root mem REG  8,3        83712   532974 /lib/i686/cmov/libnsl-2.6.so
login   3888 root mem REG  8,3        9708    598622 /lib/security/pam_mail.so
login   3888 root mem REG  8,3        4244    598624 /lib/security/pam_motd.so
login   3888 root mem REG  8,3        9696    532987 /lib/i686/cmov/libutil-2.6.so
login   3888 root mem REG  8,3        8640    598618 /lib/security/pam_lastlog.so
login   3888 root mem REG  8,3        17204   598619 /lib/security/pam_limits.so
login   3888 root mem REG  8,3        51484   598645 /lib/security/pam_unix.so
login   3888 root mem REG  8,3        9684    532935 /lib/i686/cmov/libdl-2.6.so
login   3888 root mem REG  8,3        1331968 532932 /lib/i686/cmov/libc-2.6.so
login   3888 root mem REG  8,3        8264    598609 /lib/libpam_misc.so.0.79
login   3888 root mem REG  8,3        29700   596838 /lib/libpam.so.0.79
login   3888 root mem REG  8,3        21908   532934 /lib/i686/cmov/libcrypt-2.6.so
login   3888 root mem REG  8,3        11024   596837 /lib/libcap.so.1.10
login   3888 root mem REG  8,3        11232   598616 /lib/security/pam_group.so
login   3888 root mem REG  8,3        10372   598613 /lib/security/pam_env.so
login   3888 root mem REG  8,3        5908    598625 /lib/security/pam_nologin.so
login   3888 root mem REG  8,3        7144    598629 /lib/security/pam_securetty.so
login   3888 root mem REG  8,3        117336  774195 /lib/ld-2.6.so
login   3888 root 0u  CHR  4,1                1059   /dev/tty1
login   3888 root 1u  CHR  4,1                1059   /dev/tty1
login   3888 root 2u  CHR  4,1                1059   /dev/tty1
login   3888 root 4r  REG  8,3        1237    517938 /etc/passwd
login   3888 root 5u  unix 0xf7ddac80         9347   socket
root:chapter3#

root:chapter3# lsof -n -p `pidof login` | sed s/\ /\,/g
COMMAND,,PID,USER,,,FD,,,TYPE,,,,,DEVICE,,,,SIZE,,,NODE,NAME
login,,,3888,root,,cwd,,,,DIR,,,,,,,0,13,,,,4040,,,,955,/dev
login,,,3888,root,,rtd,,,,DIR,,,,,,,,8,3,,,,4096,,,,,,2,/
login,,,3888,root,,txt,,,,REG,,,,,,,,8,3,,,35204,193543,/bin/login
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,38416,532977,/lib/i686/cmov/libnss_files-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,34352,532979,/lib/i686/cmov/libnss_nis-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,30436,532975,/lib/i686/cmov/libnss_compat-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,220764,596845,/lib/libsepol.so.1
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,83512,597381,/lib/libselinux.so.1
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,83712,532974,/lib/i686/cmov/libnsl-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,9708,598622,/lib/security/pam_mail.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,4244,598624,/lib/security/pam_motd.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,9696,532987,/lib/i686/cmov/libutil-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,8640,598618,/lib/security/pam_lastlog.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,17204,598619,/lib/security/pam_limits.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,51484,598645,/lib/security/pam_unix.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,9684,532935,/lib/i686/cmov/libdl-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,1331968,532932,/lib/i686/cmov/libc-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,8264,598609,/lib/libpam_misc.so.0.79
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,29700,596838,/lib/libpam.so.0.79
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,21908,532934,/lib/i686/cmov/libcrypt-2.6.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,11024,596837,/lib/libcap.so.1.10
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,11232,598616,/lib/security/pam_group.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,10372,598613,/lib/security/pam_env.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,5908,598625,/lib/security/pam_nologin.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,,,7144,598629,/lib/security/pam_securetty.so
login,,,3888,root,,mem,,,,REG,,,,,,,,8,3,,117336,774195,/lib/ld-2.6.so
login,,,3888,root,,,,0u,,,CHR,,,,,,,,4,1,,,,,,,,,,,1059,/dev/tty1
login,,,3888,root,,,,1u,,,CHR,,,,,,,,4,1,,,,,,,,,,,1059,/dev/tty1
login,,,3888,root,,,,2u,,,CHR,,,,,,,,4,1,,,,,,,,,,,1059,/dev/tty1
login,,,3888,root,,,,4r,,,REG,,,,,,,,8,3,,,,1237,517938,/etc/passwd
login,,,3888,root,,,,5u,,unix,0xf7ddac80,,,,,,,,,,,9347,socket
root:chapter3#

>
> do you have nmap installed on the local machine? you could run a nmap -sV
> localhost against it and it should report back with something as well.

root:chapter3# nmap -sV localhost

Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-29 00:26 ADT
Interesting ports on localhost (127.0.0.1):
Not shown: 1691 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 4.6p1 Debian 4 (protocol 2.0)
25/tcp  open  smtp    Exim smtpd 4.67
80/tcp  open  http    Apache httpd 1.3.34 ((Debian))
111/tcp open  rpcbind 2 (rpc #100000)
113/tcp open  ident   OpenBSD identd
929/tcp open  unknown
Service Info: Host: blackbart.mynetwork; OSs: Linux, OpenBSD

Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 6.208 seconds
root:chapter3#

>
> Jeff
>
> -+-
> 8 out of 10 Owners who Expressed a Preference said Their Cats Preferred
> Techno.
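An added example, not part of the thread above and not the debsums project's own code: a small POSIX shell script that sorts a `debsums -s` run of the kind pasted above into categories, so that the handful of lines worth chasing are separated from the noise. The categorisation it applies is the one a practitioner would use by hand. "no md5sums for" means the package shipped no md5sums list, so nothing was verified there at all. A mismatch under /var is data the program rewrites itself (rkhunter --update refreshes its data files under /var/lib/rkhunter/db, which is why those four .dat files no longer match the package's list). A mismatch under /usr/share/doc or /etc is not executable code. A mismatch under /bin, /sbin, /lib, /usr/bin, /usr/sbin or /usr/lib is the kind that needs attention first. The script needs only awk; the sample input is a constructed copy of a few lines from the run above plus one invented /bin/ls line that exists only to exercise the EXEC category.

```shell
#!/bin/sh
# Added example: classify "debsums -s" output so integrity-relevant lines
# stand out. Not part of the original thread. Needs only POSIX sh and awk.
#
# Output is tab-separated: CATEGORY, package, path. Categories:
#   NOMD5    package ships no md5sums file, so nothing could be checked
#   MISSING  a packaged file is gone ("can't open ... No such file")
#   DOC      mismatch under /usr/share/doc (never executed, low priority)
#   STATE    mismatch under /var (data the program rewrites itself, e.g.
#            rkhunter --update refreshing /var/lib/rkhunter/db/*.dat)
#   CONF     mismatch under /etc (locally edited configuration)
#   EXEC     mismatch under /bin, /sbin, /lib, /usr/bin, /usr/sbin, /usr/lib:
#            look at these first
#   OTHER    mismatch anywhere else
#   UNPARSED line the script does not recognise

classify_debsums() {
    awk '
    /^debsums: no md5sums for / {
        pkg = $0; sub(/^debsums: no md5sums for /, "", pkg)
        print "NOMD5\t" pkg "\t-"; next
    }
    /^debsums: can.t open .* file / {
        line = $0; sub(/^debsums: can.t open /, "", line)
        n = index(line, " file ")
        pkg = substr(line, 1, n - 1)
        path = substr(line, n + 6)
        sub(/ \(.*$/, "", path)      # drop "(No such file or directory)"
        print "MISSING\t" pkg "\t" path; next
    }
    /^debsums: checksum mismatch .* file / {
        line = $0; sub(/^debsums: checksum mismatch /, "", line)
        n = index(line, " file ")
        pkg = substr(line, 1, n - 1)
        path = substr(line, n + 6)
        cat = "OTHER"
        if (path ~ /^\/usr\/share\/doc\//)      cat = "DOC"
        else if (path ~ /^\/var\//)             cat = "STATE"
        else if (path ~ /^\/etc\//)             cat = "CONF"
        else if (path ~ /^\/(bin|sbin|lib|usr\/bin|usr\/sbin|usr\/lib)\//)
                                                cat = "EXEC"
        print cat "\t" pkg "\t" path; next
    }
    { print "UNPARSED\t-\t" $0 }
    '
}

# Number of classified lines in category $1 (reads classified lines on stdin).
count_category() {
    awk -v c="$1" -F'\t' '$1 == c { n++ } END { print n + 0 }'
}

# Per-category totals, largest first.
debsums_summary() {
    classify_debsums | cut -f1 | sort | uniq -c | sort -rn
}

# Constructed sample: a few lines copied from the run in the thread, plus an
# invented coreutils /bin/ls line (not in the thread) to show the EXEC case.
sample_debsums() {
cat <<'EOF'
debsums: no md5sums for at
debsums: no md5sums for ssh
debsums: can't open cltl file /usr/share/doc/cltl/README.Debian (No such file or directory)
debsums: checksum mismatch libgcj-common file /usr/share/doc/libgcj-common/copyright
debsums: checksum mismatch preview-latex-style file /usr/share/texmf/tex/latex/preview/preview.sty
debsums: checksum mismatch rkhunter file /var/lib/rkhunter/db/mirrors.dat
debsums: checksum mismatch rkhunter file /var/lib/rkhunter/db/defaulthashes.dat
debsums: checksum mismatch coreutils file /bin/ls
EOF
}

# On a live system (debsums reports on stderr):  debsums -s 2>&1 | classify_debsums
# Demo on the constructed sample:
sample_debsums | classify_debsums
echo "--- summary ---"
sample_debsums | debsums_summary
```

Two caveats belong with any such run. debsums compares files against the md5sums list the package itself installed, using the md5sum binary on the same host, so on a machine suspected of being rooted a clean result is weak evidence; the stronger check is against a freshly downloaded .deb, or from a rescue medium. The debsums manual page documents a --generate option that builds md5sums lists for packages lacking them from a .deb still in the apt cache, which fills the NOMD5 gap going forward but says nothing about what was on disk before. For the process check in the thread, `lsof -n -i -a -p 3888` restricts the listing to that process's network sockets (-a ANDs the selectors); the listing above shows only a unix socket on fd 5. For the unidentified 929/tcp next to an open rpcbind, `rpcinfo -p localhost` lists the registered RPC programs and the ports they hold.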

