Interpreting output of tiger scripts (WAS:Re: Is my system compromised)
According to Todd Weaver,
> You can try tiger...
> sudo apt-get update
> sudo apt-get install tiger
> sudo tiger
I have no reason to believe that my box is compromised, but I thought
that I would try out tiger to close off what I could. Now I need
someone to point me to someplace that can help me interpret the log file.
I got an awful lot of lines about unowned files and files with invalid
groups. Those were easy to deal with. They were all files that on
installation kept the user and group of the maintainer. I have chowned
them all to root:root. That cut the size of the logfile down from 111K
to 16K.
Now, I have several lines like these:
# Checking entries from /etc/passwd.
--WARN-- [pass014w] Login (backup) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (epos) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (fetchmail) is disabled, but has a valid shell.
and these:
# Checking accounts from /etc/passwd.
--WARN-- [acc021w] Login ID epos appears to be a dormant account.
--WARN-- [acc021w] Login ID fetchmail appears to be a dormant account.
--WARN-- [acc006w] Login ID mail's home directory (/var/mail) has group `mail' and world write access.
--WARN-- [acc022w] Login ID nobody home directory (/nonexistent) is not accessible.
I also wonder about these:
# Performing check of `cron' entries...
--WARN-- CRON file `/var/spool/cron/crontabs/mns' is owned by mns.
--WARN-- [cron004w] Root crontab does not exist
--WARN-- [cron005w] Use of cron is not restricted
# Performing check of 'inetd'...
# Checking inetd entries from /etc/inetd.conf
--WARN-- [inet099w] 'printer' is not protected by tcp wrappers.
--WARN-- [inet009] inetd entry for printer service uses `/usr/lib/cups/daemon/cups-lpd' which contains `/usr' which is group `root' writable.
--WARN-- [inet009] inetd entry for printer service uses `/usr/lib/cups/daemon/cups-lpd' which contains `/usr/lib' which is group `root' writable.
--WARN-- [inet099w] 'smtp' is not protected by tcp wrappers.
--WARN-- [inet009] inetd entry for smtp service uses `/usr/sbin/exim' which contains `/usr' which is group `root' writable.
--WARN-- [inet009] inetd entry for vboxd service uses `/usr/sbin/tcpd' which contains `/usr' which is group `root' writable.
# Performing check of 'services' ...
# Checking services from /etc/services.
--WARN-- [inet003w] The port for service postgres is also assigned to service postgresql.
--WARN-- [inet003w] The port for service postgres is also assigned to service postgresql.
--WARN-- [inet003w] The port for service sane is also assigned to service sane-port.
Most of the remaining warnings, however, are many, many lines like these:
# Performing signature check of system binaries...
--WARN-- [sig004w] None of the following versions of /bin/bash (-rwxr-xr-x) matched the /bin/bash on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /bin/login (-rwsr-xr-x) matched the /bin/login on this machine.
>>>>>> Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /bin/ls (-rwxr-xr-x) matched the /bin/ls on this machine.
>>>>>> Linux 2.4.17
Since I am running kernel 2.6.8 (the most recent available in Sarge), I
am curious as to why it is trying to match the files to 2.4.17.
If anyone can point me in the right direction, I would appreciate it.
--
Marc Shapiro
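Added example (not part of the post above and not tiger's own code): a small Python helper for triaging a tiger log of the kind quoted in the message. It rejoins the wrapped warning lines, groups messages by tiger ID so the noisiest checks can be dealt with first, and re-implements the pass014w test (a login whose password is locked in /etc/shadow but whose shell is still listed in /etc/shells) on constructed passwd, shadow and shells data. The message format ('--LEVEL-- [id] text', '# ' section headers, '>>>>>>' detail lines) and the use of /etc/shells as the definition of a "valid shell" are assumptions made here; the sample log is constructed from the warnings quoted in the post.

```python
"""Tiger log triage helpers (added example, not tiger's code).

Assumed tiger message layout: '--LEVEL-- [id] text', with '# ' lines naming
the current check, unprefixed lines continuing the previous message, and
'>>>>>>' lines carrying detail for it.  All sample data is constructed.
"""
import re
from collections import Counter

MSG_RE = re.compile(r"^--(WARN|FAIL|ALERT|ERROR|INFO)--\s+(?:\[(\w+)\]\s+)?(.*)$")

# Constructed from the warnings quoted in the post, including the wrapped lines.
SAMPLE_LOG = """\
# Checking entries from /etc/passwd.
--WARN-- [pass014w] Login (backup) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (epos) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (fetchmail) is disabled, but has a valid shell.
# Checking accounts from /etc/passwd.
--WARN-- [acc021w] Login ID epos appears to be a dormant account.
--WARN-- [acc006w] Login ID mail's home directory (/var/mail) has group
`mail'
and world write access.
# Performing check of `cron' entries...
--WARN-- CRON file `/var/spool/cron/crontabs/mns' is owned by mns.
--WARN-- [cron005w] Use of cron is not restricted
# Performing signature check of system binaries...
--WARN-- [sig004w] None of the following versions of /bin/bash (-rwxr-xr-x)
matched the /bin/bash on this machine.
>>>>>> Linux 2.4.17
"""

# Constructed passwd/shadow/shells fragments (hashes are placeholders).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh
fetchmail:x:103:65534::/var/run/fetchmail:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$placeholder$hash:13000:0:99999:7:::
backup:*:13000:0:99999:7:::
fetchmail:!:13000:0:99999:7:::
alice:$1$placeholder$hash:13000:0:99999:7:::
"""
SAMPLE_SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/bin/dash
"""


def parse_tiger_log(text):
    """Return a list of {section, level, id, text} with wrapped lines rejoined."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            section = line.lstrip("# ").rstrip(".")
            continue
        m = MSG_RE.match(line)
        if m:
            level, ident, body = m.groups()
            entries.append({"section": section, "level": level,
                            "id": ident or "-", "text": body})
        elif entries:
            # Wrapped continuation or '>>>>>>' detail: glue it to the previous message.
            entries[-1]["text"] += " " + line
    return entries


def summarize(entries):
    """Count messages per tiger ID; '-' collects messages that carry no ID."""
    return Counter(e["id"] for e in entries)


def disabled_logins_with_valid_shell(passwd_text, shadow_text, shells_text):
    """Re-implement the pass014w condition (assumed): the shadow hash field is
    locked ('!' or '*' prefix, so no password can match) yet the passwd shell
    is listed in /etc/shells.  Remediation on such accounts is usually
    'usermod -s /usr/sbin/nologin LOGIN' (or /bin/false), not removing the lock."""
    shells = {s.strip() for s in shells_text.splitlines()
              if s.strip() and not s.startswith("#")}
    locked = set()
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[1][:1] in ("!", "*"):
            locked.add(fields[0])
    flagged = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[0] in locked and f[6] in shells:
            flagged.append((f[0], f[6]))
    return flagged


if __name__ == "__main__":
    found = parse_tiger_log(SAMPLE_LOG)
    for ident, n in summarize(found).most_common():
        print(f"{n:3d}  {ident}")
    print(disabled_logins_with_valid_shell(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_SHELLS))
```

Run against a real log with `parse_tiger_log(open("/var/log/tiger/security.report...").read())` (path as installed on your system) and against the real /etc/passwd, /etc/shadow (root only) and /etc/shells; an account such as fetchmail with /bin/false is not flagged because /bin/false is not in /etc/shells, which is exactly why switching a locked service account's shell to nologin or false clears the warning.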