[ubuntu-in] Firewall Rules and problems being reported by rkhunter & chkrootkit
"Mallikarjun(ಮಲ್ಲಿಕಾರ್ಜುನ್)"
mallik.v.arjun at gmail.com
Thu Feb 10 15:45:50 UTC 2011
I am not a security expert but would like to give my suggestions.
On 02/10/2011 06:07 AM, Ramnarayan.K wrote:
> Hi
>
> Some days back i posted a problem / warnings reported by chkrootkit
>
> A port 4000 came up with this error message
> Checking `bindshell'... INFECTED
> (PORTS: 4000)
>
You can check your system to see if some service is listening on port 4000,
or check all listening ports:
  netstat -tua
  t for tcp
  u for udp
> I also ran rkhunter
>
> these were the "warnings" i got
>
> [11:03:54] /usr/sbin/unhide [ Warning ]
> [11:03:54] Warning: The file '/usr/sbin/unhide' exists on the system,
> but it is not present in the rkhunter.dat file.
>
> [11:03:55] /usr/sbin/unhide-linux26 [ Warning ]
> [11:03:55] Warning: The file '/usr/sbin/unhide-linux26' exists on the
> system, but it is not present in the rkhunter.dat file.
I don't think these 2 are problems to be worried about.
If you have doubts, find the md5sum, install a new virtual OS, install
and find the md5sum. I guess there are other ways to check file integrity,
like tripwire.
> and the following
> [11:06:53] Checking /dev for suspicious file types [ Warning ]
> [11:06:53] Warning: Suspicious file types found in /dev:
> [11:06:53] /dev/shm/pulse-shm-2140383202: data
> [11:06:53] /dev/shm/pulse-shm-3707541799: data
> [11:06:53] /dev/shm/pulse-shm-797584089: data
> [11:06:54] /dev/shm/pulse-shm-1322839818: data
> [11:06:54] /dev/shm/pulse-shm-1033208539: data
> [11:06:54] /dev/shm/pulse-shm-2106326488: data
> [11:06:54] /dev/shm/pulse-shm-743709925: data
> [11:06:54] /dev/shm/pulse-shm-351083088: data
> [11:06:54] /dev/shm/pulse-shm-1331942024: data
> [11:06:54] /dev/shm/pulse-shm-1912260521: data
> [11:06:54] /dev/shm/mono.2443: data
> [11:06:54] /dev/shm/mono.2467: data
> [11:06:54] /dev/shm/pulse-shm-2905615276: data
> [11:06:54] /dev/shm/pulse-shm-1210813197: data
> [11:06:54] /dev/shm/pulse-shm-289830629: data
> [11:06:54] /dev/shm/pulse-shm-4191095999: data
> [11:06:54] Checking for hidden files and directories [ Warning ]
> [11:06:54] Warning: Hidden directory found: /etc/.java
> [11:06:54] Warning: Hidden directory found: /dev/.udev
> [11:06:54] Warning: Hidden directory found: /dev/.initramfs
> [11:07:05]
I got these warnings too; they should not be a problem, I guess. .java doesn't
have any content in it. No comments.
> [11:07:05] Checking application versions...
> [11:07:05] Checking version of GnuPG [ Warning ]
> [11:07:05] Warning: Application 'gpg', version '1.4.9', is out of
> date, and possibly a security risk.
>
> [11:07:06] Checking version of OpenSSL [ Warning ]
> [11:07:06] Warning: Application 'openssl', version '0.9.8g', is out of
> date, and possibly a security risk.
>
> I don't use opengpg and openssl so i guess thats ok
*You should worry about these, definitely.*
If opengpg-server is installed, the service will be listening for outside
connections.
Since openssl is a library, some applications might use it, probably
like firefox (I found it doesn't), openjdk, thunderbird.
Who knows, your favorite application might use openssl.
> but what's the trip with the hidden files in .java /.udev and .initramfs ??
My call: just forget about those.
Most importantly, monitor your network connections; there is no other way
one can access your system. Also make sure the network monitor tool is not
compromised :P
> one suggestion i got was to deny inbound traffic
>
> how does one do that
>
> in firestarter it only provides options to allow inbound traffic not deny ??
>
> and from Ubuntu forums (thread
> http://ubuntuforums.org/showthread.php?t=1674668) i was suggested
> this (
>
> Quote" did you update your firewall rules? (in any case block
> everything inbound "sudo ufw deny in from any" , "sudo ufw default
> deny")"
>
> how does one do this because i get an error when applying "sudo ufw
> deny in from any" ,
>
>
> while this works but asks me to update my firewall rules
> "sudo ufw default deny"
Your system must have been using old firewall rules, since you are still
on 9.10.
Update them at the least.
>
> Am running 9.10 am wondering if older versions are more vulnerable to
> being attacked ??
*Definitely you have to update to newer operating system.*
> look forward to responses and advice
>
> ram
>
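The check the reply suggests (run `netstat -tua`, see whether anything listens on port 4000) can be turned into a small allow-list comparison so that an unexpected listener stands out instead of being read by eye. The script below is an added example, not code from the list post or from rkhunter/chkrootkit; the `netstat -tuan`-style output it parses is constructed sample data for a hypothetical host, and the allow-list of expected ports is likewise an assumption.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): report listening sockets
# that are not on an allow-list, using `netstat -tuan`-format input.

# Constructed sample of `netstat -tuan` output for a hypothetical host.
# It is not a capture from the original poster's machine.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4000            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:41234       93.184.216.34:443       ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Assumed allow-list of "proto port" pairs this host is expected to serve
# (cups on 631, ssh on 22, dhcp client on udp 68). Port 4000 is not on it.
ALLOW='tcp 22
tcp 631
udp 68'

# Print "proto port" for each socket that accepts traffic: TCP sockets in
# LISTEN state and every UDP socket (UDP rows have no state column).
listening_ports() {
    printf '%s\n' "$1" | awk '
        ($1 ~ /^tcp/ && $6 == "LISTEN") || $1 ~ /^udp/ {
            p = $4
            sub(/.*:/, "", p)   # keep only the port; also handles ":::22"
            print $1, p
        }'
}

# Print the listeners from $1 (netstat output) that do not appear in the
# allow-list $2 (one "proto port" per line). Prints nothing when all match.
unexpected_listeners() {
    netstat_out="$1"
    allow="$2"
    listening_ports "$netstat_out" | sort -u | while read -r proto port; do
        printf '%s\n' "$allow" | grep -qx "$proto $port" || echo "$proto $port"
    done
}

# Demo on the constructed sample: reports "tcp 4000".
unexpected_listeners "$SAMPLE" "$ALLOW"
```

On a live Ubuntu box the same function can be fed real output with `unexpected_listeners "$(netstat -tuan)" "$ALLOW"`; anything it prints is a port to account for, and `netstat -tuanp` as root (or `lsof -i :4000`) will show which process owns it, which is the question chkrootkit's bindshell warning leaves open.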