Koozali.org: home of the SME Server

Hacking e-smith 5.6

Charlie Hartill

Hacking e-smith 5.6
« on: April 18, 2003, 04:48:10 PM »
In trying to learn more about Linux, I'm looking at two mitel boxes to check for root kits etc. just following the advice I find on the net.

When I use rpm to verify binaries I get the output below.

My question is: is there anything special to the e-smith/mitel customization which would cause a newbie to get a false positive for hacking? And what tests would gurus recommend (specific to e-smith rather than just "turn off ftp" etc.)?

Charlie

[root@AMHURST root]# rpm -Va > /root/rpm_chk.txt &
[1] 12851
[root@AMHURST root]# ls /root/rpm*
/root/rpm_chk.txt
[root@AMHURST root]# cat /root/rpm_chk.txt
.......T   /var/qmail/queue/lock/tcpto
....L.G. c /etc/localtime
.M......   /etc/rc.d/init.d
S.5....T c /etc/rc.d/init.d/dhcpd
S.5...GT c /var/lib/dhcp/dhcpd.leases
S.5....T   /var/qmail/etc/service/qmail/log/supervise/status
S.5....T   /var/qmail/etc/service/qmail/supervise/status
S.5....T c /etc/flexbackup.conf
S.5....T c /etc/ntp.conf
S.5....T c /etc/logrotate.d/syslog
S.5....T c /etc/sysconfig/syslog
S.5....T c /etc/syslog.conf
S.5....T c /etc/pam.d/passwd
.M......   /etc/ppp
S.5...GT c /etc/ppp/chap-secrets
S.5....T c /etc/httpd/conf/access.conf
S.5....T c /etc/httpd/conf/httpd.conf
S.5....T c /etc/httpd/conf/srm.conf
S.5....T c /etc/logrotate.d/apache
S.5....T c /etc/openldap/slapd.conf
S.5....T c /etc/squid/squid.conf
S.5....T c /etc/my.cnf
SM5...GT c /home/httpd/html/horde/config/horde.php
SM5...GT c /home/httpd/html/horde/config/mime_drivers.php
SM5...GT c /home/httpd/html/horde/config/registry.php
.M......   /home/httpd/html/horde/scripts
.M......   /home/httpd/html/horde/scripts/db
S.5....T c /home/httpd/html/horde/imp/config/conf.php
S.5....T c /home/httpd/html/horde/imp/config/header.txt
S.5....T c /home/httpd/html/horde/imp/config/prefs.php
S.5....T c /home/httpd/html/horde/imp/config/servers.php
S.5....T c /home/httpd/html/horde/imp/config/trailer.txt
SM5...GT c /home/httpd/html/horde/turba/config/conf.php
SM5...GT c /home/httpd/html/horde/turba/config/sources.php
S.5....T c /etc/pam.d/login
S.5....T c /etc/sysconfig/pcmcia
S.5....T c /etc/atalk/AppleVolumes.default
S.5....T c /etc/atalk/afpd.conf
S.5....T c /etc/atalk/atalkd.conf
S.5....T c /etc/atalk/config
S.5....T c /etc/atalk/papd.conf
SM5....T c /etc/ssh/sshd_config
SM5....T c /etc/ftpusers
S.5....T c /etc/pam.d/ftp
SM5....T c /etc/proftpd.conf
S.5....T c /etc/xinetd.conf
Unsatisfied dependencies for megaide-1.03d-02: kernel = 2.2.19-7.0.8

Ray Mitchell

Re: Hacking e-smith 5.6
« Reply #1 on: April 18, 2003, 06:41:41 PM »
This may be useful
see
http://www.e-smith.org/faq.php3
look at security, bugs section
regards
Ray Mitchell

Charlie Brady

Re: Hacking e-smith 5.6
« Reply #2 on: April 19, 2003, 10:29:13 PM »
Charlie Hartill wrote:

> When I use rpm to verify binaries I get the output below.
>
> My question is is there anything special to the e-smith/mitel
> customization which would cause a newbie to get a false
> positive for hacking.

False positives in such tests are common. Writers of security scanners tend to err on the side of caution, and sometimes use simplistic tests to "determine" vulnerability (e.g. version number).

> And what tests would gurus recommend

You've made a good start by using "rpm -Va". You've made a bad start by publishing this information in a public forum. Fortunately, there's nothing to concern you here.

For starters you can probably ignore anything with a "c" column. They are config files, and you expect the size, timestamp and MD5 sum to be different to the file packaged in the rpm.

> [root@AMHURST root]# cat /root/rpm_chk.txt
> .......T   /var/qmail/queue/lock/tcpto

That's a working file, and you can expect the timestamp to change.

> ....L.G. c /etc/localtime

glibc puts a file there, we use a symlink to the correct timezone file instead.

> .M......   /etc/rc.d/init.d

That's because the initscripts and chkconfig RPMs disagree about correct mode of that directory. The difference (setgid) shouldn't matter.  I've raised a bug report.

> S.5...GT c /var/lib/dhcp/dhcpd.leases

What group owns that file? Probably harmless.

> S.5....T   /var/qmail/etc/service/qmail/log/supervise/status
> S.5....T   /var/qmail/etc/service/qmail/supervise/status

They're working files, and you expect them to change.

> .M......   /etc/ppp

Same problem with the initscripts RPM.

> S.5...GT c /etc/ppp/chap-secrets

File is owned "daemon", but expected to be "root". No group read/write permission so it doesn't matter.

> SM5...GT c /home/httpd/html/horde/config/horde.php
> SM5...GT c /home/httpd/html/horde/config/mime_drivers.php
> SM5...GT c /home/httpd/html/horde/config/registry.php

Expected by rpm to be 0640, root.www and are 0644, root.root. No security risk since they are expanded from template, so anyone can find out their contents anyway.

> .M......   /home/httpd/html/horde/scripts
> .M......   /home/httpd/html/horde/scripts/db

The rpm expects these to be setgid, but they aren't. Probably an RPM building error, and not a security problem (since the directories are 0755, root.root, i.e. can only be modified by root).

> SM5...GT c /home/httpd/html/horde/turba/config/conf.php
> SM5...GT c /home/httpd/html/horde/turba/config/sources.php

As for horde.php above.

> SM5....T c /etc/ssh/sshd_config

Permissions allow group/world read, which is not advisable. That's our fault, and I've raised a bug. Not critical, since these are standard templates, so it's not a state secret what's in there.

> SM5....T c /etc/ftpusers

We have the opposite problem here. The RPM is generous with read permissions, and we reduce those when we expand the template.

> SM5....T c /etc/proftpd.conf

The expanded template is world readable. It contains no big secrets. I've raised a bug.

> Unsatisfied dependencies for megaide-1.03d-02: kernel =
> 2.2.19-7.0.8

Unused leftover from a 5.5 upgrade. You can fix by doing "rpm -e megaide".

In future, please mail any security concerns to smesecurity@mitel.com, rather than post in a public forum.

Charlie
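
The triage rules in the reply above (config files with a "c" column are expected to differ in size, digest and mtime; files under /var with no type column are working files; a changed digest on anything else is the thing to worry about) can be applied mechanically to the saved output. The script below is an added example, not code from the original post or from the e-smith/SME Server project. It assumes the rpm 4.x flag order S M 5 D L U G T and the "missing" line format; the category names and the two lines for /bin/ls and /etc/example.conf in the sample input are constructed for illustration and are not from the posted box.

```python
import re

# Flag columns in `rpm -V` output (rpm 4.x order, assumed): S size, M mode,
# 5 MD5 digest, D device number, L symlink target, U user, G group, T mtime.
FLAG_NAMES = {"S": "size", "M": "mode", "5": "md5", "D": "device",
              "L": "symlink", "U": "user", "G": "group", "T": "mtime"}

# Eight flag characters, a space, the file-type column (c config, d doc,
# g ghost, l license, r readme, or blank), a space, then the path.
LINE_RE = re.compile(r"^([S.][M.][5.][D.][L.][U.][G.][T.]) ([cdglr ]) (/\S.*)$")
MISSING_RE = re.compile(r"^missing\s+([cdglr]?)\s*(/\S.*)$")

def parse_verify_line(line):
    """Parse one line of `rpm -Va` output.

    Returns (flags, filetype, path), with flags a set of FLAG_NAMES values
    (or {"missing"}), or None for lines that are not verification records,
    such as the 'Unsatisfied dependencies' message rpm prints at the end.
    """
    m = LINE_RE.match(line)
    if m:
        flags = {FLAG_NAMES[ch] for ch in m.group(1) if ch != "."}
        return flags, (m.group(2).strip() or None), m.group(3)
    m = MISSING_RE.match(line)
    if m:
        return {"missing"}, (m.group(1) or None), m.group(2)
    return None

CONTENT = {"size", "md5", "mtime"}
OWNERSHIP = {"mode", "user", "group"}

def classify(flags, ftype, path):
    """Triage one record using the rules from the reply above.

    - "c" (config) files: content differences are expected because templates
      are expanded over them; only mode/owner/group changes deserve a look.
    - files under /var with no type column are working files (queue locks,
      leases, supervise status): content and mtime churn is expected.
    - anything else with a changed size or MD5 digest is the real rootkit
      signal: a shipped binary or library no longer matches its package.
    Category names are this example's own, not rpm's.
    """
    if "missing" in flags:
        return "missing"
    if ftype == "c":
        return "review-perms" if flags & OWNERSHIP else "expected-config"
    if ftype is None and path.startswith("/var/") and flags <= CONTENT:
        return "expected-working-file"
    if flags & {"md5", "size"}:
        return "SUSPICIOUS"
    if flags <= {"mode", "user", "group", "symlink"}:
        return "review-perms"
    return "review"

def triage(output):
    """Group every path in `rpm -Va` output by classification."""
    groups = {}
    for line in output.splitlines():
        parsed = parse_verify_line(line.rstrip())
        if parsed is None:
            if line.strip():
                groups.setdefault("unparsed", []).append(line.strip())
            continue
        groups.setdefault(classify(*parsed), []).append(parsed[2])
    return groups

# Constructed sample: a subset of the output posted above plus two lines
# (/bin/ls and /etc/example.conf) that are NOT from the original post, added
# only to exercise the SUSPICIOUS and missing branches.
SAMPLE = """\
.......T   /var/qmail/queue/lock/tcpto
....L.G. c /etc/localtime
.M......   /etc/rc.d/init.d
S.5....T c /etc/rc.d/init.d/dhcpd
S.5....T   /var/qmail/etc/service/qmail/supervise/status
SM5...GT c /home/httpd/html/horde/config/horde.php
SM5....T c /etc/ssh/sshd_config
S.5....T   /bin/ls
missing   c /etc/example.conf
Unsatisfied dependencies for megaide-1.03d-02: kernel = 2.2.19-7.0.8
"""

if __name__ == "__main__":
    # Usage on a real box: rpm -Va > /root/rpm_chk.txt; python triage.py
    for category, paths in sorted(triage(SAMPLE).items()):
        print(category)
        for p in paths:
            print("   ", p)
```

The SUSPICIOUS bucket is the one to act on: a shipped binary whose digest differs from the package is what a rootkit looks like to rpm. Note that rpm -Va compares against the local RPM database, which an attacker with root can also edit, so a clean result is evidence, not proof; the review-perms bucket reproduces the mode and ownership findings discussed in the reply (world-readable sshd_config, the setgid mismatch on init.d).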

Charlie Hartill

Re: Hacking e-smith 5.6
« Reply #3 on: April 19, 2003, 11:14:23 PM »
Thank you for that detailed response other Charlie.

However, I'm slightly confused about why this info is inappropriate for a public forum. I can see that posting details of how to install a root kit or a known bug would be irresponsible, but I have no reason to suppose my box has been hacked, I'm just trying to learn.

Since I don't pay for this excellent product I wouldn't expect education for nothing through official channels.

Charlie Brady

Re: Hacking e-smith 5.6
« Reply #4 on: April 20, 2003, 02:11:29 AM »
Charlie Hartill wrote:

> However, I'm slightly confused about why this info is
> inappropriate for a public forum. I can see that posting
> details of how to install a root kit or a known bug would be
> irresponsible, but I have no reason to suppose my box has
> been hacked, I'm just trying to learn.

You might have been publicising the nature of a vulnerability. That would be doing a disservice to your fellow users.

Charlie

Charlie Hartill

Re: Hacking e-smith 5.6
« Reply #5 on: April 20, 2003, 02:17:24 AM »
For once in my life I'm not trying to pick a fight.

As an unsupported user should I always mail to the official address if I have a question like this and will I get an answer?

I have several other questions about messages in /var/log/messages when I enable port logging, what I should do about Code Red/Nimda etc. I don't think I have any new info to report on these matters, but I will be guided by you.

Charlie