From: Dave (dlamothegeneration.net)
Date: Sun Jan 21 2001 - 04:03:35 CST

    Hi,

    The setup:
    I'm on a stand-alone machine with ppp dial-up, I have pmfirewall up &
    running fine, a fresh LM 7.2 install with security updates only, (install
    was custom development with medium security level). My username is
    sundance.

    The problem:
    Root gets daily message as follows (sorry, it's kind of long):

    -----------------
    Security Warning: World Writeable files found :
                    - /home/sundance/.wprc/.wp8styles
                    - /tmp
                    - /tmp/.ICE-unix
                    - /tmp/.X11-unix
                    - /tmp/.X11-unix/X0
                    - /tmp/.font-unix
                    - /tmp/.font-unix/fs-1
                    - /tmp/wpc-wildwest
                    - /tmp/wpc-wildwest/.wpexc8.man
                    - /tmp/wpc-wildwest/excmsg8
                    - /tmp/wpc-wildwest/unix.def
                    - /tmp/wpc-wildwest/wpprint.err
                    - /tmp/wpc-wildwest/wpq8_0
                    - /tmp/wpc-wildwest/wpq8_65535
                    - /usr/games/Maelstrom/Maelstrom-Scores
                    - /usr/local/src/libmcrypt-2.3.3
                    - /usr/local/src/libmcrypt-2.3.3/doc
                    - /usr/local/src/libmcrypt-2.3.3/lib
                    - /usr/local/src/libmcrypt-2.3.3/libltdl
                    - /usr/local/src/libmcrypt-2.3.3/modules
                    - /usr/local/src/libmcrypt-2.3.3/modules/algorithms
                    - /usr/local/src/libmcrypt-2.3.3/modules/modes
                    - /usr/local/src/libmcrypt-2.3.3/src
                    - /usr/local/wp8/shlib10
                    - /usr/local/wp8/shlib10/.wpc.admin
                    - /usr/local/wp8/wplib
                    - /usr/local/wp8/wplib/.wp8x.set
                    - /usr/local/wp8/wplib/wp8gui.pdf
                    - /usr/share/apps/kscd/cddb/blues
                    - /usr/share/apps/kscd/cddb/classical
                    - /usr/share/apps/kscd/cddb/country
                    - /usr/share/apps/kscd/cddb/data
                    - /usr/share/apps/kscd/cddb/folk
                    - /usr/share/apps/kscd/cddb/jazz
                    - /usr/share/apps/kscd/cddb/misc
                    - /usr/share/apps/kscd/cddb/newage
                    - /usr/share/apps/kscd/cddb/reggae
                    - /usr/share/apps/kscd/cddb/rock
                    - /usr/share/apps/kscd/cddb/soundtrack
                    - /var/lib/games/xboing.score
                    - /var/lib/games/xjewel.scores
                    - /var/lib/games/xtrojka.score
                    - /var/lib/mysql/mysql.sock
                    - /var/lib/svgalib
                    - /var/lib/texmf
                    - /var/lib/texmf/ls-R
                    - /var/lock/xemacs
                    - /var/spool/fax/outgoing
                    - /var/spool/fax/outgoing/locks
                    - /var/spool/postfix/maildrop
                    - /var/spool/postfix/private/bounce
                    - /var/spool/postfix/private/bsmtp
                    - /var/spool/postfix/private/cleanup
                    - /var/spool/postfix/private/cyrus
                    - /var/spool/postfix/private/defer
                    - /var/spool/postfix/private/error
                    - /var/spool/postfix/private/ifmail
                    - /var/spool/postfix/private/local
                    - /var/spool/postfix/private/rewrite
                    - /var/spool/postfix/private/smtp
                    - /var/spool/postfix/private/uucp
                    - /var/spool/postfix/public/pickup
                    - /var/spool/postfix/public/qmgr
                    - /var/spool/postfix/public/showq
                    - /var/spool/samba
                    - /var/spool/slrnpull/out.going
                    - /var/tmp

    Security Warning: these home directory should not be owned by someone
    else or writeable :
    user=zope(104) : home directory is group writeable.

    These are the ports listening on your machine :
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 *:631                   *:*                     LISTEN      395/cupsd
    tcp        0      0 *:6000                  *:*                     LISTEN      600/X
    tcp        0      0 *:1024                  *:*                     LISTEN      590/kdm
    tcp        0      0 *:10000                 *:*                     LISTEN      566/perl
    tcp        0      0 *:mysql                 *:*                     LISTEN      550/mysqld
    tcp        0      0 *:smtp                  *:*                     LISTEN      463/master
    tcp        0      0 *:auth                  *:*                     LISTEN      361/identd
    tcp        0      0 *:sunrpc                *:*                     LISTEN      315/portmap
    udp        0      0 *:631                   *:*                                 395/cupsd
    udp        0      0 *:xdmcp                 *:*                                 590/kdm
    udp        0      0 *:10000                 *:*                                 566/perl
    udp        0      0 *:sunrpc                *:*                                 315/portmap
    raw        0      0 *:icmp                  *:*                     7           -
    raw        0      0 *:tcp                   *:*                     7           -
    ----------------------
    Jeez, sorry about the length. For what it's worth, the wp8 entries
    were created by WordPerfect. Anyway, I'd like to know if all these logs
    are real security issues, and just what I might do to fix things if
    necessary.

    BTW, I have xinetd completely turned off/disabled, my hosts.deny is
    ALL:ALL and my hosts.allow is ALL:127.0.0

    Thanks very much.
    Dave.
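The daily check quoted above lists every world-writable path without saying which ones matter. The script below is an added example (not part of the original message, not the msec check the poster's system runs) that triages such a list by the rules a reviewer would apply: a world-writable directory is only expected when it also carries the sticky bit (as /tmp, /var/tmp and the X11/ICE socket directories normally do), Unix-domain sockets and FIFOs (mysql.sock, the Postfix private/public queue endpoints) are harmless as world-writable, and any other world-writable regular file or non-sticky directory is something to fix with `chmod o-w`. The sample tree it audits is constructed in a temporary directory; the path names echo the poster's list but nothing about the modes of the poster's actual files is assumed.

```python
"""Triage world-writable paths the way a daily 'World Writeable files found' check
lists them. Added example; the classification rules are the reviewer's assumptions,
not the logic of the msec check on the poster's Mandrake system."""
import os
import stat
import tempfile


def classify(path: str) -> str:
    """Return a verdict string for one path; 'fix:' verdicts need attention."""
    mode = os.lstat(path).st_mode          # lstat: do not follow symlinks
    if stat.S_ISLNK(mode):
        return "ignore: symlink (mode of the link itself is irrelevant)"
    if not mode & stat.S_IWOTH:
        return "ok: not world-writable"
    if stat.S_ISSOCK(mode) or stat.S_ISFIFO(mode):
        # e.g. mysql.sock, postfix/private/* and public/*: writable by design
        return "ok: socket/fifo"
    if stat.S_ISDIR(mode):
        if mode & stat.S_ISVTX:
            # /tmp, /var/tmp, /tmp/.X11-unix: sticky bit stops cross-user deletion
            return "ok: sticky world-writable directory"
        return "fix: world-writable directory without sticky bit"
    if mode & (stat.S_ISUID | stat.S_ISGID):
        return "fix: world-writable setuid/setgid file"
    return "fix: world-writable file"


def audit(root: str) -> dict:
    """Walk root and map each world-writable path (relative to root) to its verdict."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            verdict = classify(p)
            if not verdict.startswith("ok: not"):
                findings[os.path.relpath(p, root)] = verdict
    return findings


def fixes(findings: dict) -> list:
    """Paths the admin should actually chmod o-w, sorted."""
    return sorted(p for p, v in findings.items() if v.startswith("fix"))


def build_sample_tree() -> str:
    """Constructed sample tree (assumption: modes chosen to exercise each rule)."""
    root = tempfile.mkdtemp(prefix="ww-audit-")

    def mk(rel, mode, kind="file"):
        p = root
        parts = rel.split("/")
        for part in parts[:-1]:                 # parents explicitly 0755, umask-independent
            p = os.path.join(p, part)
            if not os.path.isdir(p):
                os.mkdir(p)
                os.chmod(p, 0o755)
        p = os.path.join(p, parts[-1])
        if kind == "dir":
            os.mkdir(p)
        elif kind == "fifo":
            os.mkfifo(p)
        else:
            open(p, "w").close()
        os.chmod(p, mode)

    mk("tmp", 0o1777, "dir")                        # sticky, like a normal /tmp
    mk("tmp/.X11-unix", 0o1777, "dir")              # X server socket dir, sticky
    mk("var/lib/games/xboing.score", 0o666)         # game high-score file, anyone can edit
    mk("usr/local/src/libmcrypt", 0o777, "dir")     # source tree unpacked with a loose umask
    mk("var/spool/postfix/public/pickup", 0o666, "fifo")  # queue endpoint, writable by design
    return root


if __name__ == "__main__":
    found = audit(build_sample_tree())
    for path, verdict in sorted(found.items()):
        print(f"{verdict:55s} {path}")
    print("chmod o-w", " ".join(fixes(found)))
```

Files sitting under a sticky directory (the wpc-wildwest temp files in the post) are still reported as findings: the sticky bit only stops other users deleting or renaming them, not writing into them, so a world-writable regular file in /tmp can be rewritten by any local user before its owner reads it back.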