
#1 2005-03-24 08:14:09

Shofs
Member
From: Central Illinois
Registered: 2004-12-15
Posts: 184

chkdupexe found dup exe's

root@dogma ~ # chkdupexe
-rwxr-xr-x  1 root root  5980 2005-02-24 02:39 /usr/bin/rmiregistry
-rwxr-xr-x  1 root root 70696 2005-01-16 17:33 /opt/java/jre/bin/rmiregistry
-rwxr-xr-x  1 root root 14740 2005-02-22 04:02 /usr/bin/kinit
-rwxr-xr-x  1 root root 70728 2005-01-16 17:33 /opt/java/jre/bin/kinit
-rwxr-xr-x  1 root root  5281 2004-09-22 10:45 /usr/bin/mkpasswd
-rwxr-xr-x  1 root root  5068 2005-01-26 12:54 /usr/sbin/mkpasswd
-rwxr-xr-x  1 root root 37536 2005-01-26 12:54 /bin/login
-rwxr-xr-x  1 root root 20504 2005-02-22 04:02 /usr/bin/login
-rwxr-xr-x  1 root root 14468 2005-02-22 04:02 /usr/bin/klist
-rwxr-xr-x  1 root root 70728 2005-01-16 17:33 /opt/java/jre/bin/klist
-r-sr-xr-x  1 root root 22688 2004-12-16 00:55 /bin/su
-rwsr-xr-x  1 root root 10756 2005-02-22 04:02 /usr/bin/su
root@dogma ~ # whereis su
su: /bin/su /usr/bin/su /usr/man/man1/su.1.gz

Should I be concerned about this? I did whereis su as an example to see where the dups are.


#2 2005-03-24 08:23:18

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: chkdupexe found dup exe's

Do an md5sum (or a SHA sum) on each of the programs, and compare them. If the dup program has the same md5sum, then you should be fine. If not, then you can start to worry.

Here is what I have:

5d1c5a442557983c61693f39f134597f  /usr/sbin/mkpasswd
5816a41682e84664f64fb9bcec68d35b  /bin/login
163e18d58756dcf6ba9d130bd28c05fb  /bin/su

EDIT: Just noticed your filesizes on most of those are different. I am curious. What distribution are you using?

EDIT2: Also, try running chkrootkit.


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍


#3 2005-03-24 10:38:14

Shofs
Member
From: Central Illinois
Registered: 2004-12-15
Posts: 184

Re: chkdupexe found dup exe's

I am using Arch 0.7, I update it regularly.

Comparison to yours (MD5?).

ryan@dogma Desktop $ md5sum /usr/bin/mkpasswd /bin/login /bin/su
cc5da1295ded69454a10be13cf6b0812  /usr/bin/mkpasswd
3d2241c6edf6f28f0ccc1f5b0a21d75d  /bin/login
303cf48bcf80600938b085659aee48e9  /bin/su

Comparison of my duplicates (MD5).

a6b2d7fda608c8e707a017ee0542fef9  /usr/bin/rmiregistry
a7755f1e383e6158ae648b3bb7c5ef6d  /opt/java/jre/bin/rmiregistry
5f03f8f312fa88499bd3955391a02747  /usr/bin/kinit
0a62526fac7eef519823363dd3a01189  /opt/java/jre/bin/kinit
cc5da1295ded69454a10be13cf6b0812  /usr/bin/mkpasswd
80b2b0debcb379b0445e9119474c36a6  /usr/sbin/mkpasswd
3d2241c6edf6f28f0ccc1f5b0a21d75d  /bin/login
fb25c23003382333b5fdf2875b91a50e  /usr/bin/login
bdff1c780113654e0588af9ef93ff367  /usr/bin/klist
8afeef49e2043bc170b3e1a296298d4a  /opt/java/jre/bin/klist
303cf48bcf80600938b085659aee48e9  /bin/su
13d4e310170aab72d06f91dd7d49951c  /usr/bin/su

Comparison of mine (SHA1).

root@dogma /opt/chkrootkit # sha1sum /usr/bin/rmiregistry /opt/java/jre/bin/rmiregistry /usr/bin/kinit /opt/java/jre/bin/kinit /usr/bin/mkpasswd /usr/sbin/mkpasswd /bin/login /usr/bin/login /usr/bin/klist /opt/java/jre/bin/klist /bin/su /usr/bin/su
3ff23b4605017e7e44af01f41bd228d23f731cf3  /usr/bin/rmiregistry
294bfc62e23e05124e72210856fcdf86beb84f88  /opt/java/jre/bin/rmiregistry
8e4d00135e6fc4c3b55fe9aab242fcbaed88efd3  /usr/bin/kinit
cf0222705d55221fcd7e00f2a74f3a00e978bf3e  /opt/java/jre/bin/kinit
c3d6ac5b931fc7482c33277b28b01f5097b89177  /usr/bin/mkpasswd
ac1c5024880d33297b6bd9c4aacf7aca2f8e6279  /usr/sbin/mkpasswd
790ce24a809446037d863805a2e8f3cd6c8e61f9  /bin/login
a3b56fc8d75b5d48a95d73a93cce33fe3d2a982f  /usr/bin/login
28cdd563e1ffb15ede01e2e85eb0473bc9505ad1  /usr/bin/klist
243168d699a35dd2540f5606438abc346c384a3a  /opt/java/jre/bin/klist
2669b395741789ba9095079dad3c24d599c09f01  /bin/su
6da9d431dd58372f5bcb99c55d37dc255b4e2199  /usr/bin/su

Chkrootkit

root@dogma /opt/chkrootkit # ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/current/i686-linux-thread-multi/auto/Gaim/.packlist /usr/lib/perl5/current/i686-linux-thread-multi/.packlist /usr/lib/perl5/site_perl/current/i686-linux-thread-multi/auto/Gtk/Gdk/Pixbuf/.packlist /usr/lib/perl5/site_perl/current/i686-linux-thread-multi/auto/Gtk/Gdk/ImlibImage/.packlist /usr/lib/perl5/site_perl/current/i686-linux-thread-multi/auto/Gtk/base/.packlist /usr/lib/perl5/site_perl/current/i686-linux-thread-multi/auto/Image/Magick/.packlist

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... nothing deleted


#4 2005-03-24 16:53:09

IceRAM
Member
From: Bucharest, Romania
Registered: 2004-03-04
Posts: 772

Re: chkdupexe found dup exe's

# pacman -Qo /bin/login
/bin/login is owned by shadow 4.0.7-1

# pacman -Qo /usr/bin/login
/usr/bin/login is owned by heimdal 0.6.3-3
# pacman -Qo /usr/sbin/mkpasswd
/usr/sbin/mkpasswd is owned by shadow 4.0.7-1

# pacman -Qo /usr/bin/mkpasswd
error: /usr/bin/mkpasswd is not a file.
# pacman -Qo /usr/bin/su
/usr/bin/su is owned by heimdal 0.6.3-3

# pacman -Qo /bin/su
/bin/su is owned by coreutils 5.2.1-5
# pacman -Qi heimdal
Name           : heimdal
Version        : 0.6.3-3
Groups         : None
Packager       : Arch Linux (http://www.archlinux.org)
URL            : http://www.pdc.kth.se/heimdal/
License        :
Architecture   : i686
Size           : 3392836
Build Date     : Tue Feb 22 10:02:04 2005 UTC
Install Date   : Wed Mar 16 20:30:38 2005 UTC
Install Script : No
Reason:        : installed as a dependency for another package
Provides       : netkit-rsh
Depends On     : db e2fsprogs openssl
Required By    : None
Conflicts With : netkit-rsh
Description    : Heimdal Kerberos V5 libraries

Thank you pacman smile

Out of curiosity, why does "heimdal" come with the same binaries?

I believe that the first binary run is the first found in the PATH, considering that those dirs are in PATH, am I right?

Well, it says that heimdal was installed as a dependency, but it doesn't show any package required by it, which is a bit weird. I think KDE once required it, but I'm not sure.


#5 2005-03-24 19:57:18

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: chkdupexe found dup exe's

Unless the full path is used for calling it, then indeed, the first appearance in the path is the one used. This is often how bad people get things done.
On some older setups, the current directory (or even $HOME/bin) appeared first in the PATH. If someone got access to your box, they could drop a modified 'ls' or 'cd' into one of those locations, so when you listed a directory's contents, it would do something naughty, then call the real ls for you. You would effectively be none the wiser.

I haven't seen many systems set up with current-dir in the path... which is good. And $HOME/bin is usually at the end of the path... which is good.

And good use of pacman by the way. :D


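The two checks this thread walks through by hand (cactus's "md5sum each copy and compare" in #2 and the "first one in PATH wins" point in #5) combined into one small chkdupexe-style script. This is an added example, not code from the thread or from chkdupexe; the function name dupexe_report is made up, and it assumes sha256sum from coreutils is installed.

```shell
#!/bin/sh
# Added example (not from the thread): for every command name that appears in more
# than one PATH directory, print the copy that will actually run (first in PATH
# order) and whether all copies are byte-identical (same SHA-256). If the winning
# copy is not the package you expect, that is the one to look at first.
# "dupexe_report" is a made-up name; it assumes sha256sum is available.

dupexe_report() {
    searchpath=${1:-$PATH}          # PATH string to inspect; defaults to the caller's
    oldifs=$IFS
    IFS=:
    set -- $searchpath              # split on ':' into positional parameters
    IFS=$oldifs

    # Pass 1: emit every executable name once per directory it lives in.
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            if [ -f "$f" ] && [ -x "$f" ]; then
                printf '%s\n' "${f##*/}"
            fi
        done
    done | sort | uniq -d | while read -r name; do
        # Pass 2: for each name seen in more than one directory, walk PATH again
        # in order, so the first hit is the copy the shell would execute.
        first="" firsthash="" verdict="identical"
        for dir in "$@"; do
            f="$dir/$name"
            [ -f "$f" ] && [ -x "$f" ] || continue
            h=$(sha256sum "$f" | cut -d' ' -f1)
            if [ -z "$first" ]; then
                first=$f; firsthash=$h     # this copy wins when "$name" is typed
            elif [ "$h" != "$firsthash" ]; then
                verdict="DIFFERENT"        # a later copy is not the same binary
            fi
        done
        printf '%s %s %s\n' "$name" "$first" "$verdict"
    done
}

# Usage: dupexe_report                                  (inspect the current PATH)
#        dupexe_report /bin:/usr/bin:/usr/sbin:/opt/java/jre/bin
```

Output is one line per duplicated name: the name, the full path of the copy that wins, and either identical or DIFFERENT; a DIFFERENT line is the case to follow up with the package manager (on Arch, pacman -Qo on each path, as in #4).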


#6 2005-03-24 20:40:03

Shofs
Member
From: Central Illinois
Registered: 2004-12-15
Posts: 184

Re: chkdupexe found dup exe's

I guess I could see having two versions of the same program like su or whatever because two packages install it, but I don't see why the core su provided by Arch would have a different md5 or sha* or something than other users'. I assume cactus, you update regularly?


#7 2005-03-24 20:43:07

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: chkdupexe found dup exe's


