[SOLVED]Questions about msec security scan/logs & chkrootkit



Postby joeclem111 » Jul 14th, '13, 13:47

Hi, I was told by MSEC that system security changes had been made (Thursday I think) so I checked the logs. The file chkrootkit had been deleted. I re-installed and ran it. All looks good except there is a warning that /sbin/init was infected. It also said that there was no tty allocated to root process (class 1 process) for /var/run/utmp !. I ran clamav and it found no infections. Any advice please, is this system safe? It also warned that all my spreadsheets were world writable. I have changed them to 744 permissions. Is this good enough or do you know what they should be. Thanks.
Last edited by joeclem111 on Jul 14th, '13, 16:31, edited 2 times in total.
joeclem111
 
Posts: 47
Joined: May 12th, '13, 14:14

Re: infection

Postby doktor5000 » Jul 14th, '13, 16:03

Please show the relevant part of the msec logs here. Also, why has chkrootkit been deleted, and which file of that package exactly?

For init, you probably got the following warning:
Searching for Suckit rootkit... Warning: /sbin/init INFECTED

This is a false positive, check https://bugs.mageia.org/show_bug.cgi?id=6699 or viewtopic.php?f=7&t=2867

For the tty/utmp check, you probably got something like this:
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 1045 tty1 /etc/X11/X :0 vt1 -auth /var/run/xauth/A:0-mPkp1a

Which is no problem at all, I don't care if there's no real tty for my X server if it's running fine.

For your spreadsheets, where do they reside?
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
doktor5000
 
Posts: 18018
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: infection

Postby joeclem111 » Jul 14th, '13, 16:15

Here is /var/log/security/mail.weekly.today:

*** Security Check, Jul 14 12:03:03 ***
*** Check type: weekly ***
*** Check executed from: /etc/cron.weekly/msec ***
Report summary:
Test started: Jul 14 12:03:03
Test finished: Jul 14 12:03:34
Total of Suid Root files: 33
Total of Sgid files: 17
Total of World Writable files: 10
Total of Un-owned files: 0
Total of Un-owned group files: 0
Total of SUID files with controlled MD5 checksum: 33
Total of installed packages: 1843
Chkrootkit check: skipped (chkrootkit not found)

Detailed report:

Security Warning: World Writable files found :
- /home/joe/Documents/bank.ods
- /home/joe/Documents/GandE.ods
- /home/joe/Documents/joestd.odt
- /home/joe/Documents/JSC-contr.odt
- /home/joe/Documents/loan.ods
- /home/joe/Documents/lottery.ods
- /home/joe/Documents/rent.ods
- /home/joe/Documents/virgincc.ods
- /var/lib/lock/sane
- /var/lib/xkb

Chkrootkit check skipped: chkrootkit not found


I did not delete chkrootkit, I used urpmi to reinstate it and checked it and it works well now. Your false positive init message is exactly what I got. Your chkutmp is the same message as mine. My spreadsheets are in /home/username/Documents. Thanks for your prompt reply, unless you find something it looks as if I am OK. Please confirm if that is true.
Last edited by doktor5000 on Jul 14th, '13, 16:18, edited 1 time in total.
Reason: added quote tags & markup, to improve on clarity
joeclem111
 
Posts: 47
Joined: May 12th, '13, 14:14

Re: infection

Postby doktor5000 » Jul 14th, '13, 16:26

You mentioned in your first post:
joeclem111 wrote: The file chkrootkit had been deleted

Which is not the case, probably it has never been installed. No issue at all.

For the spreadsheets, I don't know why they are world-writable, normally they should only be world-readable by default.
Maybe you changed the permissions yourself, or changed the permissions of the containing folder, or the umask?

And sorry, but I cannot confirm if YOU are OK. Please mark the thread accordingly by editing the topic of the first post and prefix it by [SOLVED], thanks
Apart from that, please next time also use a more meaningful and precise thread title.
doktor5000
 
Posts: 18018
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany
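The thread turns on two things: what the msec weekly report lists under "World Writable files found", and what permission bits actually sit behind such a warning (the original poster picked 744; the usual default for a document created under umask 022 is 644, i.e. world-readable but not world-writable). The script below is an added example, not code from the forum thread or from msec/Mageia. It parses a constructed report in the shape of the /var/log/security/mail.weekly.today excerpt quoted above, checks the other-write bit (S_IWOTH) the same way msec's check does, and clears only the group/other write bits so a 666 file becomes 644 and a 777 file 755, leaving everything else untouched. The sample paths and the throwaway Documents folder are constructed for the demo.

```python
"""Added example (not from the forum thread or msec): parse the msec
world-writable warning and verify/fix the underlying permission bits."""
import os
import stat
import tempfile

# Constructed sample in the shape of the mail.weekly.today excerpt quoted in
# the thread; the paths are made up for this example.
SAMPLE_REPORT = """\
*** Security Check, Jul 14 12:03:03 ***
*** Check type: weekly ***
Report summary:
Total of World Writable files: 2
Detailed report:

Security Warning: World Writable files found :
- /home/joe/Documents/bank.ods
- /var/lib/xkb

Chkrootkit check skipped: chkrootkit not found
"""


def parse_world_writable(report: str) -> list:
    """Return the paths listed under the 'World Writable files found' warning."""
    paths = []
    in_section = False
    for line in report.splitlines():
        if line.startswith("Security Warning: World Writable files found"):
            in_section = True
            continue
        if in_section:
            if line.startswith("- "):
                paths.append(line[2:].strip())
            elif line.strip() == "":
                in_section = False  # a blank line ends the list
    return paths


def is_world_writable(path: str) -> bool:
    """True when the 'other' write bit is set, which is what msec reports."""
    return bool(os.lstat(path).st_mode & stat.S_IWOTH)


def safe_mode(mode: int) -> int:
    """Clear the group and other write bits, keep every other bit:
    0o666 -> 0o644, 0o777 -> 0o755, 0o744 stays 0o744."""
    return stat.S_IMODE(mode) & ~(stat.S_IWGRP | stat.S_IWOTH)


def fix_world_writable(root: str) -> dict:
    """Walk root, chmod each world-writable regular file to safe_mode() and
    return {path: (old_mode, new_mode)} so the change can be reported."""
    changed = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                old = stat.S_IMODE(st.st_mode)
                new = safe_mode(old)
                os.chmod(p, new)  # chmod sets bits exactly; umask does not apply
                changed[p] = (old, new)
    return changed


def demo() -> dict:
    """Create a throwaway Documents folder with one 0o666 file and one 0o644
    file, run the fixer, and return what was changed (only the 0o666 file)."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = os.path.join(tmp, "Documents")
        os.mkdir(docs)
        for name, mode in (("bank.ods", 0o666), ("rent.ods", 0o644)):
            p = os.path.join(docs, name)
            with open(p, "w") as f:
                f.write("constructed sample\n")
            os.chmod(p, mode)
        assert is_world_writable(os.path.join(docs, "bank.ods"))
        result = fix_world_writable(docs)
        assert not is_world_writable(os.path.join(docs, "bank.ods"))
        return {os.path.relpath(k, docs): v for k, v in result.items()}


if __name__ == "__main__":
    print(parse_world_writable(SAMPLE_REPORT))
    print({k: (oct(o), oct(n)) for k, (o, n) in demo().items()})
```

Run it as a normal user on a Linux box; the demo only touches files it creates itself. To check a real home directory the way msec does, point fix_world_writable() at it, or first list candidates with the equivalent find -perm -o+w before changing anything.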

