Hacked or Paranoid
Posts: 1109
A few minutes ago, while I was doing nothing more than browsing some forum posts using Swiftfox under SimplyMEPIS 6.0, my hard drive started continuous activity.
I had no other applications up, and I've got a 1GB of RAM.
Well, I pressed CTRL-ESC to try and find out where it was coming from and saw Find running (twice for that matter). I have not used it lately at all.
In the login column, it showed "No User". When I tried to kill it, it wouldn't let me (no permissions to kill it).
When I checked the list again, it had two copies of it running. I closed Swiftfox and it continued to run.
I then rebooted my PC. So far, so good.
What the heck? I had a *lot* of problems with Firefox last night. It was working fine (using Firefox 2.0 from the MEPIS repositories).
But, when I did an update of packages via Synaptic last night, Firefox 2.0 quit working (loaded and immediately exited, and when you tried to reload it, it told you another copy was already running). Kill it (it was showing up as running), it starts with the same symptoms (loads and exits, even though it still shows as a running process).
So, I added the repositories shown on this page for Swiftfox and installed it instead (and it worked fine):
http://getswiftfox.com/debian.htm
Then, this morning, I updated packages using Synaptic again (and noticed that a newer version of Firefox 2.0 was in the MEPIS repositories). That appeared to fix whatever broke Firefox 2.0 after last night's update.
But, the issue with continuous hard drive activity started a little later (as described above), being caused by Find running (and I sure didn't start it).
Have I been hacked, or am I just being paranoid? Why would Find start running on its own with no user intervention, no screen showing it running, inability for me to kill it, etc.?
Has anyone ever seen that before?
We few, we miserable few...
Posts: 440
Hi, Jim,
I dunno if you ever feel, as I do, that the developers of the most prominent linux distros seem to pay little if any attention to security issues, or else seem to make no attempt to explain apparent design decisions which might affect security or to help worried users understand possible security issues with their systems. I confess that, here, I often feel like a lost soul wandering in the wilderness, so I'd be interested in joining any Forum of the Fearful.
RE: We few.....
Posts: 519
developers of the most prominent linux distros seem to pay little if any attention to security issues,
Nothing could be farther from the truth.
It looks like you need a basic course in Linux files and permissions, and the Linux security model, but this isn't the time or place for it.
Unless you are particularly careless or stupid, your odds of getting infected from an email or Trojan file are extremely remote. It would require you to participate in your own hijacking. That's why there was a joke email circulating a few years ago that pretended to be a Linux virus. The contents of the email said: "Please pass this email on to all of your Linux using friends, then follow the instructions below:
1) open a root console
2) cd \
3) rm -rf /
Thank you"
Believe it or not, there were reports of some folks getting burned by that joke.
If you think you've caught a cracker in the act of breaking into your Linux box you can:
1) Do a version of the "who" command to see how many users are listed:
w
You can play with "w" and "who" in a console to see why "w" is the better tool in this case.
2) If "w" lists more than you as being logged in then you *may* have an intruder. On your laptop press your wireless on/off switch and turn off your wireless connection, or if you have an ethernet cable connecting your box to your ISP modem then disconnect it. If you then discover you were wrong you can turn your wireless back on or plug your ethernet cable back in and use the Mepis Network assistant to reconnect (no need to reboot).
You can also issue:
netstat -l -p
to see if your box has an outside connection you are not familiar with. If you are browsing you may see several such connections to ad servers, websites and the like, because of YOUR browsing activity. IF you are using XP or VISTA then one of Microsoft's 3rd party vendors may be logged onto your box and browsing around to see if you are misusing their "IP"... but you have no choice in that matter because the EULA you agreed to permits such invasions, including WARRANTLESS entry into your home or business by the BSA.
BUT, if the cracker had sufficient time to install a rootkit then who, netstat, ls, dir and other such utilities will be replaced by versions of those utilities which will lie to you and conceal the cracker's presence. That's why the best solution is to install chkrootkit WHEN YOU INSTALL your distro and run it regularly in cron, emailing the results to you. Rootkits even include fake chkrootkit binaries. If chkrootkit isn't installed on your distro then use Synaptic to install it and immediately run it as root (you won't be able to use sudo).
You can boot MEPIS-32 as a LiveCD and run chkrootkit from it on your installed system. Simply mount your hda root partition and point chkrootkit at it.
In nine years of using Linux, most of them connected to the Internet 24/7 with a broadband connection, I have never been infected by a virus or broken into by a cracker. Unless you run as root all the time I doubt you will either.
--
GreyGeek
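The rootkit caveat above (a trojaned ps hides the cracker's processes) is exactly what chkrootkit's process check exploits: it reads /proc directly and compares that with what ps reports. The Python below is an added example written for this page; it is not chkrootkit's code and not anything posted in this thread. It runs the comparison over constructed PID sets (the sample PIDs are made up), and over the live system if you run it on Linux, where it assumes `ps -eo pid=` and a /proc filesystem. Because a process that starts or exits between the ps run and the /proc scan looks "hidden" for one reading, the live check samples several times and reports only PIDs hidden in every sample; that is the short-lived-process false positive the OP describes further down the thread.

```python
import os
import subprocess
import time

# Constructed samples: three consecutive (ps_pids, proc_pids) readings.
# 5000 and 5001 stand for short-lived processes that existed during only one
# reading; 31337 stands for a process /proc knows about but a trojaned ps never lists.
SAMPLES = [
    ({1, 2, 100, 4242},       {1, 2, 100, 4242, 5000, 31337}),
    ({1, 2, 100, 4242, 5001}, {1, 2, 100, 4242, 5001, 31337}),
    ({1, 2, 100, 4242},       {1, 2, 100, 4242, 31337}),
]


def hidden_pids(ps_pids, proc_pids):
    """PIDs present in /proc but absent from the ps listing (the chkproc-style signal)."""
    return set(proc_pids) - set(ps_pids)


def persistent_hidden(samples):
    """Keep only PIDs that are hidden in every sample.

    A process that starts or exits between the ps run and the /proc scan shows up
    as hidden in one reading and drops out of the next; a rootkit-hidden process
    stays hidden in all of them.
    """
    result = None
    for ps_pids, proc_pids in samples:
        hidden = hidden_pids(ps_pids, proc_pids)
        result = hidden if result is None else result & hidden
    return result or set()


def live_sample():
    """One reading of the real system (Linux only; assumes `ps -eo pid=` and /proc)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    ps_pids = {int(p) for p in out.split()}
    proc_pids = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    return ps_pids, proc_pids


def live_check(rounds=3, pause=0.5):
    """Sample the live system several times and report only persistently hidden PIDs."""
    samples = []
    for _ in range(rounds):
        samples.append(live_sample())
        time.sleep(pause)
    return persistent_hidden(samples)


if __name__ == "__main__":
    print("single-reading suspects  :", sorted(hidden_pids(*SAMPLES[0])))
    print("persistent across samples:", sorted(persistent_hidden(SAMPLES)))
    if os.path.isdir("/proc"):
        print("live system              :", sorted(live_check()) or "nothing hidden")
```

Two caveats apply to the live check as much as to chkrootkit itself: run it from a LiveCD or at least with a ps binary you trust, since a rootkit that replaces ps can also replace python or hook the /proc directory listing in the kernel, and treat a single hidden PID as a lead to investigate (look at /proc/PID/exe and /proc/PID/cmdline), not as proof of compromise.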
GreyGeek said it
Posts: 274
GreyGeek said it all...
Whoops! Broke it again....I'm enjoying this too much.
$ locate find | grep
Posts: 190
$ locate find | grep cron
/etc/cron.daily/find
It's a scheduled process (like prelink) - no cause for alarm!
Let's start over, beginning with some clarification
Posts: 440
Dear GreyGeek (and lucky9),
I am very sorry that you have chosen to mock me--- if I might so describe my perception of your response--- particularly since I sense that you may have the knowledge to answer some of my most burning security-related questions about MEPIS (and perhaps other major distros).
"It looks like you need a basic course in Linux files and permissions, and the Linux security model, but this isn't the time or place for it."
I could indeed use a basic course in quite a few things, and in fact I've asked repeatedly for specific "minicourses" in this forum, unfortunately without sufficiently detailed/knowledgeable responses to help me solve my problems. However, courses in file permissions or the linux security model are not, I think, among them.
You made a number of assumptions about my background and the nature of my concerns, none of which are even close to the mark.
"Unless you are particularly careless or stupid your odds of getting infected from an email or Trojan file are extremely remote."
I never mentioned trojans or viruses or email. In fact, being infected by a virus via email is one of the least of my concerns. I have expressed a concern about a possible trojan, as explained below, and I feel that my questions here about that episode exhibited the appropriate level of alarm, but not unreasoning panic.
"In nine years of using Linux, most of them connected to the Internet 24/7 with a broadband connection, I have never been infected by a virus or broken into by a cracker."
Well, I am happy for you, and I hope that in seven years I can say the same thing. I can well believe that you understand your own security needs and that you have armored your own system against the threats you yourself face. However, not everyone fits into the same pigeonhole; in particular, while it is difficult or impossible to know for sure exactly what threats any given system faces at a given time, common sense should suggest, I think, that not every individual shares the same "threat environment".
I seem to have touched a nerve. Since it seems you might be able to help me, if you choose to do so, I'd like to start over, beginning with a bit of clarification of my background and some of my security concerns.
First of all, my belief until recently has been closer to this: "it seems that developers of the most prominent linux distros seem to pay little if any attention to helping users understand the security issues associated with the way their distro does things, or what tradeoffs would be involved in specific steps advised by various books to harden their system". One area in which I have unaddressed security concerns (and I have started several threads on this topic in this forum, without receiving any useful answers) is this: I have studied a half dozen linux security books, and have used various scripts such as Tiger to suggest various measures, and have noticed a huge gap between the way Mepis (say Mepis 3.4-3 to be specific) does things and "good practices" advocated in these books.
Before continuing, let me step back for a moment and clarify something about my background and experience. Although I am not a programmer, I have been using *nix for almost twenty years, but until a few years ago I could and did leave system administration to the pros since I was using accounts on large systems. Only when I bought my own home computers was I forced to become a sysadmin, and I have faced a steep learning curve in the past few years.
And before you ask, I am aware that few if any linux security books adequately distinguish between "default" concerns in setting up a home desktop vs. setting up a web server, mail server, or whatever. But I must stress again that not every home user fits into default pigeonholes.
I would also like to add that I have been acutely aware from the outset that the greatest threat to the security of my system is--- myself! Because, as I know very well, the books I am reading rarely if ever adequately explain the context, someone without the right background/experience can easily misunderstand something. IOW, a little knowledge is clearly a dangerous thing. At the same time, because I don't fit into the default pigeonhole, I do need to be more concerned than the average home user, so perforce I must try to muddle through, in part by asking for help in forums like this one.
Thanks for mentioning who, netstat, chkrootkit, but for the record, I have been using all of those tools from the outset. Just for the record, I am certainly not using XP or Vista, in fact my system is pretty darn Microsoft-free.
Please don't misunderstand me when I express frustration at not having yet obtained at mepis.org answers to some of my burning questions. Let me give one example in the past year where I did get some very helpful feedback. Some months ago, chkrootkit started irregularly giving warnings about a "possible LKM trojan" infection. Naturally, I posted a plea for assistance here, in which I stated that I suspected that since my system is probably fairly different from that of the author of chkrootkit, the result might be a false positive. Indeed, someone here provided a link which helped me determine that chkrootkit compares the output of ps with the contents of /proc, but if one has many short lived processes, these could well appear to disagree during the time it takes to run chkrootkit, and in fact, I had recently installed something which did result in numerous short lived processes (since removed). This hypothesis was consistent with the irregular nature of the warnings, and further monitoring has not given any credible signs of any actual compromise. In fact, I have not obtained this warning for quite some time.
Next, an example of a set of burning questions which I consider very reasonable, but which I have been utterly unable to either answer on my own, or to get anyone with more knowledge to answer at this forum. Namely, "hardening advice" scripts such as tiger and the linux security books I have studied all seem to agree that various specific things which happen by default in Mepis 3.4-3 represent bad security practice. In fact, some things garner the most urgent warning level from tiger. Now, I am aware that the authors of these scripts and of the books I am reading were not using Mepis (sometimes, not even Debian), and that good advice for Mandriva might sometimes be unsuitable for Mepis and vice versa. Still, I have posted at various times very specific questions about very specific concerns. I have dozens of questions like these:
1. Many MEPIS system users by default have valid shells; why is that (so that they can run some script?) and will it break something I need if I try to remove this apparent security hole?
2. Likewise, many MEPIS system users have no home directory; I understand that this can sometimes be exploited to land a black hat in a root shell, so again, why does MEPIS do things this way, and would it break something I need if I try to remove this apparent hole?
3. Why does /dev/log have "srw-rw-rw- 1 root root" permissions? I believe this would only become a risk if I had external users who could log into my system (my intention is to prevent that), but nonetheless I'd like to understand why MEPIS does it this way. (Similar questions for other devices and files.)
4. Why is /var/log/messages world readable? Why are these permissions restored every time I reboot?
A third area in which you (GreyGeek) could probably be very helpful to me would be minicourses. I have never quite managed to get a working IDS like Tripwire installed under MEPIS 3.4-3 (before you ask, I have been asking questions here for almost a year in order to try to learn enough to reinstall MEPIS 3.4-3, but this time to do it right). I have never managed to set up apt so that I get signature checking. I have never gotten any clear answer to how exactly I am to patch Firefox and other "most abused utilities", although I did manage to get debsecan working for a while, and this suggests a dozen or so critical upgrades to perform immediately after, while offline, shredding my current hard drive, reinstalling MEPIS 3.4-3 from my CD, taking a Tripwire snapshot, setting up a strong firewall with guarddog, and perhaps performing some basic additional hardening.
By the way, although I have asked repeatedly, members of this forum always seem to duck answering the question: have you yourself gotten the signature checking to work when you use apt to upgrade specific packages on your MEPIS installation? (Especially, 3.4-3.)
I have suggested several times that this forum should perhaps have a "security" board, but have received almost no feedback on that suggestion.
RE:Let's start over ...
Posts: 519
Dear GreyGeek (and lucky9), I am very sorry that you have chosen to mock me---
Mock you? Hardly.
You get personal and take offense much too easily, especially after making such sweeping generalizations about the character of developers.
"It looks like you need a basic course in Linux files and permissions, and the Linux security model, but this isn't the time or place for it."
That wasn't mockery, just a statement of fact, based on the nature of your accusations.
I could indeed use a basic course in quite a few things, and in fact I've asked repeatedly for specific "minicourses" in this forum, unfortunately without sufficiently detailed/knowledgeable responses to help me solve my problems. However, courses in file permissions or the linux security model are not, I think, among them.
Perhaps not, perhaps so. What you think you're asking and what you actually ask due to the nature and phrasing of your questions can be two different things. What you think may not be related to permissions and the LSM could actually be. If you are the rookie asking questions why do you assume what the answer you expect will be?
Let me recommend the Rute tutorial: http://rute.2038bug.com/index.html.gz
You can also download a pdf of it from that source.
You made a number of assumptions about my background and the nature of my concerns, none of which are even close to the mark.
I made no assumptions about you or what you know. I just answered the question you asked and defended the developers you maligned.
I seem to have touched a nerve.
ROF, LLL
Since it seems you might be able to help me, if you choose to do so, I'd like to start over, beginning with a bit of clarification of my background and some of my security concerns. First of all, my belief until recently has been closer to this: "it seems that developers of the most prominent linux distros seem to pay little if any attention to helping users understand the security issues associated with the way their distro does things, or what tradeoffs would be involved in specific steps advised by various books to harden their system". One area in which I have unaddressed security concerns (and I have started several threads on this topic in this forum, without receiving any useful answers) is this: I have studied a half dozen linux security books, and have used various scripts such as Tiger to suggest various measures, and have noticed a huge gap between the way Mepis (say Mepis 3.4-3 to be specific) does things and "good practices" advocated in these books.
Before continuing, let me step back for a moment and clarify something about my background and experience. Although I am not a programmer, I have been using *nix for almost twenty years, but until a few years ago I could and did leave system administration to the pros since I was using accounts on large systems. Only when I bought my own home computers was I forced to become a sysadmin, and I have faced a steep learning curve in the past few years.
And before you ask, I am aware that few if any linux security books adequately distinguish between "default" concerns in setting up a home desktop vs. setting up a web server, mail server, or whatever. But I must stress again that not every home user fits into default pigeonholes.
I would also like to add that I have been acutely aware from the outset that the greatest threat to the security of my system is--- myself! Because, as I know very well, the books I am reading rarely if ever adequately explain the context, someone without the right background/experience can easily misunderstand something. IOW, a little knowledge is clearly a dangerous thing. At the same time, because I don't fit into the default pigeonhole, I do need to be more concerned than the average home user, so perforce I must try to muddle through, in part by asking for help in forums like this one.
Thanks for mentioning who, netstat, chkrootkit, but for the record, I have been using all of those tools from the outset. Just for the record, I am certainly not using XP or Vista, in fact my system is pretty darn Microsoft-free.
Please don't misunderstand me when I express frustration at not having yet obtained at mepis.org answers to some of my burning questions. Let me give one example in the past year where I did get some very helpful feedback. Some months ago, chkrootkit started irregularly giving warnings about a "possible LKM trojan" infection. Naturally, I posted a plea for assistance here, in which I stated that I suspected that since my system is probably fairly different from that of the author of chkrootkit, the result might be a false positive. Indeed, someone here provided a link which helped me determine that chkrootkit compares the output of ps with the contents of /proc, but if one has many short lived processes, these could well appear to disagree during the time it takes to run chkrootkit, and in fact, I had recently installed something which did result in numerous short lived processes (since removed). This hypothesis was consistent with the irregular nature of the warnings, and further monitoring has not given any credible signs of any actual compromise. In fact, I have not obtained this warning for quite some time.
That chkrootkit problem has been known for quite a while and someone gave you the reason for it. To be safe you can cross check with rkhunter, a rootkit detector recommended by SuSE. The best way to run chkrootkit, rkhunter or f-prot is via a LiveCD. That way you can mount your system without running its kernel or having any processes from it in memory. It's the ONLY way to check a system you believe to be compromised.
Next, an example of a set of burning questions which I consider very reasonable, but which I have been utterly unable to either answer on my own, or to get anyone with more knowledge to answer at this forum. Namely, "hardening advice" scripts such as tiger and the linux security books I have studied all seem to agree that various specific things which happen by default in Mepis 3.4-3 represent bad security practice. In fact, some things garner the most urgent warning level from tiger. Now, I am aware that the authors of these scripts and of the books I am reading were not using Mepis (sometimes, not even Debian), and that good advice for Mandriva might sometimes be unsuitable for Mepis and vice versa. Still, I have posted at various times very specific questions about very specific concerns. I have dozens of questions like these:
1. Many MEPIS system users by default have valid shells; why is that (so that they can run some script?) and will it break something I need if I try to remove this apparent security hole?
While most GUI user/password interfaces cannot do it, users and/or scripts with root permission can add users to a system manually without giving them a "home" account. That is, /etc/skel is not used as a template to create a /home/name directory, or execute the primary bash shell which gives the bash CLI. Bin, sync, daemon, mail, news, irc and postgres are examples of users that do not have "home" accounts, but they have passwords. If you log into your user account and open a bash shell and do "su postgres", and then enter the postgres password, you will get an "Authentication Failure" and be returned to your own shell. If you su to root and then su to postgres you'll open an sh shell. MEPIS defaults to blocking remote login as root, so it won't be possible to log into your system remotely using the postgres account even if you know the password. If you haven't installed PostgreSQL on your system, or you have installed it but have removed it, and you still have postgres as a user, then feel free to remove it.

Users that use /bin/bash as their login shell are "normal" users. Users that have /bin/sh or /bin/sync or /bin/false are "special" users. Some you can delete, some you should not. Read Rute to learn the differences. By the way... all these users have passwords; unless you've removed the passwords they present no more risk to your system than any other user. It depends on the strength of your passwords.

Also, for crackers to exploit these "users" they must have access to your computer, either physically or remotely. Always keep your computer locked up when you are not using it. When you are using it make sure your firewall (on your PC or on your router/modem) does NOT respond in any way to any pings of any kind except via the firewall rules. You can check your Internet connection's stealthiness by visiting http://www.grc.com and running the "ShieldsUp!" port scanner.
If all 1,024 of your ports are green then you are invisible to the internet, at least to direct attack. Your presence may be inferred by the response to the server prior to the one you are connected to, but crackers can not do anything to you. If so much as one port is blue or, God forbid, red, then you are at risk. If your computer doesn't respond at all to a cracker he cannot break in.
BTW, it should be obvious that breaking into a computer manually, one at a time, is a time consuming and difficult process and one which would not result in a rapid buildup of a stable of 5000 or 10000 zombies. The risks of detection are very great and the rewards are very small, at least for my computer and yours. That's why crackers prefer email attacks depositing viruses or Trojans. Linux doesn't play ball with attachments. The USER must save them, give them execute permissions and then run them. In the hands of a stupid or gullible user no machine is safe.
2. Likewise, many MEPIS system users have no home directory; I understand that this can sometimes be exploited to land a black hat in a root shell, so again, why does MEPIS do things this way, and would it break something I need if I try to remove this apparent hole?
See above. The only way accounts of "special" users can be exploited is by accessing the root account. To do this the blackhat needs to access the account of a normal user first. But, if a blackhat gets root they could care less about the special users unless they are replacing a special user daemon with their infected version. If users are showing green on all ports with "ShieldsUp!" and don't save, permit and execute unknown or suspect files, the blackhat has no attack route.
3. Why does /dev/log have "srw-rw-rw- 1 root root" permissions? I believe this would only become a risk if I had external users who could log into my system (my intention is to prevent that), but nonetheless I'd like to understand why MEPIS does it this way. (Similar questions for other devices and files.)
Mmm.... my /dev/log doesn't have the suid bit set. In fact, I couldn't find a single device file with the suid bit set. How'd yours get set? Unset that bit.
4. Why is /var/log/messages world readable? Why are these permissions restored every time I reboot?
Mine are not. Who changed yours?
Starting with /etc/inittab,
id:5:initdefault:
....
# System initialization.
si::sysinit:/etc/init.d/rcS
...
l5:5:wait:/etc/init.d/rc 5
...
you can follow the initialization scripts in /etc/rc5.d
and check S0.. through S99 scripts to see which one changes the permissions of /var/log/messages. Remove the modification.
A third area in which you (GreyGeek) could probably be very helpful to me would be minicourses. I have never quite managed to get a working IDS like Tripwire installed under MEPIS 3.4-3 (before you ask, I have been asking questions here for almost a year in order to try to learn enough to reinstall MEPIS 3.4-3, but this time to do it right). I have never managed to set up apt so that I get signature checking. I have never gotten any clear answer to how exactly I am to patch Firefox and other "most abused utilities", although I did manage to get debsecan working for a while, and this suggests a dozen or so critical upgrades to perform immediately after, while offline, shredding my current hard drive, reinstalling MEPIS 3.4-3 from my CD, taking a Tripwire snapshot, setting up a strong firewall with guarddog, and perhaps performing some basic additional hardening.
While it may be four or five years old most of the info in Rute is still very appropriate. Read it from cover to cover.
Also, let me suggest that you are trying too hard.
MEPIS comes with some very good security preinstalled. I never bother with any security settings, firewall, or anything else when I install MEPIS. I let them install as Warren configured them to install. I tried tripwire but found it a waste of time and effort for my box. If I were running a server for a FOSS project (read "high profile target") I'd use tripwire, but for you and I... nah. Running chkrootkit from a LiveCD IF I suspect an infection is sufficient.
To get package signing signature checking for files in the repository you need to have KGpg installed. Then you need to download the developers public package signing key, which you can get from their website. Then use the import function to import them into your KGpg keychain.
Oh, about FireFox "patches". Don't. Just uninstall it without removing the configuration file and reinstall the patched binary version from the repository. Patches are diff files. Do you know what they are? If I have a source file, say "neatapp1.0.cpp", and someone reports a security hole, I fix it in "neatapp1.1.cpp". Then I run the diff command on them and get a file which has +'s for the additions and -'s for the removals and call it "neatapp1.0.patch", or something like that. I make the patch file and checksum file available for download by my users. They run the patch command on the patch file and it converts THEIR copy of "neatapp1.0.cpp" to "neatapp1.1.cpp". Then they recompile neatapp and install it. If you are using the repository then you are downloading a binary of FireFox, not the source. You don't need the patch file. It's not a good idea to download the FireFox source and compile it if you are having the kinds of questions you're asking.
By the way, although I have asked repeatedly, members of this forum always seem to duck answering the question: have you yourself gotten the signature checking to work when you use apt to upgrade specific packages on your MEPIS installation? (Especially, 3.4-3.) I have suggested several times that this forum should perhaps have a "security" board, but have received almost no feedback on that suggestion.
Yes, I have the package signing keys working. Otherwise, you get those annoying messages when you install apps.
It's sufficient for me that Warren and his crew keep abreast of the security issues because they are the developers. Warren has his livelihood and reputation riding on MEPIS, and he wouldn't throw it away with something as trivial as security awareness.
That's one of the many reasons why I like MEPIS... its quality and security.
--
GreyGeek
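Questions 1 and 2 above, and GreyGeek's answer that a system account with a real shell is only a way in if its password is usable, are what tiger's account checks are looking at. The Python below is an added example written for this page, not tiger's code and not anything from the thread or from MEPIS. It parses a constructed /etc/passwd and /etc/shadow excerpt (Debian-style entries with placeholder hashes; the empty irc password is deliberately planted to show that case) and flags three things: an empty password field, a system account (UID below 1000, a hypothetical cut-off) whose shell allows login and whose shadow entry is not locked with `*` or `!`, and a home directory that does not exist. An `audit_live` helper applies the same checks to the real files, which needs root to read /etc/shadow.

```python
import os

# Constructed /etc/passwd excerpt modelled on a Debian-style install.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
postgres:x:103:106:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
jim:x:1000:1000:Jim,,,:/home/jim:/bin/bash
"""

# Constructed /etc/shadow excerpt; the hashes are placeholders, not real credentials.
# '*' or '!' in the second field locks the account; an empty field means no password.
SHADOW_SAMPLE = """\
root:$1$placeholder$rootrootrootrootroot:13500:0:99999:7:::
daemon:*:13500:0:99999:7:::
bin:*:13500:0:99999:7:::
sys:*:13500:0:99999:7:::
sync:*:13500:0:99999:7:::
mail:*:13500:0:99999:7:::
news:*:13500:0:99999:7:::
irc::13500:0:99999:7:::
postgres:$1$placeholder$postgrespostgrespostg:13500:0:99999:7:::
nobody:*:13500:0:99999:7:::
jim:$1$placeholder$jimjimjimjimjimjimjimj:13500:0:99999:7:::
"""

# Directories assumed to exist on the sample system (stand-in for os.path.isdir).
EXISTING_DIRS = {"/root", "/usr/sbin", "/bin", "/dev", "/var/mail",
                 "/var/spool/news", "/var/lib/postgresql", "/home/jim"}

# Shells that do not give an interactive login.
NON_LOGIN_SHELLS = {"/bin/false", "/bin/true", "/bin/sync",
                    "/usr/sbin/nologin", "/sbin/nologin"}


def parse_passwd(text):
    """name -> (uid, home, shell) from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, home, shell = line.split(":", 6)
        users[name] = (int(uid), home, shell)
    return users


def parse_shadow(text):
    """name -> hash field from shadow-format lines ('' means no password at all)."""
    hashes = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, hash_field = line.split(":", 2)[:2]
        hashes[name] = hash_field
    return hashes


def audit(passwd_text, shadow_text, existing_dirs, system_uid_max=1000):
    """Return (user, finding) pairs for the three account checks described above."""
    findings = []
    hashes = parse_shadow(shadow_text)
    for name, (uid, home, shell) in parse_passwd(passwd_text).items():
        hash_field = hashes.get(name, "")
        locked = hash_field.startswith(("*", "!"))
        if hash_field == "":
            findings.append((name, "empty-password"))
        # A system account with a real shell is a login path only if its password is
        # usable; a locked entry closes it, which is why daemon, bin, sys... pass.
        if 0 < uid < system_uid_max and shell not in NON_LOGIN_SHELLS and not locked:
            findings.append((name, "system-account-login-shell"))
        if home not in existing_dirs:
            findings.append((name, "missing-home"))
    return findings


def audit_live(system_uid_max=1000):
    """Run the same checks on the real files (Linux; reading /etc/shadow needs root)."""
    with open("/etc/passwd") as f:
        passwd_text = f.read()
    with open("/etc/shadow") as f:
        shadow_text = f.read()
    homes = {line.split(":", 6)[5] for line in passwd_text.splitlines() if line.strip()}
    existing = {h for h in homes if os.path.isdir(h)}
    return audit(passwd_text, shadow_text, existing, system_uid_max)


if __name__ == "__main__":
    for user, finding in audit(PASSWD_SAMPLE, SHADOW_SAMPLE, EXISTING_DIRS):
        print(f"{user:10} {finding}")
```

On the sample data only irc (planted empty password, /bin/sh, missing home), postgres (real shell, usable password) and nobody (its /nonexistent home is intentional and harmless, but a tiger-style check still reports it) produce findings; the locked daemon, bin, sys, mail and news entries pass even though they have /bin/sh, which is the point GreyGeek makes about passwords rather than shells being what matters.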
Trying to calm the troubled waters....
Posts: 440
Dear GreyGeek,
You seem to provide much good information here. Since you are apparently well placed to ameliorate the problem I was complaining about, it is really sad that in another thread, you chose instead to continue to attack me as a suspected troll or Microsoft operative, despite my explicit denials.
For the record: I can no longer edit the original "parable of Yelm". If I could, I would edit it to clarify that I recognize that linux is open source and that my complaint is that no-one here, including yourself, ever seems to explain why the default installation of MEPIS (3.4-3 at least) seems to run afoul of so many scripts like Tiger or Bastille which look for elementary security holes. I certainly did not intend to appear to attack Warren. I had the impression that he was the only MEPIS developer, and I am very glad to learn that he does have some helpers. I am in fact grateful to WW for his effort in providing MEPIS and (as ought to be clear from the fact that I have been using MEPIS for more than a year!) I am a big fan of MEPIS and have recommended it to others. OK?
Since it seems you, GrayGeek, probably have much valuable information to provide in this forum, I hope you will be willing to let things cool off and allow calmer heads to prevail. You will presumably be glad to know that I do use ShieldsUp and I do have a strong firewall, in fact I routinely obtain a perfect score from Gibson. However, you are still making false assumptions. I ask you to consider the possiblity that because I do not fit into your preconceived pigeonholes, you are rushing to assume (quite falsely) that I must be lying about who or what I am, when in fact, the problem is simply that the spectrum of Mepis user backgrounds and needs is larger than you have apparently so far recognized. In short, it seems clear, at least to me, that this whole kerfluffle is based upon a misunderstanding.
I am willing to accept some share of the blame for that (if it is really neccessary to assign blame) because in retrospect I can see that my parable was open to interpretation in ways I did not intend, and I apologize the forum for any possible errors of judgement. Anyone searching for my past posts in this forum will see that I have tried many more conventional attempts to get some answers to my various burning questions before resorting to parable. (Obviously, this modern would-be Aesop somewhat misjudged the good humor of the audience...)
But also think you, GreyGeek, need to be willing to recognize that the explanation I have offered for the "odd features" of my posts which you have noted is not implausible: I happen to believe I have good reason to worry about my system security, so I have studied many books on security (including the Rute manual), but because I am not a programmer, I have apparently misunderstood much of what I read. I have used *nix for many years, but only very recently have I purchased home computers and therefore, only very recently have I been forced to try to learn how to be a sysadmin, which has been quite a struggle.
By the way, you mentioned an issue which I am well aware of--- many available tutorials appear to be seriously out of date. It can be very difficult for a non-developer to intuit how valuable an older resource currently is, and your comment that the Rute manual is still useful today is an example of the kind of advice I'd like to see gathered up in a "hardening MEPIS" tutorial. I don't think it is unreasonable to ask the MEPIS developers to at least respond to my plea that they cooperate with those who would like to help prepare such a tutorial. (My own contribution, obviously, would be limited to asking questions and trying to understand/test the answers.)
To repeat: the intent of the parable was to urge developers of linux distros generally to try harder to provide more documentation. I am eager to learn and am presumably not stupid--- although as I said I am not a programmer and am hardly about to metamorphose into something I am not--- so it is frustrating when I can't find answers to simple questions. I keep having the feeling that with more help, I would get "over the hump" and start learning much more on my own. But I still seem to be stuck at not being able to understand most of the documentation I am reading. IOW, I was pleading for more information, if possible presented in ways (tutorials?) a bit more comprehensible for an intelligent and hardworking user who happens not to be a professionally trained programmer.
Again, the whole point of my parable was that I feel there is an unmet need for documentation/tutorials useful to nondevelopers who wish to "know their system". Providing them would surely be in the spirit of open-source, since I take it everyone will agree that it is unreasonable to expect that every user be a developer or even a programmer; not everyone has the background or talents to fill those niches. I'd like to be part of the solution to this problem. In fact, I feel that my questions over the past year could provide a basis for planning a tutorial of the kind I'd like to see provided at this website.
For anyone else who might try to help me out here--- thanks in advance. Can anyone verify that MEPIS 3.4-3 install from the live CD using the install script provided does not have the strange features I noted like world writeable /dev/log? I would be glad to hear that! If it is true, I have no idea how this happened in my own system; I can only guess that in trying to install something I somehow broke things in such a way that some really weird stuff happened. For what it is worth, I am more or less reconciled to reinstalling from the disk and trying to rebuild the system all over again. This is a pain, but I do feel that with each pass I know much more so can hope to do a much better job on the next iteration. Thanks in advance for any assistance or advice as I plan my reinstall/rebuild!
feheeszeno

Quote:Can anyone verify that
Posts: 4077
Can anyone verify that MEPIS 3.4-3 install from the live CD using the install script provided does not have the strange features I noted like world writeable /dev/log?
I'm kind of too busy to do a clean reinstall just to check that, however you are free to check for yourself, I recommend doing a clean install of MEPIS in VMware or other VM. If you plan to reinstall anyway then you can do that without the VMware...
--
Check out MEPIS Wiki: www.mepis.org/docs
Planning my clean re-install
Posts: 440
Hi all,
So imagine my consternation when a mysterious and unwanted connection to hostip.info occurs on the very day that someone (GreyGeek) is accusing me of being a Microsoft secret agent. (I am not, as I keep saying, and at this point it is ridiculous that anyone would seriously believe that--- sheesh, check all my past postings here!) Yeah, it would be funny if it weren't so freaky. So whoever you are, assuming this was indeed no coincidence, I hope we can all have a good laugh about this someday, but in future, can you at least tell me before you probe me? Or whatever the heck that was. I mean, my gosh, you know?! This isn't helping to calm the troubled waters.
BTW, I thought my (dynamic) IP when I connect to this forum was supposed to be private information? Gosh, I'd sure appreciate any reassurance from the mepis staff right about now, since I really am a loyal customer.
OK, enough of that, I hope.
Hi, AdrianTW, I wasn't suggesting that anyone should do a clean install to check the permissions of /dev/log for me, I meant: can someone who, like me, is currently using MEPIS 3.4-3 do me a favor and quickly check their own permissions? Or even install tiger and run a check and see if like me they get pages and pages of warnings?
Sigh... I am reconciled to a clean install from the MEPIS 3.4-3 live CD install script, which hopefully will clear up my weird problems with odd file permissions which keep getting reset every time I reboot, and maybe some of the other things tiger was worried about too.
Let's see... one of the first things I'd want to do after installing from the disk, while I am still off-line, would be to take a tripwire snapshot or something comparable. (I have suggested in the past that something of this kind might be good to include with future editions of MEPIS, not that this will help me since I want to stay with 3.4-3 for reasons already explained in various posts by myself.) In the past I have not been able to install tripwire, although if anyone who cares checks back I tried to make do with fcheck. I have asked about this repeatedly in the past, and some of you did try to help me, for which thanks, but somehow I just was never able to make it work. AFAIK, tripwire or another IDS is not part of the default MEPIS 3.4-3 install, so I guess I'll need to have a deb or rpm or (gulp) source at hand before I wipe my current disk? Or would I use a live CD like Knoppix to somehow download and install tripwire? Bear with me, please, lots of stuff going on and I'm more than a bit frazzled. TIA!
feheeszeno
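For anyone who wants to do the quick permission check asked for above without installing tiger, here is an added shell example (written for this thread, not taken from any post or from MEPIS). It prints the mode and owner of a path such as /dev/log, reports whether the "others" class has the write bit, and lists world-writable regular files under a directory. It assumes GNU coreutils `stat` (standard on MEPIS). One caveat worth knowing before worrying: /dev/log is a socket, and a syslog daemon normally leaves it mode 666 on purpose, because every unprivileged process has to be able to send log messages to it; the thing to check is that it is a socket and not a regular file, and the directory listing function below deliberately looks only at regular files.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a path such as /dev/log
# is world-writable, and list world-writable regular files under a directory.
# Assumes GNU coreutils stat (Linux).

# Print symbolic mode, owner, group and name for a path, or a note if absent.
show_perms() {
    if [ -e "$1" ]; then
        stat -c '%A %U %G %n' "$1"
    else
        echo "$1: not present"
    fi
}

# Return 0 if "others" have the write bit on $1, 1 if not, 2 if $1 is missing.
is_world_writable() {
    [ -e "$1" ] || return 2
    # %a is the octal mode (e.g. 666, or 1777 for a sticky directory); the
    # last digit is the "others" class and the write bit is the 2 in it.
    mode=$(stat -c '%a' "$1")
    last=$(printf '%s' "$mode" | tail -c 1)
    case "$last" in
        2|3|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print regular files under $1 that others can write. Stays on one filesystem
# and skips symlinks (find does not follow them), so sockets and device nodes
# such as /dev/log are not reported here.
list_world_writable() {
    find "$1" -xdev -type f -perm -002 -print 2>/dev/null
}

# Usage when run directly: look at the socket the thread is asking about.
show_perms /dev/log
if is_world_writable /dev/log; then
    echo "/dev/log is world-writable (expected for a syslog socket)"
fi
```

Run it as-is for /dev/log, or call `list_world_writable /` as root to get the list that a tool like tiger would complain about; files under /tmp with the sticky bit set are normal, anything under /etc, /bin or /usr is not.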
RE: planning my clean reinstall
Posts: 519
So imagine my consternation when a mysterious and unwanted connection to hostip.info
Not mysterious. Check out http://hostip.info . It is a website where:
Hostip.info is a community-based project to geolocate IP addresses, making the database freely available (see below) but it needs you to put in your city to make it work. It only takes 10 seconds, and you'll get a warm fuzzy feeling of 'doing the right thing'
As far as being unwanted, the hostip plugin won't install itself without your help, knowingly or unknowingly.
Let's see... one of the first things I'd want to do after installing from the disk, while I am still off-line, would be to take a tripwire snapshot or something comparable.
You have a 'tripwire', something to compare files on your installation with.... It's the LiveCD.
--
GreyGeek
Who asked for hostip? Not me! Knowingly--aye, there's the rub
Posts: 440
As far as being unwanted, the hostip plugin won't install it self without your help, knowingly or unknowingly.
OK, I guess we can all have a good laugh about this someday, but GreyGeek, you seemed so suspicious of me earlier today I really thought this was somehow something you did!
Fortunately, I think I've pieced together a much more plausible explanation. A few weeks ago I installed a few Firefox extensions, including Noscript. I think Noscript installs the hostip extension (not "plugin"? is there a difference, or are they just trying to confuse me again?) when you install Noscript. So, with probability 0.9999, what I observed was simply Firefox automatically looking for updates to the small number of extensions I have installed, and seeking out and successfully updating this particular extension.
OK, go ahead and laugh, but this is where all this intrusive monitoring/marketing crap has gotten those humble citizens who are aware of just how much of it is going on: rampant raging paranoia. I highly recommend David H. Holtzman, Privacy Lost, Wiley, 2006, to anyone who doesn't know what I am talking about. Then http://www.eff.org/ and http://www.aclu.org/privacy/index.html. The scary thing is, I have only been looking into this for a year or so, and when I read the book by Holtzman, two things became apparent: 1. I already knew everything he mentions (well, almost everything) and 2. As far as I can tell, the situation is actually even scarier than he claims. If you use those loyalty cards, your goose is cooked, my friend! My point (and Holtzman's point) is: sure, government monitoring of antiwar bloggers is scary, but commercial data brokers are much scarier! (At least, for citizens of "the Western democracies".)
But I still have a question about this extension or plugin or whatever I should call it: I thought that the purpose of this hostip thingie was to query the database. That is, after installing noscript and as it turns out, this hostip-plugin, when I hold my mouse cursor over a link at a forum like this, I get a small yellow popup with the IP and putative geolocation, which is enormously helpful since I am paranoid about not following links to places unknown!
But from what you said, it almost sounds like it also broadcasts the geolocation of my current IP (provided dynamically by my ISP), which would rather defeat the purpose on those occasions when, as an aspiring blogger, and following the advice at the EFF and ACLU websites, I am experimenting with Tor (the onion router)--- see the thread in which I discussed this on this forum. Does anyone know?
BTW, I asked someone earlier today about their database and he told me it wasn't even close when he tried asking where his own IP is geolocated. However, I've found it to reliably give the right answer where I already know the true geolocation, e.g. mepis.org. I've also queried it on those occasions when I am experimenting with Tor to see if it shows that I am putatively now in some country on the other side of the world (yes). (Additional: I just tried my correct current IP, and sure enough, their database was way off, so I corrected it using their handy tool, just to give something back to the community. Of course, whois would have told them the correct geolocation from the get-go, so I don't understand why they were so far off.)
As a general comment for all you developers out there: I am vaguely aware that many users would not like to get a message every time something installed on their computer decides it would be a good idea to go out and get something else to install, but speaking for myself, I would like to be asked "Do you wish to allow UtilityNice to seek out and install PluginNasty? (Y/N)" before it happens. I would really, really, really like this! Sure, I can see it would get to be a bit of a pain, but to me it would be well worth it, and I'd like to be given this option.
You have a 'tripwire', something to compare files on your installation with.... It's the LiveCD.
Oh wow, I sure hope you aren't suggesting that I should compare md5sums binary by binary or something like that. Because I see two huge problems with that suggestion: 1. it is inconvenient; 2. it won't cover anything I do after the initial default installation from the live CD, like downloading more goodies from the repos.
If you look for it, you can find a long ago thread in which I tried awfully hard to get some good advice on installing an IDS (right after installing from the live CD, while still off-line, as all the documentation insists upon for reasons I think I appreciate), but I never did get really workable advice. I myself stumbled over fcheck, but this never did work out very well for me. I was able to install it and I did try to use it for a while, to try to get some sense of whether it is workable as an IDS, but I concluded that at least for clueless n00bs, it is not workable. If I simply didn't know what I was doing, please tell me how to do it right.
Any further information/advice about the hostip plugin would be appreciated. Ditto for serious suggestions for an IDS to be set up immediately after the base install from the live CD, while still off-line. TIA.
feheeszeno
RE: Who asked for hostip ......
Posts: 519
Oh wow, I sure hope you aren't suggesting that I should compare md5sums binary by binary or something like that. Because I see two huge problems with that suggestion: 1. it is inconvenient 2. it won't cover anything I do after the initial default installation from the live CD, like downloading more goodies from the repos.
Na, there are tools for that.... awk, grep, etc...
The Linux tutorial I recommended to you explains how to compare files from two different sources and print the differences, or whatever you want to do.
--
GreyGeek
Meh. Look in
Posts: 4077
Meh.
Look in /etc/cron.daily; it's most likely the "find" script that does that. It's normal maintenance. Install kcron, start it as root, and look in "System Crontab"; you can change the hours when the scripts run if you prefer.
--
Check out Mepis wiki: www.mepis.org/docs
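To confirm that explanation from the command line, here is an added shell example (written for this thread, not from MEPIS or kcron). It shows which script in a cron.daily directory invokes find, reads the hour at which a Debian-style /etc/crontab hands the daily directory to run-parts, and, for any find that is running right now, prints its owner and the parent process that started it. The functions take paths as parameters so they can be pointed at the real /etc/cron.daily and /etc/crontab. A job started by cron from the system crontab runs as root, which is exactly why an ordinary user's attempt to kill it is refused and why the process shows no login user.

```shell
#!/bin/sh
# Added example (not from the thread): trace a scheduled find job back to
# cron. Assumes a Debian-style /etc/crontab (minute hour dom month dow user
# command) and procps ps, both of which MEPIS has.

# Print the scripts in directory $1 whose text invokes find as a command.
scripts_using_find() {
    # -w matches "find" only as a whole word, so "/usr/bin/find" counts but
    # "findutils" does not.
    grep -lw 'find' "$1"/* 2>/dev/null
}

# Print HH:MM at which the crontab file $1 runs the cron.daily directory.
daily_run_time() {
    awk '$0 !~ /^[[:space:]]*#/ && /cron\.daily/ {
            printf "%02d:%02d\n", $2, $1; exit
        }' "$1"
}

# For each find process running now, print its owner and the command line of
# the process that started it (cron, a shell, a desktop search tool, ...).
show_find_parents() {
    ps -eo pid,ppid,user,args | awk 'NR > 1 && $4 ~ /(^|\/)find$/' |
    while read -r pid ppid user _rest; do
        parent=$(ps -o args= -p "$ppid")
        printf 'find pid %s (user %s) started by pid %s: %s\n' \
            "$pid" "$user" "$ppid" "$parent"
    done
}

# Usage when run directly on a live system.
scripts_using_find /etc/cron.daily || echo "no cron.daily script mentions find"
echo "cron.daily runs at: $(daily_run_time /etc/crontab)"
show_find_parents
```

If `show_find_parents` names cron (or run-parts) as the parent and the owner is root, the activity is the scheduled job; a find owned by your own user with an interactive shell as parent is something you started, and anything else is worth a closer look before the next reboot hides it.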