David Timms wrote:
Bob Goodwin wrote:
This is a fairly new FC5 installation, new ISP, and new wireless
router system, all together adding up to numerous possibilities for
errors. I installed and ran "chkrootkit" this morning with the
following result and don't know how to deal with it. Any suggestions
appreciated.
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
I get:
Checking `lkm'... chkproc: nothing detected
...
Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp !
! RUID PID TTY CMD
! root 2301 tty7 X :0 -auth /root/.serverauth.2284
chkutmp: nothing deleted
rkhunter and possibly chkrootkit have not been modified to take into
account the FC5 norms (I think).
I scanned from "/" with f-prot yesterday and there were no
indications of "infection."
The point of a rootkit is that any command / program could no longer
be trusted: e.g. the scanner asks the OS "open file x to check if it's got a
virus"; the OS responds with "data" - but it is not the real data inside
the file.
I've got the following installed:
rkhunter-1.2.8-3.fc5
chkrootkit-0.46a-2.2.fc5.rf
Is your chkrootkit the same version ?
I think it's worth installing rkhunter (either from core or extras -
I've forgotten) for a second opinion.
DaveT.
-----------------------------------------------
Installed "rkhunter" via yum and ran it; it seemed to say the check for
"LKM" was ok?
But reported the following:
------------------------------------------------
* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ Warning! ]
---------------
/dev/.udev /usr/share/man/man1/..1.gz /etc/.pwd.lock /etc/.java
---------------
Please inspect: /dev/.udev (directory) /usr/share/man/man1/..1.gz
(gzip compressed data, from Unix, max compression) /etc/.java (directory)
[Press <ENTER> to continue]
--------------------------------------------
And finally it reports:
---------------------------- Scan results ----------------------------
MD5
MD5 compared: 0
Incorrect MD5 checksums: 0
File scan
Scanned files: 342
Possible infected files: 0
Application scan
Scanning took 311 seconds
------------------- Mon, 01 May 2006 10:08:02 -0400 -------------------
Of course I'm not certain of the validity of either check when
chkrootkit and rkhunter are installed "after the fact"?
BobG
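The "process hidden for readdir / for ps" warning quoted above comes from comparing different views of the process table. As an added example (not from this thread and not chkrootkit's own chkproc code), the script below reproduces that comparison on Linux and separates out the two benign situations that produce the same warning: threads, whose /proc/<tid> directory can be stat()ed but is never listed by readdir() or ps, and tasks that exit between snapshots. The function names and the use of `ps -eo pid=` are my own choices.

```python
import os
import subprocess


def pids_from_readdir():
    """View 1: PIDs that readdir() on /proc lists (a filtering LKM can trim this)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_ps():
    """View 2: PIDs that ps reports (built from /proc too, so equally spoofable)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def pids_from_probe(max_pid):
    """View 3: stat() every /proc/<pid> by name; a kit that only filters readdir() misses this."""
    return {pid for pid in range(1, max_pid + 1) if os.path.isdir(f"/proc/{pid}")}


def tgid_from_proc(pid):
    """Thread group id from /proc/<pid>/status, or None if the task is already gone."""
    try:
        with open(f"/proc/{pid}/status") as f:
            tgid = [line for line in f if line.startswith("Tgid:")]
        return int(tgid[0].split()[1])
    except (OSError, IndexError):
        return None


def classify(readdir_pids, ps_pids, probe_pids, tgid_of):
    """Compare the three views; returns (hidden_from_readdir, hidden_from_ps, threads).
    A task whose Tgid differs from its id is a thread, not a hidden process; a task
    that vanished between snapshots (tgid_of -> None) is a race and is ignored."""
    hidden_readdir, hidden_ps, threads = set(), set(), set()
    for pid in probe_pids:
        tgid = tgid_of(pid)
        if tgid is None:
            continue
        if tgid != pid:
            threads.add(pid)
            continue
        if pid not in readdir_pids:
            hidden_readdir.add(pid)
        if pid not in ps_pids:
            hidden_ps.add(pid)
    return hidden_readdir, hidden_ps, threads


if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    hidden_rd, hidden_ps, threads = classify(
        pids_from_readdir(), pids_from_ps(), pids_from_probe(max_pid), tgid_from_proc)
    print(f"hidden for readdir: {sorted(hidden_rd)}  hidden for ps: {sorted(hidden_ps)}  threads skipped: {len(threads)}")
```

Run it a few times; a PID that stays in the hidden sets across runs is worth investigating, while one that appears once is almost always a process that started or exited mid-scan.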