On 9/25/10 11:05 PM, Ed Greshko wrote:
> On 09/26/2010 01:52 PM, JD wrote:
>> On 09/25/2010 10:42 PM, Ed Greshko wrote:
>>> On 09/26/2010 12:54 PM, JD wrote:
>>>> Well, if my machine was rooted, and I have a firewall that
>>>> drops ALL incoming requests, then how was it rooted if not
>>>> through some package or through the kernel itself?
>>> I would suggest folks take a step back and do some research on "lkm
>>> false positive" before jumping to a conclusion that they have a problem.
>>>
>> Well, ... before jumping to the conclusion that who has a problem?
>> rkhunter or chkrootkit? I assume you mean rkhunter??
>> If so, I tend to agree. I saw a lot of Google hits reporting
>> false positives by chkrootkit.
>>
> Any of these "detection applications" can report false positives. Which
> is why they report "your system *may* be infected" or "*Possible* XXX
> installed...".
>
> My message is simple. If you run these apps and they say you may be
> infected...don't jump to a conclusion and nuke your system.
>
It is quite interesting that the files that were infected are those files. And I agree that blowing away the system should be a 'last resort' action, but the OP is of the opinion that the system was indeed rooted, due to a review of the auditing logs which show these files were changed from the outside.

Firewalls are breachable, BTW. It was fun to watch the TV ads with the African female talking with the 17-year-old's voice that had cracked her account, and then he used her money to build 'a robot that I'm taking to the senior prom'. She was not amused.

Also, it is a good idea to use TWO or more tools to verify that you were 'rooted'. A check of the file change dates will also reveal if you were breached.

James McKenzie
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
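The "check the file change dates" advice above is worth making concrete, because the two timestamps are not equally trustworthy: an intruder can reset a file's mtime with touch, but the inode change time (ctime) is written by the kernel and is bumped by that very touch, so a system binary whose mtime is much older than its ctime deserves a closer look. The script below is an added example, not code from the thread or from rkhunter/chkrootkit; the demo files it creates under a temporary directory are constructed for the demonstration, and the function names are my own. It also shows how to bring in a second, independent tool as James suggests, by verifying the flagged path against the package database with rpm -V when rpm is present.

```shell
#!/bin/sh
# Added example (not from the original thread): spot backdated mtimes and
# cross-check flagged files against the RPM database.
# Helper names (file_times, mtime_backdated, audit_path) are mine.

# Print "<mtime> <ctime>" in epoch seconds. GNU stat first, BSD stat fallback.
file_times() {
    stat -c '%Y %Z' "$1" 2>/dev/null || stat -f '%m %c' "$1"
}

# Return 0 (true) when the file's mtime precedes its ctime by more than
# $2 seconds (default 60). On a normal install both are set together, so a
# large gap means something rewrote the file and then reset its mtime.
mtime_backdated() {
    path="$1"
    slack="${2:-60}"
    times=$(file_times "$path") || return 2
    mtime=${times% *}
    ctime=${times#* }
    [ $((ctime - mtime)) -gt "$slack" ]
}

# Second opinion: does the owning package still agree with the on-disk file?
# rpm -Vf prints nothing when the file matches its package metadata (size,
# mode, digest, mtime, ...). Skipped silently on systems without rpm.
package_check() {
    command -v rpm >/dev/null 2>&1 || return 0
    rpm -Vf "$1" 2>/dev/null
}

# Print one verdict line per path given on the command line.
audit_path() {
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            printf '%s: missing\n' "$p"
            continue
        fi
        if mtime_backdated "$p"; then
            printf '%s: SUSPECT mtime older than ctime (%s)\n' "$p" "$(file_times "$p")"
        else
            printf '%s: timestamps consistent (%s)\n' "$p" "$(file_times "$p")"
        fi
        package_check "$p"
    done
}

# Constructed demo data: one untouched file and one whose mtime was forged.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'original contents\n' > "$demo_dir/clean"
printf 'replaced contents\n' > "$demo_dir/backdated"
# Forge the mtime back to 2010 the way an intruder would; ctime stays "now".
touch -t 201001010000 "$demo_dir/backdated"

audit_path "$demo_dir/clean" "$demo_dir/backdated"
```

Run it as root against the paths rkhunter or chkrootkit complained about (for example `audit_path /sbin/ifconfig /bin/ps`). A consistent timestamp pair plus a clean rpm -V is good evidence for a false positive; a backdated mtime or a digest mismatch from rpm -V is the kind of independent confirmation that justifies treating the box as compromised. Keep in mind the check is one-directional: a rootkit that replaces a binary and never resets its mtime will show consistent timestamps and only be caught by the package digest.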