Re: Weird Network Manager Problem (Updated)

On 09/26/2010 05:49 AM, James McKenzie wrote:
>    On 9/25/10 11:05 PM, Ed Greshko wrote:
>>    On 09/26/2010 01:52 PM, JD wrote:
>>> On 09/25/2010 10:42 PM, Ed Greshko wrote:
>>>>     On 09/26/2010 12:54 PM, JD wrote:
>>>>> Well, if my machine was rooted, and I have a firewall that
>>>>> drops ALL incoming requests, then how was it rooted if not
>>>>> through some package or through the kernel itself?
>>>> I would suggest folks take a step back and do some research on "lkm
>>>> false positive" before jumping to a conclusion that they have a problem.
>>>>
>>> Well, ...  before jumping to conclusion that who has a problem?
>>> rkhunter or chkrootkit?  I assume you mean rkhunter??
>>> If so, I tend to agree. I saw a lot of google hits reporting
>>> false positives by chkrootkit.
>>>
>> Any of these "detection applications" can report false positives.  Which
>> is why they report "your system *may* be infected" or "*Possible* XXX
>> installed...".
>>
>> My message is simple.  If you run these apps and they say you may be
>> infected...don't jump to a conclusion and nuke your system.
>>
> It is quite interesting that the files that were infected are those files.
>
> And I agree that blowing away the system should be a 'last resort'
> action, but the OP is under the opinion that the system was indeed
> rooted due to a review of the auditing logs which show these files were
> changed from the outside.
>
> Firewalls are breachable, BTW.  It was fun to watch the TV ads with the
> African Female talking with the 17 year old's voice that had cracked her
> account and then he used her money to build 'a Robot that I'm taking to
> the Senior Prom'.  She was not amused.
>
> Also, it is a good idea to use TWO or more tools to verify that you were
> 'rooted'.  A check of the file change dates will also reveal if you were
> breached.
>
> James McKenzie
>
It was a false positive.
At the end of my $PATH was a bin dir for many scripts I create
to make my typing less tedious. One of the scripts was called psu
and it invoked ps with different options.
I moved it to /tmp and re-ran chkrootkit and it came clean.
No rootkit.
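
The triage described in the message above, as an added example that is not part of the original post: a shell function that lists executables found in PATH directories outside the system locations, together with the owning RPM package if there is one, so personal scripts such as `psu` can be reviewed before a scanner hit is treated as real. The function names and the `SYSTEM_DIRS` list are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): list executables reachable via PATH
# that sit outside system-managed directories, with their RPM owner if any.

# Assumption: directories considered system-managed; adjust for your host.
SYSTEM_DIRS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin"

is_system_dir() {
    # Match against a space-padded list so the check does not depend on IFS.
    case " $SYSTEM_DIRS " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

rpm_owner() {
    # Print the owning package, or a marker when there is none.
    local owner
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm-not-available"
    elif owner=$(rpm -qf "$1" 2>/dev/null); then
        echo "$owner"
    else
        echo "unpackaged"
    fi
}

# list_personal_path_files PATH_STRING
# Prints "file<TAB>owner" for each executable regular file found in a
# PATH directory that is not in SYSTEM_DIRS.
list_personal_path_files() {
    local path_string="$1" dir f
    local IFS=:
    for dir in $path_string; do
        if [ -z "$dir" ]; then dir=.; fi              # empty entry means cwd
        if [ "$dir" != "/" ]; then dir=${dir%/}; fi   # normalise trailing slash
        if is_system_dir "$dir"; then continue; fi
        for f in "$dir"/*; do
            if [ -f "$f" ] && [ -x "$f" ]; then
                printf '%s\t%s\n' "$f" "$(rpm_owner "$f")"
            fi
        done
    done
    return 0
}

# Run as: bash this_script.sh "$PATH"
if [ "$#" -gt 0 ]; then list_personal_path_files "$1"; fi
```

Each file it reports as `unpackaged` is a candidate to inspect by hand and, as in the post, move aside before re-running the scanner.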
