On 9/26/10 8:17 AM, JD wrote:
>
> On 09/26/2010 05:49 AM, James McKenzie wrote:
>> On 9/25/10 11:05 PM, Ed Greshko wrote:
>>> On 09/26/2010 01:52 PM, JD wrote:
>>>> On 09/25/2010 10:42 PM, Ed Greshko wrote:
>>>>> On 09/26/2010 12:54 PM, JD wrote:
>>>>>> Well, if my machine was rooted, and I have a firewall that
>>>>>> drops ALL incoming requests, then how was it rooted if not
>>>>>> through some package or through the kernel itself?
>>>>> I would suggest folks take a step back and do some research on "lkm
>>>>> false positive" before jumping to a conclusion that they have a problem.
>>>>>
>>>> Well, ... before jumping to a conclusion that who has a problem?
>>>> rkhunter or chkrootkit? I assume you mean rkhunter??
>>>> If so, I tend to agree. I saw a lot of Google hits reporting
>>>> false positives by chkrootkit.
>>>>
>>> Any of these "detection applications" can report false positives. Which
>>> is why they report "your system *may* be infected" or "*Possible* XXX
>>> installed...".
>>>
>>> My message is simple. If you run these apps and they say you may be
>>> infected...don't jump to a conclusion and nuke your system.
>>>
>> It is quite interesting that the files that were infected are those files.
>>
>> And I agree that blowing away the system should be a 'last resort'
>> action, but the OP is under the opinion that the system was indeed
>> rooted due to a review of the auditing logs which show these files were
>> changed from the outside.
>>
>> Firewalls are breachable, BTW. It was fun to watch the TV ads with the
>> African female talking with the 17 year old's voice that had cracked her
>> account and then he used her money to build 'a Robot that I'm taking to
>> the Senior Prom'. She was not amused.
>>
>> Also, it is a good idea to use TWO or more tools to verify that you were
>> 'rooted'. A check of the file change dates will also reveal if you were
>> breached.
>>
>> James McKenzie
>>
> It was a false positive.
> At the end of my $PATH was a bin dir for many scripts I create
> to make my typing less tedious. One of the scripts was called psu
> and it invoked ps with different options.
> I moved it to /tmp and re-ran chkrootkit and it came clean.
> No rootkit.
> Good news and no need to go nuclear on the system...

James McKenzie

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
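Added example, not from the thread and not part of chkrootkit or rkhunter: a POSIX shell helper that lists executables living in $PATH entries outside the packaged system directories, and optionally only those modified after a reference file, so a scanner hit like the one above can be cross-checked against one's own scripts (the psu case) and against file change dates before anything drastic is done. The STD_DIRS list and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: enumerate executables found in PATH
# components that a package manager does not normally own, and optionally
# narrow them to files changed after a reference file. A rootkit-scanner
# hit can then be compared with the list of one's own scripts before any
# decision about the system is made.

# Assumed list of packaged locations; adjust for the distribution.
STD_DIRS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin"

# is_std_dir DIR: succeed if DIR is one of STD_DIRS.
is_std_dir() {
    for d in $STD_DIRS; do
        if [ "$1" = "$d" ]; then return 0; fi
    done
    return 1
}

# list_nonstd_execs PATH_STRING: print every executable regular file found
# in a PATH component that is not a standard packaged directory. Empty and
# missing components are skipped; a relative component such as "." is
# listed like any other.
list_nonstd_execs() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        if [ -z "$dir" ] || ! [ -d "$dir" ] || is_std_dir "$dir"; then
            continue
        fi
        for f in "$dir"/*; do
            if [ -f "$f" ] && [ -x "$f" ]; then printf '%s\n' "$f"; fi
        done
    done
}

# execs_newer_than REF_FILE PATH_STRING: the subset of list_nonstd_execs
# whose modification time is later than REF_FILE, i.e. the "check of the
# file change dates" mentioned above, anchored to a known-good timestamp.
execs_newer_than() {
    ref=$1
    list_nonstd_execs "$2" | while IFS= read -r f; do
        if [ "$f" -nt "$ref" ]; then printf '%s\n' "$f"; fi
    done
}

# Usage: audit the caller's own PATH.
list_nonstd_execs "$PATH"
```

Pair the output with `rpm -V` on the packages that own the flagged paths; a script that only exists in a personal bin directory is a far better false-positive candidate than a modified packaged binary.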