[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: chkrootkit - suspicious files question



On Sun, 2005-04-03 at 23:03 -0400, Jim Cornette wrote:
> Gene Heskett wrote:
> > On Sunday 03 April 2005 08:42, Jim Cornette wrote:
> > 
> >>Since there was discussions regarding rootkits and how they are
> >>getting into systems, I ran chkrootkit and am more concerned about
> >>the suspicious files that it referred to.
> >>
> >>Searching for suspicious files and dirs, it may take a while...
> >>/usr/lib/perl5/5.8.6/i386-linux-thread-multi/.packlist
> >>/usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi/auto/NKF/.p
> >>acklist
> >>/usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi/auto/mod_p
> >>erl/.packlist
> >>
> >>/usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi/auto/Gaim/.
> >>packlist
> >>
> >>/usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi/auto/DCOP/.pa
> >>cklist
> >>
> >>
> >>Hopefully this does not indicate anything to be alarmed about. Is
> >>this a rational assumption?
> >>
> >>Jim
> > 
> > 
> > I don't think these are Jim.  But do pay attention to the names a 
> > level or so back up the tree, I suppose there could be a surprise 
> > there.
> 
> Not to sound dense, but the linux threads are they not used for 2.6 
> kernels and for the nptl backported kernels? I'm probably looking at the 
> wrong portion of the path to th file.
> 
> Looking through the packlist, I could see why it is marked suspicious. :-)

Have you installed any perl modules manually (i.e. not using RPMs)? That
might well result in .packlist files like these.

Paul.
-- 
Paul Howarth <paul city-fan org>


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]