chkrootkit found "suspicious" file
Rich Lafferty
rich+rhl at lafferty.ca
Mon Feb 27 15:56:53 UTC 2006
On Wed, Feb 22, 2006 at 04:23:10PM -0600, Mike McCarty <mike.mccarty at sbcglobal.net> wrote:
> I ran chrootkit today, and it spit this out [in the middle
> of a bunch of "nothing found" reports]
>
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/qt-3.3/etc/settings/.qt_plugins_3.3rc.lock
> /usr/lib/qt-3.3/etc/settings/.qtrc.lock
> /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi/auto/Gaim/.packlist
> /usr/lib/perl5/5.8.3/i386-linux-thread-multi/.packlist
> /lib/modules/2.6.10-1.771_FC2/build/.config
> /lib/modules/2.6.10-1.771_FC2/build/scripts/.pnmtologo.cmd
> /lib/modules/2.6.10-1.771_FC2/build/scripts/genksyms/.genksyms.cmd
> /lib/modules/2.6.10-1.771_FC2/build/scripts/genksyms/.parse.o.cmd
> /lib/modules/2.6.10-1.771_FC2/build/scripts/genksyms/.lex.o.cmd
> [etc]
>
> Total of 200 files it didn't like. I don't see anything there that
> looks particularly suspicious. What's going on? Anyone know?
My guess is that they are suspicious because they are dotfiles in
directories that aren't home directories. If chkrootkit didn't claim
that it detected some particular rootkit, it's just telling you that you
might want to look at those to decide whether or not they belong there.
> It also found this...
>
> Checking `chkutmp'... The tty of the following user process(es) were
> not found
> in /var/run/utmp !
> ! RUID PID TTY CMD
> ! root 3928 tty1 /sbin/mingetty tty1
> ! root 3939 tty2 /sbin/mingetty tty2
> ! root 3945 tty3 /sbin/mingetty tty3
> ! root 3951 tty4 /sbin/mingetty tty4
> ! root 3957 tty5 /sbin/mingetty tty5
> ! root 4082 tty6 /sbin/mingetty tty6
> chkutmp: nothing deleted
Because no-one is logged in on them. That's the program that displays
the login prompt on your console; utmp entries belong to logged-in
users.
-Rich
--
Rich Lafferty --------------+-----------------------------------------------
Ottawa, Ontario, Canada | Save the Pacific Northwest Tree Octopus!
http://www.lafferty.ca/ | http://zapatopi.net/treeoctopus.html
rich at lafferty.ca -----------+-----------------------------------------------
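The chkutmp comparison Rich describes, as an added example that is not part of the original thread and not chkrootkit's own code: it parses utmp records, collects the lines that have a logged-in user (USER_PROCESS), and reports every process holding a tty whose line has no such entry, separating login-prompt programs (which are expected to sit on an idle console) from anything else that deserves a closer look. It assumes the glibc 384-byte utmp record layout and process lines in the shape of `ps -eo ruser,pid,tty,args --no-headers`; the utmp bytes, the process listing and the set of login-prompt program names are all constructed for the demo.

```python
# Added example, not code from the thread or from chkrootkit. It rebuilds the
# check Rich describes: a process holding a tty whose line has no logged-in
# (USER_PROCESS) entry in utmp. All utmp records and ps lines are constructed.
import struct
from collections import namedtuple

# glibc's struct utmp on Linux is 384 bytes; the fields are spelled out with
# explicit byte order and padding so the parser is independent of the host.
UTMP_RECORD = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
LOGIN_PROCESS = 6   # ut_type: a getty waiting for someone to log in
USER_PROCESS = 7    # ut_type: an interactive login session

UtmpEntry = namedtuple("UtmpEntry", "ut_type pid line user")
Proc = namedtuple("Proc", "ruser pid tty cmd")

# Assumption: these programs legitimately hold a console without a utmp user.
LOGIN_PROMPT_PROGRAMS = {"mingetty", "agetty", "getty"}


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width utmp string field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_utmp(blob: bytes):
    """Return the records in a utmp blob (e.g. the bytes of /var/run/utmp)."""
    if len(blob) % UTMP_RECORD.size:
        raise ValueError("utmp data is not a whole number of %d-byte records"
                         % UTMP_RECORD.size)
    entries = []
    for off in range(0, len(blob), UTMP_RECORD.size):
        f = UTMP_RECORD.unpack_from(blob, off)
        entries.append(UtmpEntry(f[0], f[1], _cstr(f[2]), _cstr(f[4])))
    return entries


def build_utmp_record(ut_type, pid, line, user) -> bytes:
    """Constructed utmp record for the demo; on a real box read /var/run/utmp."""
    return UTMP_RECORD.pack(ut_type, pid, line.encode(), b"", user.encode(),
                            b"", *([0] * 9), b"")


def parse_ps_lines(text: str):
    """Parse 'ruser pid tty args' lines (ps -eo ruser,pid,tty,args --no-headers)."""
    procs = []
    for line in text.strip().splitlines():
        ruser, pid, tty, cmd = line.split(None, 3)
        if tty != "?":   # processes without a controlling tty are irrelevant here
            procs.append(Proc(ruser, int(pid), tty, cmd))
    return procs


def check_utmp(procs, entries):
    """Split tty-holding processes whose line has no logged-in utmp entry into
    (expected login prompts, processes worth a closer look)."""
    logged_in = {e.line for e in entries if e.ut_type == USER_PROCESS}
    expected, review = [], []
    for p in procs:
        if p.tty in logged_in:
            continue
        prog = p.cmd.split()[0].rsplit("/", 1)[-1]
        (expected if prog in LOGIN_PROMPT_PROGRAMS else review).append(p)
    return expected, review


# Constructed inputs: one real login on pts/0, gettys on two consoles, and a
# root shell on tty4 that no utmp login accounts for.
SAMPLE_UTMP = (build_utmp_record(LOGIN_PROCESS, 3928, "tty1", "LOGIN")
               + build_utmp_record(USER_PROCESS, 5000, "pts/0", "mike"))
SAMPLE_PS = """\
root 3928 tty1  /sbin/mingetty tty1
root 3939 tty2  /sbin/mingetty tty2
mike 5001 pts/0 bash
root 6100 tty4  /bin/sh
root 1    ?     init [5]
"""


def run_demo():
    """Run the check over the constructed inputs and return both lists."""
    return check_utmp(parse_ps_lines(SAMPLE_PS), parse_utmp(SAMPLE_UTMP))


if __name__ == "__main__":
    expected, review = run_demo()
    print("Login prompts with no user yet (normal, like Mike's mingettys):")
    for p in expected:
        print("  %-6s %5d %-6s %s" % p)
    print("Processes on a tty with no utmp login (look at these):")
    for p in review:
        print("  %-6s %5d %-6s %s" % p)
```

On the sample data the two mingetty processes land in the "normal" list, exactly the situation in Mike's output, while the root shell on tty4 is the kind of entry the chkutmp report is meant to surface. To run it against a live system, replace SAMPLE_UTMP with the contents of /var/run/utmp and SAMPLE_PS with the output of the ps command named in parse_ps_lines.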