Chrootkit found "suspicious" file
John Summerfield
debian at herakles.homelinux.org
Mon Feb 27 22:32:54 UTC 2006
Mike McCarty wrote:
> Rich Lafferty wrote:
>
>> On Wed, Feb 22, 2006 at 04:23:10PM -0600, Mike McCarty
>> <mike.mccarty at sbcglobal.net> wrote:
>>
>>> I ran chkrootkit today, and it spit this out [in the middle
>>> of a bunch of "nothing found" reports]
>>>
>>> Searching for suspicious files and dirs, it may take a while...
>>> /usr/lib/qt-3.3/etc/settings/.qt_plugins_3.3rc.lock
>>> /usr/lib/qt-3.3/etc/settings/.qtrc.lock
>
>
> [snip]
>
>>>
>>> Total of 200 files it didn't like. I don't see anything there that
>>> looks particularly suspicious. What's going on? Anyone know?
>>
>>
>>
>> My guess is that they are suspicious because they are dotfiles in
>> directories that aren't home directories. If chkrootkit didn't claim
>> that it detected some particular rootkit, it's just telling you that you
>> might want to look at those to decide whether or not they belong there.
>
>
>
> That's certainly a possibility. But I've run it before without
> it complaining, and I haven't upgraded chkrootkit. Also, the
> dates on those files are mostly 2004.
See this:
[summer@bilby downloads]$ ls --time=ctime xdialog-2.1.2-1.rf.src.rpm
-rw-rw-r-- 1 summer 451396 Jan 4 19:27 xdialog-2.1.2-1.rf.src.rpm
[summer@bilby downloads]$ ls xdialog-2.1.2-1.rf.src.rpm
-rw-rw-r-- 1 summer 451396 Feb 22 2005 xdialog-2.1.2-1.rf.src.rpm
[summer@bilby downloads]$
It's the first that's important.
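
The mtime/ctime difference shown in the listing above, as an added example that is not part of the original post: it reports both timestamps for a list of flagged paths and marks those whose inode changed well after the date a plain `ls -l` shows. The names `triage` and `demo`, the one-day slack and the temporary files are assumptions made for the illustration.

```python
import os
import tempfile
from datetime import datetime, timezone

T2004 = 1086091200  # constructed sample value: 2004-06-01 12:00:00 UTC


def stamp(epoch):
    """Format an epoch timestamp as UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def triage(paths, slack_seconds=86400):
    """Compare mtime with ctime for each path (hypothetical helper).

    mtime is the date plain `ls -l` prints; tar, rpm and `cp -p` restore it
    and touch can set it to anything. ctime (inode change time, not creation
    time) is stamped by the kernel on every content or metadata change and
    cannot be set through utime(), so it shows when the file last changed
    on this system.
    """
    rows = []
    for path in paths:
        try:
            st = os.lstat(path)  # lstat: report on a symlink itself, not its target
        except OSError as exc:
            rows.append({"path": path, "error": exc.strerror})
            continue
        rows.append({
            "path": path,
            "mtime": stamp(st.st_mtime),
            "ctime": stamp(st.st_ctime),
            # True when the listed date understates how recently the inode changed
            "ctime_newer": st.st_ctime - st.st_mtime > slack_seconds,
        })
    return rows


def demo():
    """Constructed sample: two dotfiles, one with its mtime set back to 2004."""
    with tempfile.TemporaryDirectory() as d:
        old = os.path.join(d, ".qtrc.lock")     # constructed file
        fresh = os.path.join(d, ".fresh.lock")  # constructed file
        for p in (old, fresh):
            open(p, "w").close()
        os.utime(old, (T2004, T2004))           # backdates atime and mtime only
        return triage([old, fresh, os.path.join(d, "missing")])


if __name__ == "__main__":
    for row in demo():
        print(row)
```

A recent ctime alone is not a finding: chmod, chown, rename and package upgrades all update it, so it only tells you which dates to stop trusting.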