Chkrootkit messages ?

David Timms dtimms at bigpond.net.au
Mon May 1 13:37:19 UTC 2006


Bob Goodwin wrote:
> 
> This is a fairly new FC5 installation, new ISP, and new wireless router 
> system, all together adding up to numerous possibilities for errors.  I 
> installed and ran "chkrootkit" this morning with the following result 
> and don't know how to deal with it?  Any suggestions appreciated.
> 
> Checking `asp'... not infected
> Checking `bindshell'... not infected
> Checking `lkm'... You have     1 process hidden for readdir command
> You have     1 process hidden for ps command
> chkproc: Warning: Possible LKM Trojan installed
I get:
Checking `lkm'... chkproc: nothing detected

...
> Checking `chkutmp'...  The tty of the following user process(es) were 
> not found
> in /var/run/utmp !
> ! RUID          PID TTY    CMD
> ! root         2301 tty7   X :0 -auth /root/.serverauth.2284
> chkutmp: nothing deleted
rkhunter and possibly chkrootkit have not been modified to take into 
account the FC5 norms (I think).

> I scanned from "/" with f-prot yesterday and there were no indications 
> of "infection."
The point of a rootkit is that any command / program could no longer be 
trusted: e.g. scanner asks OS: "open file x to check if it's got a virus"; 
OS responds with "data" - but it is not the real data inside the file.

I've got the following installed:
rkhunter-1.2.8-3.fc5
chkrootkit-0.46a-2.2.fc5.rf

Is your chkrootkit the same version?

I think it's worth installing rkhunter (either from core or extras - 
I've forgotten) for a second opinion.

DaveT.
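
Added example, not part of the original message and not chkrootkit's own code: a sketch of the cross-view comparison behind warnings like "1 process hidden for readdir command", where each PID is probed directly and compared with what the /proc listing and ps report. The function names and sample PIDs are constructed for illustration, and the second confirmation pass is an assumption added here to filter out processes that simply started or exited between the listings and the probe.

```python
import os

def listed_pids(proc_entries):
    """PIDs as a directory listing of /proc reports them (numeric names only)."""
    return {int(name) for name in proc_entries if name.isdigit()}

def ps_pids(ps_output):
    """PIDs from `ps -e -o pid=` style output, one PID per line."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}

def cross_view(probe, listed, from_ps, max_pid):
    """Probe every PID directly and report those missing from either listing."""
    hidden = {"readdir": [], "ps": []}
    for pid in range(1, max_pid + 1):
        if not probe(pid):
            continue
        if pid not in listed:
            hidden["readdir"].append(pid)
        if pid not in from_ps:
            hidden["ps"].append(pid)
    return hidden

def confirm(first, second):
    """Keep only PIDs flagged in both passes; short-lived processes drop out."""
    return {view: sorted(set(first[view]) & set(second[view])) for view in first}

def live_probe(pid):
    """Direct check on a real system: is /proc/<pid> reachable by name?"""
    return os.path.isdir(f"/proc/{pid}")

# Constructed sample data (not taken from the original post).
SAMPLE_PROC = ["1", "410", "411", "cpuinfo", "self"]
SAMPLE_PS = "    1\n  410\n  411\n"
SAMPLE_ALIVE_PASS1 = {1, 410, 411, 2999, 3100}  # 3100 exits before pass 2
SAMPLE_ALIVE_PASS2 = {1, 410, 411, 2999}

def demo():
    # Listings are reused for brevity; re-read them on every pass on a real system.
    listed, from_ps = listed_pids(SAMPLE_PROC), ps_pids(SAMPLE_PS)
    p1 = cross_view(SAMPLE_ALIVE_PASS1.__contains__, listed, from_ps, 4000)
    p2 = cross_view(SAMPLE_ALIVE_PASS2.__contains__, listed, from_ps, 4000)
    return p1, confirm(p1, p2)

if __name__ == "__main__":
    first, confirmed = demo()
    print("first pass:", first)
    print("confirmed :", confirmed)
```

On a live system, pass `live_probe` as the probe and take fresh listings from `os.listdir("/proc")` and `ps -e -o pid=` on each pass.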



