Chkrootkit messages ?
Bob Goodwin
bobgoodwin at wildblue.net
Mon May 1 13:48:41 UTC 2006
David Timms wrote:
> Bob Goodwin wrote:
>>
>> This is a fairly new FC5 installation, new ISP, and new wireless
>> router system, all together adding up to numerous possibilities for
>> errors. I installed and ran "chkrootkit" this morning with the
>> following result and don't know how to deal with it? Any suggestions
>> appreciated.
>>
>> Checking `asp'... not infected
>> Checking `bindshell'... not infected
>> Checking `lkm'... You have 1 process hidden for readdir command
>> You have 1 process hidden for ps command
>> chkproc: Warning: Possible LKM Trojan installed
> I get:
> Checking `lkm'... chkproc: nothing detected
>
> ...
>> Checking `chkutmp'... The tty of the following user process(es) were
>> not found
>> in /var/run/utmp !
>> ! RUID PID TTY CMD
>> ! root 2301 tty7 X :0 -auth /root/.serverauth.2284
>> chkutmp: nothing deleted
> rkhunter and possibly chkrootkit have not been modified to take into
> account the FC5 norms (I think).
>
>> I scanned from "/" with f-prot yesterday and there were no
>> indications of "infection."
> The point of a rootkit is that any command / program could no longer
> be trusted: e.g. scanner asks OS: "open file x to check if it's got a
> virus" OS responds with "data" - but it is not the real data inside
> the file.
>
> I've got the following installed:
> rkhunter-1.2.8-3.fc5
> chkrootkit-0.46a-2.2.fc5.rf
>
> Is your chkrootkit the same version ?
>
> I think it's worth installing rkhunter (either from core or extras -
> I've forgotten) for a second opinion.
>
> DaveT.
>
I did yum install this morning and "chkrootkit -V" shows "chkrootkit
version 0.46".
I'll try rkhunter as you suggest. If all else fails I guess I can
re-install but hate to wipe out my configuration effort to date.
Thanks. BobG
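
An added illustration, not part of the original thread and not chkrootkit's own code: the `lkm` lines quoted above report a process missing from the readdir view of /proc. The Python below makes that cross-view comparison on Linux, skipping thread IDs (which Linux serves under /proc/<tid> but leaves out of the listing) and re-checking so that processes started mid-scan drop out; the function names and the sample data are constructed for the example.

```python
import os

def listed_pids(proc="/proc"):
    """PIDs returned by listing /proc (the readdir view)."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}

def read_status(pid, proc="/proc"):
    """Open /proc/<pid>/status by path, bypassing the listing; None if absent."""
    try:
        with open(os.path.join(proc, str(pid), "status")) as fh:
            return fh.read()
    except OSError:
        return None

def is_thread(status):
    """Non-leader threads have Pid != Tgid and never appear in the listing."""
    f = dict(l.split(":", 1) for l in status.splitlines() if ":" in l)
    return f.get("Pid", "").strip() != f.get("Tgid", "").strip()

def hidden_candidates(listed, status_of, max_pid):
    """PIDs that answer a direct lookup, are not threads, yet are unlisted."""
    out = set()
    for pid in range(1, max_pid + 1):
        if pid not in listed:
            status = status_of(pid)
            if status is not None and not is_thread(status):
                out.add(pid)
    return out

def confirmed_hidden(list_fn, status_of, max_pid, rounds=3):
    """Keep only PIDs hidden in every round, so start-up races drop out."""
    survivors = None
    for _ in range(rounds):
        found = hidden_candidates(list_fn(), status_of, max_pid)
        survivors = found if survivors is None else survivors & found
        if not survivors:
            break
    return survivors or set()

# Constructed sample: 2302 is a thread of 2301; 4000 is unlisted but answers.
SAMPLE_LISTED = {1, 2301}
SAMPLE_STATUS = {
    1: "Name:\tinit\nTgid:\t1\nPid:\t1\n",
    2301: "Name:\tX\nTgid:\t2301\nPid:\t2301\n",
    2302: "Name:\tX\nTgid:\t2301\nPid:\t2302\n",
    4000: "Name:\tunknown\nTgid:\t4000\nPid:\t4000\n",
}

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as fh:
        limit = int(fh.read())
    print(sorted(confirmed_hidden(listed_pids, read_status, limit)))
```

Both views come from the same running kernel, so a clean result carries the limitation David describes: a kernel-level rootkit can falsify either answer.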