Chkrootkit messages?

Bob Goodwin bobgoodwin at wildblue.net
Mon May 1 14:16:44 UTC 2006


David Timms wrote:
> Bob Goodwin wrote:
>>
>> This is a fairly new FC5 installation, new ISP, and new wireless 
>> router system, all together adding up to numerous possibilities for 
>> errors.  I installed and ran "chkrootkit" this morning with the 
>> following result and don't know how to deal with it?  Any suggestions 
>> appreciated.
>>
>> Checking `asp'... not infected
>> Checking `bindshell'... not infected
>> Checking `lkm'... You have     1 process hidden for readdir command
>> You have     1 process hidden for ps command
>> chkproc: Warning: Possible LKM Trojan installed
> I get:
> Checking `lkm'... chkproc: nothing detected
>
> ...
>> Checking `chkutmp'...  The tty of the following user process(es) were 
>> not found
>> in /var/run/utmp !
>> ! RUID          PID TTY    CMD
>> ! root         2301 tty7   X :0 -auth /root/.serverauth.2284
>> chkutmp: nothing deleted
> rkhunter and possibly chkrootkit have not been modified to take into 
> account the FC5 norms (I think).
>
>> I scanned from "/" with f-prot yesterday and there were no 
>> indications of "infection."
> The point of a rootkit is that any command / program could no longer 
> be trusted: eg scanner asks OS: "open file x to check if it's got a 
> virus" OS responds with "data" - but it is not the real data inside 
> the file.
>
> I've got the following installed:
> rkhunter-1.2.8-3.fc5
> chkrootkit-0.46a-2.2.fc5.rf
>
> Is your chkrootkit the same version ?
>
> I think it's worth installing rkhunter (either from core or extras - 
> I've forgotten) for a second opinion.
>
> DaveT.
>
-----------------------------------------------

Installed "rkhunter" via yum and ran it; it seemed to say the check for 
"LKM" was ok?
But it reported the following:

------------------------------------------------

* Filesystem checks
   Checking /dev for suspicious files...                      [ OK ]
   Scanning for hidden files...                               [ Warning! ]
---------------
 /dev/.udev  /usr/share/man/man1/..1.gz  /etc/.pwd.lock /etc/.java
---------------
Please inspect:  /dev/.udev (directory)  /usr/share/man/man1/..1.gz 
(gzip compressed data, from Unix, max compression)  /etc/.java (directory)

[Press <ENTER> to continue]

--------------------------------------------

And finally it reports:

---------------------------- Scan results ----------------------------

MD5
MD5 compared: 0
Incorrect MD5 checksums: 0

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Scanning took 311 seconds
------------------- Mon, 01 May 2006 10:08:02 -0400 -------------------


Of course I'm not certain of the validity of either check when 
chkrootkit and rkhunter are installed "after the fact"?

BobG
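The "process hidden for readdir/ps command" warning above comes from a cross-view check: chkproc asks the kernel about PIDs in more than one way and reports any PID that one view omits. The script below is an added example (not chkrootkit's or rkhunter's code, and not from this thread) that does the same comparison from a defender's side, with the two things that most often make such a check cry wolf handled explicitly: thread IDs, which kill(tid, 0) accepts on Linux even though they never appear as top-level /proc entries, and short-lived processes that start or exit between two views, which are filtered out by repeating the sweep and keeping only PIDs hidden in every round. The live collectors assume a Linux /proc and a POSIX ps; the pid_max read and the three-round default are my assumptions, not values from the post.

```python
"""Cross-view hidden-process check in the spirit of chkrootkit's chkproc.
Added example for this thread, not chkrootkit's or rkhunter's own code.
Live collectors assume Linux /proc; the set logic is OS-independent."""
import os
import subprocess
import time


def pids_from_listdir():
    """View 1: numeric entries of /proc, i.e. what readdir() shows."""
    return {int(e) for e in os.listdir("/proc") if e.isdigit()}


def pids_from_ps():
    """View 2: what ps(1) reports (POSIX options only, so it is portable)."""
    out = subprocess.run(["ps", "-A", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def tids_of(pid):
    """Thread IDs of one process. On Linux kill(tid, 0) succeeds for a TID,
    so TIDs must be subtracted before anything is called 'hidden'."""
    try:
        return {int(t) for t in os.listdir(f"/proc/{pid}/task") if t.isdigit()}
    except OSError:            # process vanished between the two listings
        return set()


def pids_from_kill_probe(pid_max):
    """View 3: PIDs the kernel confirms via kill(pid, 0), which does not
    consult the /proc directory listing at all. EPERM (PermissionError)
    still means 'exists'; ESRCH (ProcessLookupError) means 'no such PID'.
    Assumption: pid_max is the upper bound read from /proc/sys/kernel/pid_max;
    on kernels with a large pid_max this loop takes a few seconds."""
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except PermissionError:
            alive.add(pid)
        except ProcessLookupError:
            pass
    return alive


def hidden_pids(visible, probed, threads=frozenset()):
    """PIDs that the probe confirms but the listing omits, minus thread IDs.
    Pure set logic so it can be exercised on constructed views."""
    return set(probed) - set(visible) - set(threads)


def stable_hidden(rounds):
    """Intersect per-round results: a PID is reported only if it was hidden
    in every round, which drops processes that were merely born or exited
    between two snapshots (the classic chkproc false positive)."""
    result = None
    for r in rounds:
        result = set(r) if result is None else result & set(r)
    return result if result else set()


def run_check(rounds=3, delay=0.5):
    """Live sweep: returns {'readdir': set, 'ps': set} of stably hidden PIDs."""
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    per_round = {"readdir": [], "ps": []}
    for _ in range(rounds):
        by_listdir = pids_from_listdir()
        by_ps = pids_from_ps()
        threads = set().union(*(tids_of(p) for p in by_listdir))
        probed = pids_from_kill_probe(pid_max)
        per_round["readdir"].append(hidden_pids(by_listdir, probed, threads))
        per_round["ps"].append(hidden_pids(by_ps, probed, threads))
        time.sleep(delay)
    return {view: stable_hidden(r) for view, r in per_round.items()}


if __name__ == "__main__":
    for view, pids in run_check().items():
        print(f"{len(pids)} process(es) hidden for {view}: {sorted(pids)}")
```

A non-empty result here is still only a lead: the next step is to inspect the PID from a trusted environment (a live CD or a second host reading the disk), since, as DaveT points out above, nothing the running system answers can be trusted once a kernel module is in the picture.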
