LinuxQuestions.org
Old 05-08-2013, 03:20 PM   #1
Richard14
Member
 
Registered: Nov 2009
Location: Near Ludlow
Distribution: Ubuntu 12.04
Posts: 74
Blog Entries: 1

Rep: Reputation: 0
chkrootkit


Dell Dimension 2400 OS Ubuntu 12.04 1GB ram.

Please could you offer any advice?

While running chkrootkit for the first time on an old installation, the following was a part of the output....

Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
Code:
/usr/lib/pymodules/python2.7/.path
/usr/lib/jvm/.java-1.6.0-openjdk-i386.jinfo
/usr/lib/jvm/.java-7-oracle.jinfo
/usr/lib/jvm/java-7-oracle/lib/visualvm/visualvm/.lastModified
/usr/lib/jvm/java-7-oracle/lib/visualvm/platform/.lastModified
/usr/lib/jvm/java-7-oracle/lib/visualvm/profiler/.lastModified
/usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit


Thank you

Richard
 
Old 05-08-2013, 06:15 PM   #2
gdizzle
Member
 
Registered: Jul 2012
Posts: 206

Rep: Reputation: Disabled
Here they are claiming several false positives: http://comments.gmane.org/gmane.linu...an.user/451559

But I have no actual experience with it so I cannot comment on the reliability of the source.
 
Old 05-08-2013, 11:43 PM   #3
Ztcoracat
Senior Member
 
Registered: Dec 2011
Distribution: Slackware, CentOS & Android
Posts: 3,185
Blog Entries: 1

Rep: Reputation: Disabled
I used to get a lot of false positives when I ran 'chkrootkit' and 'rkhunter' also.

If you are suspicious you could run ClamAV or ClamTK and do a full scan of your system, if you want to and if you have one of those on your system.

To run a scan and check your system with ClamTK open the terminal and run:
Code:
clamscan -r /
http://www.reazul.net/how-to-use-cla...and-linuxmint/
http://clamtk.sourceforge.net/faq.html

http://www.linuxforu.com/2011/01/imp...ntion-systems/
http://www.symantec.com/connect/arti...etection-linux

Last edited by Ztcoracat; 05-08-2013 at 11:46 PM.
 
Old 05-08-2013, 11:48 PM   #4
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,289

Rep: Reputation: 2034
You might also want to ask the Mods (via the Report button) to move this to the Security Forum. That's where I've seen most Q&As re chkrootkit & rkhunter.
 
Old 05-08-2013, 11:55 PM   #5
Ztcoracat
Senior Member
 
Registered: Dec 2011
Distribution: Slackware, CentOS & Android
Posts: 3,185
Blog Entries: 1

Rep: Reputation: Disabled
UnSpawn is very good with Linux Security!
 
Old 05-09-2013, 12:26 AM   #6
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,910

Rep: Reputation: 776
In the security sub-forum, there are already ~600 threads with matches for 'chkrootkit'; I'd guess one in two or one in three are on the subject, or mention the subject, of (possible) false positives. Look through a few and you should notice something relevant. (And Chris's suggestion of getting a mod to move this there was a good one; it will get an answer there.)

And, if you want anyone to read through your list of (potential) false positives, could you post that in code tags please (either use the little icon above the message window, or add them manually)?

It is just unreadable as it is, so you would be being very helpful in doing that. Otherwise, people will tend to just read this as an undifferentiated succession of filenames, without any separators, and not check any of the detail (well, that's what I did... there is something about Python and something about Oracle, but beyond that, I don't know).

Last edited by salasi; 05-09-2013 at 12:28 AM. Reason: stop code tags being directly interpreted (grrr!)
 
Old 05-09-2013, 02:38 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,470
Blog Entries: 54

Rep: Reputation: 2901
+1, should probably be moved.

What these file names have in common is they all start with a dot:
Code:
/usr/lib/pymodules/python2.7/.path 
/usr/lib/jvm/.java-1.6.0-openjdk-i386.jinfo 
/usr/lib/jvm/.java-7-oracle.jinfo 
/usr/lib/jvm/java-7-oracle/lib/visualvm/visualvm/.lastModified 
/usr/lib/jvm/java-7-oracle/lib/visualvm/platform/.lastModified 
/usr/lib/jvm/java-7-oracle/lib/visualvm/profiler/.lastModified 
/usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit
In Ye Aulden Days using a dot was one way to "hide files in plain sight", as for most users it would not be common to have an 'ls' alias that included the "-a" switch (mine is by default aliased to '/bin/ls -al --time-style=long-iso --quoting-style=c' and I export "LS_COLORS=no"). These days there are easier ways to hide files and better ways to spot changes (running a system file integrity checker like Samhain, AIDE, hell even tripwire would be suggested).

How to find out what these files are about? For starters: 0) using your distribution's package manager to find out what package the file is part of ('dpkg -S /usr/lib/jvm/.java-7-oracle.jinfo'), verifying package contents integrity with say 'debsums -c name-of-package' (though debsums unfortunately needs to be installed beforehand to trigger post-apt-get hash generation), 1) examination of MAC times ('stat /usr/lib/jvm/*') to see if they are similar or not, 2) running 'file' on the file to find out what it contains and 3) visual inspection using a pager, 'strings', readelf, EXIF tools or whatever other simple, non-modifying(!) tool you use.


*Please note "security" isn't about running Chkrootkit, Rootkit Hunter, OSSEC HIDS or any other single tool but hardening the machine right after OS installation, regularly auditing and adjusting access controls and remaining ever vigilant: in short, a continuous process based upon a sound foundation.
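The triage steps listed in this post (dot-named paths, package owner, package checksums, MAC times, file type) as one read-only script. This is an added example and not code from the thread or from unSpawn; it assumes a Debian/Ubuntu host for 'dpkg -S' and 'debsums' and skips any step whose tool is missing. The input list is the one reported in the opening post.

```sh
#!/bin/sh
# Added example, not code from the thread: read-only triage of dot-named
# paths reported by chkrootkit, following the steps listed in the post above
# (package owner, package checksums, MAC times, file type).
# Assumes a Debian/Ubuntu host for dpkg -S and debsums; each step is skipped
# when its tool is missing, so the script still runs elsewhere.

# Return 0 when some path component starts with a dot, which is the one
# property all the reported paths share; 1 otherwise.
is_dotfile_path() {
    case "/$1" in
        */.*) return 0 ;;
        *)    return 1 ;;
    esac
}

# List dot-named entries below a directory, one per line: the files a plain
# 'ls' without -a would not show.
find_dotfiles() {
    find "$1" -name '.*' ! -name . ! -name .. 2>/dev/null | sort
}

# Read-only look at one path; nothing here modifies the file.
triage_path() {
    p="$1"
    printf '== %s\n' "$p"
    pkg=""
    if command -v dpkg >/dev/null 2>&1; then
        # dpkg -S prints "package: /path"; keep the package name only
        pkg=$(dpkg -S "$p" 2>/dev/null | head -n 1 | cut -d: -f1)
        if [ -n "$pkg" ]; then
            printf '   package: %s\n' "$pkg"
            # debsums -c prints only files whose checksum differs from the package
            { command -v debsums >/dev/null 2>&1 && debsums -c "$pkg" 2>/dev/null; } || true
        else
            echo '   not owned by any installed package'
        fi
    fi
    # MAC times; compare against siblings from the same package ('stat dir/*')
    stat -c '   mtime=%y  ctime=%z' "$p" 2>/dev/null || stat "$p" || true
    { command -v file >/dev/null 2>&1 && file "$p"; } || true
}

# Constructed input: the paths from the opening post, as chkrootkit listed them.
SUSPECTS='/usr/lib/pymodules/python2.7/.path
/usr/lib/jvm/.java-1.6.0-openjdk-i386.jinfo
/usr/lib/jvm/.java-7-oracle.jinfo
/usr/lib/jvm/java-7-oracle/lib/visualvm/visualvm/.lastModified
/usr/lib/jvm/java-7-oracle/lib/visualvm/platform/.lastModified
/usr/lib/jvm/java-7-oracle/lib/visualvm/profiler/.lastModified
/usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit'

for p in $SUSPECTS; do
    if is_dotfile_path "$p"; then
        if [ -e "$p" ]; then
            triage_path "$p"
        else
            printf '== %s: dot-named, not present on this host\n' "$p"
        fi
    fi
done
```

Run it as a normal user on the affected machine; every command it calls only reads, so it cannot alter the MAC times it reports. 'find_dotfiles /usr/lib/jvm' gives the full picture the 'ls' alias discussion above is about, and a path owned by a package whose debsums check comes back clean is the usual false-positive outcome.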
 
Old 05-09-2013, 11:25 AM   #8
Richard14
Member
 
Registered: Nov 2009
Location: Near Ludlow
Distribution: Ubuntu 12.04
Posts: 74
Blog Entries: 1

Original Poster
Rep: Reputation: 0
Also please could you advise how to view the following LOG :-

/var/log/rkhunter.log

and

/var/log/chkrootkit.log
 
Old 05-09-2013, 11:27 AM   #9
Richard14
Member
 
Registered: Nov 2009
Location: Near Ludlow
Distribution: Ubuntu 12.04
Posts: 74
Blog Entries: 1

Original Poster
Rep: Reputation: 0
Thank you all for your help.
 
Old 05-09-2013, 11:38 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,470
Blog Entries: 54

Rep: Reputation: 2901
Quote:
Originally Posted by Richard14 View Post
Also please could you advise how to view the following LOG :-

/var/log/rkhunter.log

and

/var/log/chkrootkit.log
These are plain text files so you can read them with any pager, visual editor or text processor you like. I usually run
Code:
less /var/log/rkhunter.log /var/log/chkrootkit.log
:n for the next file, :p for the previous one and :q to quit.
 
Old 05-09-2013, 11:41 AM   #11
Ztcoracat
Senior Member
 
Registered: Dec 2011
Distribution: Slackware, CentOS & Android
Posts: 3,185
Blog Entries: 1

Rep: Reputation: Disabled
Quote:
Originally Posted by Richard14 View Post
Also please could you advise how to view the following LOG :-

/var/log/rkhunter.log

and

/var/log/chkrootkit.log
You would view that log in your terminal.
For example:
When I want to look at my sources.list I open the terminal and type in the name of the text editor that I use, followed by the path and name of the file I would like to view. I use Nano or Gedit, like this:
Code:
nano /etc/apt/sources.list (press Enter)

There is a variety of text editors and everyone has their own preference.

http://www.thegeekstuff.com/2009/07/...-text-editors/
 