While running chkrootkit for the first time on an old installation, the following was a part of the output...
Code:
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/pymodules/python2.7/.path
/usr/lib/jvm/.java-1.6.0-openjdk-i386.jinfo
/usr/lib/jvm/.java-7-oracle.jinfo
/usr/lib/jvm/java-7-oracle/lib/visualvm/visualvm/.lastModified
/usr/lib/jvm/java-7-oracle/lib/visualvm/platform/.lastModified
/usr/lib/jvm/java-7-oracle/lib/visualvm/profiler/.lastModified
/usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit
You might also want to ask the Mods (via the Report button) to move this to the Security Forum. That's where I've seen most Q&As re chkrootkit & rkhunter.
In the security sub-forum, there are already ~600 threads with matches for 'chkrootkit'; I'd guess one in two or one in three are on the subject, or mention the subject, of (possible) false positives. Look through a few and you should notice something relevant. (and, Chris's suggestion of getting a mod to move this there was a good one - it will get an answer there).
And, if you want anyone to read through your list of (potential) false positives, could you post that in code tags please(either use the little icon above the message window, or add them manually)?
It is just unreadable as it is, so you would be being very helpful in doing that. Otherwise, people will tend to just read this as an undifferentiated succession of filenames, without any separators and not check any of the detail (well, that's what I did...there is something about python and something about oracle. but beyond that, I don't know).
Last edited by salasi; 05-09-2013 at 12:28 AM.
Reason: stop code tags being directly interpreted (grrr!)
In Ye Aulden Days using a dot was one way to "hide files in plain sight", as for most users it would not be common to have an 'ls' alias that included the "-a" switch (mine is by default aliased to '/bin/ls -al --time-style=long-iso --quoting-style=c' and I export "LS_COLORS=no"). These days there are easier ways to hide files and better ways to spot changes (running a system file integrity checker like Samhain, AIDE, hell even tripwire would be suggested).
How to find out what these files are about? For starters
0) using your distribution's package manager to find out what package the file is part of ('dpkg -S /usr/lib/jvm/.java-7-oracle.jinfo'), verifying package contents integrity with say 'debsums -c name-of-package' (though debsums needs to be installed beforehand unfortunately to trigger post-apt-get hash generation),
1) examination of MAC times ('stat /usr/lib/jvm/*') to see if they are similar or not,
2) running 'file' on the file to find out what it contains and
3) visual inspection using a pager, 'strings', readelf, EXIF tools or whatever else simple, non-modifying(!) tool you use.
*Please note "security" isn't about running Chkrootkit, Rootkit Hunter, OSSEC HIDS or any other single tool but hardening the machine right after OS installation, regularly auditing and adjusting access controls and remaining vigilant ever: in short a continuous process based upon a sound foundation.
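An added triage script, not posted by anyone in this thread, that runs the steps from the post above over each flagged path: package ownership via dpkg -S, MAC times via stat compared against the file's neighbours, and a read-only type check with file(1). It assumes a Debian-style system with dpkg and GNU coreutils and falls back gracefully where dpkg or file are absent.

```shell
#!/bin/sh
# Triage helper for paths that chkrootkit reports as "suspicious files and dirs".
# Assumes dpkg (Debian-style) and GNU coreutils; nothing here modifies the files.

# Step 0: which package owns the path. Prints the package name, "unowned" when
# dpkg knows nothing about it, or "no-dpkg" on systems without dpkg at all.
owner_of() {
    if ! command -v dpkg >/dev/null 2>&1; then
        echo no-dpkg
        return 0
    fi
    pkg=$(dpkg -S "$1" 2>/dev/null | head -n 1 | cut -d: -f1)
    if [ -n "$pkg" ]; then echo "$pkg"; else echo unowned; fi
}

# Step 1: largest mtime difference (seconds) between the path and the other
# entries in its directory, dotfiles included. A hidden file whose mtime sits far
# from its neighbours deserves a closer look; 0 means it matches all of them.
mtime_gap() {
    dir=$(dirname "$1")
    own=$(stat -c %Y "$1")
    max=0
    for f in "$dir"/* "$dir"/.[!.]*; do
        if [ ! -e "$f" ] || [ "$f" = "$1" ]; then continue; fi
        d=$(( $own - $(stat -c %Y "$f") ))
        if [ "$d" -lt 0 ]; then d=$(( -d )); fi
        if [ "$d" -gt "$max" ]; then max=$d; fi
    done
    echo "$max"
}

# Steps 0-2 for every path given on the command line, e.g.
#   sh triage.sh /usr/lib/pymodules/python2.7/.path /usr/lib/jvm/.java-7-oracle.jinfo
triage() {
    for p in "$@"; do
        if [ ! -e "$p" ]; then echo "$p: does not exist"; continue; fi
        printf '%s\n  owner:     %s\n' "$p" "$(owner_of "$p")"
        printf '  MAC times: %s\n' "$(stat -c 'mtime=%y ctime=%z atime=%x' "$p")"
        printf '  mtime gap: %s s from the most distant sibling\n' "$(mtime_gap "$p")"
        if command -v file >/dev/null 2>&1; then
            printf '  type:      %s\n' "$(file -b "$p")"
        fi
    done
}

triage "$@"
```

Follow up on anything reported as "unowned" with step 3 from the post (pager, strings, readelf) before deciding it is a false positive.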
Also please could you advise how to view the following LOG :-
/var/log/rkhunter.log
and
/var/log/chkrootkit.log
You would view that log in your terminal:-
For example:
When I want to look at my sources.list I open the terminal, type in the name of the text editor that I use followed by the path and name of the file I would like to view. I use Nano or Gedit, like this:
Code:
nano /etc/apt/sources.list (press Enter)
There is a variety of text editors and everyone has their own preference.