Old 01-21-2007, 10:11 PM   #1
rdwinders
LQ Newbie
 
Registered: May 2005
Location: Seattle
Distribution: Fedora Core 6
Posts: 26

Rep: Reputation: 15
chkrootkit results


I ran chkrootkit as root for the first time this morning.

It saw eclipse files as suspicious:
/usr/lib/eclipse/plugins/org.eclipse.help.webapp_3.2.1.R321_v20060803/.options
/usr/lib/eclipse/.eclipseextension
/usr/lib/eclipse/configuration/org.eclipse.osgi/.bundledata.1
/usr/lib/eclipse/configuration/org.eclipse.osgi/.manager
/usr/lib/eclipse/configuration/org.eclipse.osgi/.manager/.fileTable.4
/usr/lib/eclipse/configuration/org.eclipse.osgi/.manager/.fileTableLock
/usr/lib/eclipse/configuration/org.eclipse.osgi/.manager/.fileTable.5
/usr/lib/eclipse/configuration/org.eclipse.osgi/.lazy.1
/usr/lib/eclipse/configuration/org.eclipse.osgi/.state.1
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/14/1/.cp
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/7/1/.cp
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/11/1/.cp
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/NKF/.packlist
/usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/DCOP/.packlist
/usr/lib/qt-3.3/etc/settings/.qtrc.lock
/usr/lib/qt-3.3/etc/settings/.kstylerc.lock
/usr/lib/qt-3.3/etc/settings/.qt_plugins_3.3rc.lock
/usr/lib/qt4/examples/graphicsview/portedasteroids/sprites/.pbm
/usr/lib/eclipse/configuration/org.eclipse.osgi/.manager
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/14/1/.cp
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/7/1/.cp
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/11/1/.cp

I hadn't yet done anything so I know why the history file was empty:
Searching for anomalies in shell history files... Warning: `//root/.mysql_history' file size is zero

I have no idea about this `z2' user root thing:
3.Checking `z2'... user root deleted or never logged from lastlog!

All I know about the TTY stuff is that there is always about 6 tty processes listed when I run "pstree" and I was thinking so far that mingetty was a fax program. I never use the computer to fax from:
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 2114 tty1 /sbin/mingetty tty1
! root 2125 tty2 /sbin/mingetty tty2
! root 2129 tty3 /sbin/mingetty tty3
! root 2132 tty4 /sbin/mingetty tty4
! root 2135 tty5 /sbin/mingetty tty5
! root 2220 tty7 /usr/bin/Xorg :0 -audit 0 -auth /var/gdm/:0.Xauth -no

Any thoughts on how to get a clean bill of health with chkrootkit?
 
Old 01-21-2007, 11:44 PM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 123
chkrootkit is not a definite yes-or-no thing, it's just alerting you to things it finds "odd". Assuming you have never logged in as root (i.e., you always use sudo) then I see no problems at all in your report.
 
Old 01-22-2007, 11:58 AM   #3
rdwinders
LQ Newbie
 
Registered: May 2005
Location: Seattle
Distribution: Fedora Core 6
Posts: 26

Original Poster
Rep: Reputation: 15
Well that makes me feel a little better.
I dreamed I was hacked last night.
 
Old 01-22-2007, 12:37 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,335
Blog Entries: 55

Rep: Reputation: 3535
Quote:
Originally Posted by Matir
Assuming you have never logged in as root (i.e., you always use sudo) then I see no problems at all in your report.
In short: Matir is right when he says that, but IMHO it's better to know why, and how to check if you think something looks fishy.

Quote:
Originally Posted by Matir
chkrootkit is not a definite yes-or-no thing, it's just alerting you to things it finds "odd".
Short explanation. Filenames that start with a dot are not listed by default and only show up if you use the "-a" switch of 'ls'. Because of that, these filenames are (still) considered suspicious. If the files are part of a package, it is easiest to verify them using your distro's package manager. If they are not part of a package, you will have to get info with 'stat' to see ownership, access permissions and modification and access times, and with 'file' to get an idea of the contents. If it appears to be text, visual inspection is the easiest way to get a clue; else, if it's data, try to use 'strings'. There are more tools, but I won't handle those here. In any case, if you're unsure it's best to post in the Linux Security forum.


Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !

If the closing line (which you didn't post) says "Nothing deleted", you're OK. Some processes just don't use utmp or won't update utmp until used, like mingetty. If you think a process name is odd, you can use 'lsof' to check who owns it, what files it has opened, what its working directory is, etc. If it doesn't say "Nothing deleted", then your login records may have been tampered with, which should warrant a system audit. If you need a checklist, try for instance the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html.
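The triage unSpawn describes for the "suspicious files and dirs" list (ask the package manager first, fall back to 'stat' and 'file' for anything unowned) can be scripted. The following is an added example and is not code from the thread or from chkrootkit; the function names pkg_owner and triage_path are this example's own, it assumes rpm on Fedora Core (dpkg is handled for Debian/Ubuntu), and it takes the paths to check as arguments so it runs offline against any file list.

```shell
#!/bin/sh
# Added example (not from the thread or from chkrootkit): triage the paths
# chkrootkit lists under "Searching for suspicious files and dirs".
# Step 1: ask the package manager who owns the file (rpm on Fedora Core,
#         dpkg on Debian/Ubuntu); a dotfile shipped by a package is expected.
# Step 2: for anything unpackaged, print owner, mode, timestamps and the
#         file type so it can be inspected by hand (or with 'strings').
# Function names pkg_owner and triage_path are this example's own.

pkg_owner() {
    # Print the package owning $1, or nothing if no package claims it.
    if command -v rpm >/dev/null 2>&1; then
        # rpm prints "file X is not owned by any package" on stdout for
        # unowned files; filter that so the caller only sees a package name.
        rpm -qf "$1" 2>/dev/null | grep -v 'not owned by' || true
    elif command -v dpkg >/dev/null 2>&1; then
        # dpkg -S prints "package: /path"; keep the package name only.
        dpkg -S "$1" 2>/dev/null | cut -d: -f1 || true
    fi
    return 0
}

triage_path() {
    p=$1
    if [ ! -e "$p" ]; then
        # Gone since chkrootkit ran: worth noting, something removed it.
        echo "MISSING $p"
        return 0
    fi
    owner=$(pkg_owner "$p")
    if [ -n "$owner" ]; then
        echo "PACKAGED $p ($owner)"
        return 0
    fi
    echo "UNPACKAGED $p"
    # GNU stat: owner, mode, last modification and last inode change time.
    stat -c '    owner=%U:%G mode=%a mtime=%y ctime=%z' "$p" || true
    if command -v file >/dev/null 2>&1; then
        file -b "$p" | sed 's/^/    type: /'
    fi
    return 0
}

# Usage: sh triage.sh /path/one /path/two ...
# or, from a saved chkrootkit log (paths on one line are split by xargs):
#        grep '^/' chkrootkit.log | xargs sh triage.sh
for p in "$@"; do
    triage_path "$p"
done
```

Anything reported as PACKAGED needs no further attention. An UNPACKAGED entry is where the manual look with 'strings' or a text viewer comes in; a MISSING entry means the file disappeared between the chkrootkit run and the check, which is itself worth understanding.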
 
Old 01-22-2007, 03:10 PM   #5
rdwinders
LQ Newbie
 
Registered: May 2005
Location: Seattle
Distribution: Fedora Core 6
Posts: 26

Original Poster
Rep: Reputation: 15
unSpawn,
Thanks for that. I will definitely post more questions in the Security forum.
Currently, I always get "command not recognized" when I try 'lsof'. It doesn't matter if I run it as a user, su or root. I gather it's not there.
I'll try a locate and if I don't get anything, I'll look for it in the repository.
 