Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 11-25-2011, 07:18 PM   #1
Tommyy
LQ Newbie
 
Registered: Aug 2011
Posts: 15

Rep: Reputation: Disabled
Chkrootkit found a "sniffer" I think.


Code:
Checking `sniffer'... wlan0: PF_PACKET(/usr/sbin/wpa_supplicant)
I have decided to run Chkrootkit since I haven't run it in a couple of weeks, and that came up. It wasn't there before, though, so I am a bit worried.

Do any of you have any ideas if this is malware or not?
 
Old 11-26-2011, 05:32 AM   #2
War3zWad|0
Member
 
Registered: Sep 2011
Location: Houston, TX
Distribution: openSuSE, Fedora, CentOS, Debian, and others
Posts: 84

Rep: Reputation: Disabled
Quote:
Originally Posted by Tommyy View Post
Code:
Checking `sniffer'... wlan0: PF_PACKET(/usr/sbin/wpa_supplicant)
I have decided to run Chkrootkit since I haven't run it in a couple of weeks, and that came up. It wasn't there before, though, so I am a bit worried.

Do any of you have any ideas if this is malware or not?
Are you sure that file was not there?

The reason I ask is I have that exact file on my openSuSE Laptop with both my KDE and GNOME installs.

If you have a wireless card or have installed a wireless NIC then yeah I am pretty sure you should have that file.

Now the question becomes: have you updated your system between the last time you ran Chkrootkit and now? The next question is a security-minded question... directly after installing your OS, did you create a checksum file of your system files to ensure they have not been modified by some sort of malware or virus?
 
1 members found this post helpful.
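The post above asks whether a checksum baseline of system files was taken right after installation. The following script is an added example (not code from the thread, chkrootkit or rkhunter) of what such a baseline looks like in practice: it records a SHA-256 digest plus mode and ownership for every regular file under a directory, stores the result as JSON, and later reports files that were added, removed or changed. The command-line usage and the JSON store are assumptions for illustration; the comparison logic is the part worth keeping.

```python
"""Build and verify a SHA-256 baseline of files under a directory.

Added example, not from the LinuxQuestions thread. Usage (assumed):
    python3 baseline.py create /usr/sbin baseline.json
    python3 baseline.py verify /usr/sbin baseline.json
"""
import hashlib
import json
import os
import sys


def sha256_bytes(data: bytes) -> str:
    """Return the hex SHA-256 digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Hash a file in 1 MiB chunks so large binaries need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each regular file under root to its digest, mode, uid, gid, mtime.

    Mode and ownership are recorded next to the hash because a tampered
    binary often shows up first as a new setuid bit or a changed owner.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, sockets, device nodes
            st = os.lstat(path)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable file; not fatal for a baseline
            baseline[path] = {
                "sha256": digest,
                "mode": oct(st.st_mode & 0o7777),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "mtime": int(st.st_mtime),
            }
    return baseline


def compare_baselines(old: dict, new: dict) -> dict:
    """Return files added, removed or changed between two baselines.

    A file counts as changed when its hash, mode, uid or gid differs.
    mtime is stored for context but not compared on its own, since a
    package upgrade changes it together with the hash anyway.
    """
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = [
        path for path in sorted(set(old) & set(new))
        if any(old[path][k] != new[path][k] for k in ("sha256", "mode", "uid", "gid"))
    ]
    return {"added": added, "removed": removed, "changed": changed}


def main(argv) -> int:
    """Create a baseline or verify the tree against a stored one."""
    if len(argv) != 4 or argv[1] not in ("create", "verify"):
        print(__doc__, file=sys.stderr)
        return 2
    action, root, store = argv[1:]
    if action == "create":
        with open(store, "w") as fh:
            json.dump(build_baseline(root), fh, indent=1)
        return 0
    with open(store) as fh:
        old = json.load(fh)
    diff = compare_baselines(old, build_baseline(root))
    for kind in ("added", "removed", "changed"):
        for path in diff[kind]:
            print(f"{kind.upper():8} {path}")
    return 1 if any(diff.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The baseline is only as trustworthy as the machine that created it, so it has to be taken before the host goes on the network (as a later post in this thread suggests for rkhunter) and kept on read-only or offline media; a baseline that lives on the same disk can be edited by whatever edited the binaries. After a package update the reported changes should match the files the package manager says it replaced, and nothing else.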
Old 11-26-2011, 10:48 AM   #3
Tommyy
LQ Newbie
 
Registered: Aug 2011
Posts: 15

Original Poster
Rep: Reputation: Disabled
Well I am not sure if it was there before or not. Yeah I have a wireless card. I check for updates on my system everyday. No I didn't create a checksum.
 
Old 11-26-2011, 01:37 PM   #4
War3zWad|0
Member
 
Registered: Sep 2011
Location: Houston, TX
Distribution: openSuSE, Fedora, CentOS, Debian, and others
Posts: 84

Rep: Reputation: Disabled
Quote:
Originally Posted by Tommyy View Post
Well I am not sure if it was there before or not. Yeah I have a wireless card. I check for updates on my system everyday. No I didn't create a checksum.
Well seeing how you have a wireless card installed then yes that file should be there. Now when you first ran chkrootkit did you modify the configuration files for your system? I cannot recall right off hand as I personally use rkhunter and I know it requires modification or "configuration" for the system it is running on. Now wpa_supplicant if I recall correctly is how your WIFI card can handle wpa encrypted networks correctly, but I could be wrong.

The reason I ask about updating your system is if you configured chkrootkit for your system then updated and the wpa_supplicant file changed in any way then it would be seen as a problem by chkrootkit as the file has changed since it first saw the file.

Most likely you don't have a problem but a great test is to "re-install" and see if that file is installed and is the same as it currently is on your system. Outside of that I am thinking you have nothing to worry about but there are many factors to consider.
 
1 members found this post helpful.
Old 11-26-2011, 02:53 PM   #5
Tommyy
LQ Newbie
 
Registered: Aug 2011
Posts: 15

Original Poster
Rep: Reputation: Disabled
Thanks War3zWad|0. That answered a lot of my questions. Also no I didn't configure it for my system and probably should next time before I run it again.
 
Old 11-26-2011, 05:52 PM   #6
aus9
LQ 5k Club
 
Registered: Oct 2003
Location: Western Australia
Distribution: Icewm
Posts: 5,842

Rep: Reputation: Disabled
hi

if you are going to re-install can I suggest you have a package of rootkit hunter downloaded and install it at the same time with no net so you can use its features to check for system file changes?

good luck

http://sourceforge.net/apps/trac/rkh...MPRKH#Contents
 
Old 11-27-2011, 04:47 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Tommyy View Post
Do any of you have any ideas if this is malware or not?
If you don't run Wireless then there exists a probability of a process disguising itself as a process with a seemingly legitimate name. (That would be easy to find out comparing hashes, time stamps, access rights and ownership information with the file from a remote and trusted repo.) OTOH if you do then the PF_PACKET message (see 'man 7 packet') is an indication of either a network sniffer or, more commonly, an application that requires raw sockets like a DHCP client would.

* The deeper meaning behind the PF_PACKET message is to provide a warning as a sniffer does not necessarily need to have the interface enter promiscuous mode (Google for IFF_PROMISC, MR_PACKET_PROMISC). Example: 'ifconfig eth0 promisc && tcpdump -p -i any 2>&1>/dev/null &'. Chkrootkit, having always relied on using 'ifpromisc', doesn't detect what for instance 'ip' (from the iproute package) can and so I manually patch it in since version 0.41. (Come to think of it the reason why you're seeing the likes of /sbin/ip, skdet and unhide in Rootkit Hunter is that I suggested them back then to Nelson, the main Chkrootkit developer, but he wouldn't hear of external dependencies ;-p Come to think of it, has anyone seen an update of Chkrootkit since 2009?..)
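The post above makes two separate points: the "PF_PACKET(...)" line comes from enumerating packet sockets and their owning processes, and a sniffer need not put the interface into promiscuous mode, so a promisc check alone (chkrootkit's ifpromisc) can miss it while the reverse is also true. The script below is an added example, not code from the thread or from chkrootkit, that performs both checks directly from the kernel's own tables: it parses /proc/net/packet, maps each socket inode to a PID and executable through /proc/*/fd, and tests IFF_PROMISC (0x100 in <linux/if.h>) in /sys/class/net/*/flags. The /proc/net/packet sample embedded in it is constructed so the parser can be tested offline; the interface-name lookup via /sys is an assumption about the sysfs layout on current kernels.

```python
"""List PF_PACKET sockets with their owners, and promiscuous interfaces.

Added example for the LinuxQuestions thread; not part of chkrootkit.
Run as root to resolve socket inodes to processes.
"""
import glob
import os
import re

IFF_PROMISC = 0x100                 # <linux/if.h>; set while promiscuous
SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}

# Constructed sample of /proc/net/packet: two packet sockets on ifindex 2.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff88003d1e4000 3      3    0003   2     1 0      0      12345
ffff88003d1e4800 3      2    0003   2     1 0      0      12346
"""


def parse_proc_net_packet(text: str) -> list:
    """Parse /proc/net/packet rows into dicts.

    Proto 0003 is ETH_P_ALL: the socket receives every frame on the
    interface. A DHCP client or wpa_supplicant opens such sockets
    legitimately, which is why the report alone is not a verdict.
    """
    sockets = []
    for line in text.strip().splitlines()[1:]:      # skip header row
        cols = line.split()
        if len(cols) < 9:
            continue
        sockets.append({
            "type": SOCK_TYPES.get(int(cols[2]), cols[2]),
            "proto": int(cols[3], 16),
            "ifindex": int(cols[4]),
            "running": cols[5] == "1",
            "inode": int(cols[8]),
        })
    return sockets


def is_promisc(flags_hex: str) -> bool:
    """True if a /sys/class/net/<if>/flags value (e.g. '0x1103') has IFF_PROMISC."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def socket_owners(inodes: set) -> dict:
    """Map socket inode -> (pid, exe) by reading /proc/*/fd symlinks (live)."""
    owners = {}
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            target = os.readlink(fd)
        except OSError:
            continue                            # process gone or no permission
        m = re.fullmatch(r"socket:\[(\d+)\]", target)
        if m and int(m.group(1)) in inodes:
            pid = int(fd.split("/")[2])
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = "?"
            owners[int(m.group(1))] = (pid, exe)
    return owners


def ifname(ifindex: int) -> str:
    """Resolve an ifindex to a name via /sys/class/net/*/ifindex (live)."""
    for path in glob.glob("/sys/class/net/*/ifindex"):
        try:
            with open(path) as fh:
                if int(fh.read()) == ifindex:
                    return path.split("/")[4]
        except (OSError, ValueError):
            continue
    return f"if{ifindex}"


def main() -> None:
    with open("/proc/net/packet") as fh:
        sockets = parse_proc_net_packet(fh.read())
    owners = socket_owners({s["inode"] for s in sockets})
    for s in sockets:
        pid, exe = owners.get(s["inode"], ("?", "unknown (run as root)"))
        print(f"{ifname(s['ifindex'])}: PF_PACKET {s['type']} "
              f"proto=0x{s['proto']:04x} pid={pid} exe={exe}")
    for path in glob.glob("/sys/class/net/*/flags"):
        with open(path) as fh:
            if is_promisc(fh.read()):
                print(f"{path.split('/')[4]}: IFF_PROMISC set")


if __name__ == "__main__":
    main()
```

Reading the output: a packet socket owned by /usr/sbin/wpa_supplicant or a DHCP client on the wireless interface is the expected case described in the posts above. What merits follow-up is a socket whose owning executable has been deleted, lives in an unusual path, or whose digest, timestamps, permissions and owner do not match the copy the package manager would install (rpm -V on openSuSE/Fedora/CentOS, debsums on Debian), which is the comparison the post recommends.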
 
  

