Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have decided to run Chkrootkit, since I hadn't run it in a couple of weeks, and that came up. It wasn't there before, though, so I am a bit worried.
Do any of you have any ideas if this is malware or not?
Are you sure that file was not there?
The reason I ask is that I have that exact file on my openSuSE laptop, with both my KDE and GNOME installs.
If you have a wireless card or have installed a wireless NIC, then yeah, I am pretty sure you should have that file.
Now the question becomes: have you updated your system between the last time you ran Chkrootkit and now? The next question is a security-minded question... directly after installing your OS, did you create a checksum file of your system files to ensure they have not been modified by some sort of malware or virus?
Well, I am not sure if it was there before or not. Yeah, I have a wireless card. I check for updates on my system every day. No, I didn't create a checksum.
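The post-install checksum baseline suggested above, as an added example that is not code from the thread or from chkrootkit/rkhunter. The directory list and the baseline file names are assumptions; it keeps two baselines, SHA-256 of every regular file and the mode/owner/group/size of each, so that a permission or ownership change that leaves the content alone is also caught.

```shell
#!/bin/sh
# Added example, not code from the thread: a post-install integrity baseline.
# BASE_DIRS and the baseline file names are assumptions. Keep the baseline
# files (and a copy of sha256sum itself) somewhere root on this host cannot
# rewrite, such as read-only media or another machine; a rootkit that replaces
# sha256sum or find can otherwise lie to you.

BASE_DIRS="/bin /sbin /usr/bin /usr/sbin /lib /lib64 /usr/lib /usr/lib64 /etc"

# make_baseline DIR... -> "sha256  /path" lines, sorted so later diffs are stable.
make_baseline() {
    find "$@" -xdev -type f -print0 2>/dev/null \
        | LC_ALL=C sort -z \
        | xargs -0 -r sha256sum --
}

# check_baseline FILE -> prints only files whose content changed or vanished;
# exit status 0 if everything still matches, non-zero otherwise.
check_baseline() {
    sha256sum --quiet -c "$1" 2>/dev/null
}

# make_meta_baseline DIR... -> "mode owner group size /path" lines.
make_meta_baseline() {
    find "$@" -xdev -type f -exec stat -c '%a %U %G %s %n' {} + 2>/dev/null \
        | LC_ALL=C sort -k5
}

# check_meta_baseline FILE DIR... -> unified diff of metadata changes
# (e.g. a binary that became setuid), exit 0 if there are none.
check_meta_baseline() {
    meta=$1; shift
    make_meta_baseline "$@" | diff -u "$meta" -
}

# Usage: sh baseline.sh create /mnt/ro/baseline   (right after install)
#        sh baseline.sh check  /mnt/ro/baseline   (later, from trusted tools)
case "$1" in
    create)
        make_baseline $BASE_DIRS > "$2.sha256"
        make_meta_baseline $BASE_DIRS > "$2.meta"
        ;;
    check)
        rc=0
        check_baseline "$2.sha256" || rc=1
        check_meta_baseline "$2.meta" $BASE_DIRS || rc=1
        exit $rc
        ;;
esac
```

Run the check from a rescue system or at least with a known-good sha256sum/find, and remember that a legitimate package update also changes these files, so re-baseline after every update you trust.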
Quote:
Originally Posted by Tommyy
Well, I am not sure if it was there before or not. Yeah, I have a wireless card. I check for updates on my system every day. No, I didn't create a checksum.
Well, seeing how you have a wireless card installed, then yes, that file should be there. Now, when you first ran chkrootkit, did you modify the configuration files for your system? I cannot recall right off hand, as I personally use rkhunter, and I know it requires modification or "configuration" for the system it is running on. Now, wpa_supplicant, if I recall correctly, is how your WiFi card can handle WPA-encrypted networks correctly, but I could be wrong.
The reason I ask about updating your system is that if you configured chkrootkit for your system, then updated, and the wpa_supplicant file changed in any way, then it would be seen as a problem by chkrootkit, as the file has changed since it first saw the file.
Most likely you don't have a problem, but a great test is to "re-install" and see if that file is installed and is the same as it currently is on your system. Outside of that, I am thinking you have nothing to worry about, but there are many factors to consider.
Thanks, War3zWad|0. That answered a lot of my questions. Also, no, I didn't configure it for my system and probably should next time before I run it again.
If you are going to re-install, can I suggest you have a package of Rootkit Hunter downloaded and install it at the same time, with no net, so you can use its features to check for system file changes?
Do any of you have any ideas if this is malware or not?
If you don't run wireless, then there exists a probability of a process disguising itself as a process with a seemingly legitimate name. (That would be easy to find out by comparing hashes, time stamps, access rights and ownership information with the file from a remote and trusted repo.) OTOH, if you do, then the PF_PACKET message (see 'man 7 packet') is an indication of either a network sniffer or, more commonly, an application that requires raw sockets, like a DHCP client would.
* The deeper meaning behind the PF_PACKET message is to provide a warning, as a sniffer does not necessarily need to have the interface enter promiscuous mode (Google for IFF_PROMISC, MR_PACKET_PROMISC). Example: 'ifconfig eth0 promisc && tcpdump -p -i any 2>&1>/dev/null &'. Chkrootkit, having always relied on using 'ifpromisc', doesn't detect what, for instance, 'ip' (from the iproute package) can, and so I have manually patched it in since version 0.41. (Come to think of it, the reason why you're seeing the likes of /sbin/ip, skdet and unhide in Rootkit Hunter is that I suggested them back then to Nelson, the main Chkrootkit developer, but he wouldn't hear of external dependencies ;-p Come to think of it, has anyone seen an update of Chkrootkit since 2009?..)
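The three checks the reply above describes, as an added example that is not code from the thread, from chkrootkit or from rkhunter: compare the flagged binary with what the package manager recorded (rpm on openSUSE, as in the thread; dpkg otherwise), read IFF_PROMISC straight from /sys/class/net instead of trusting ifconfig, and list which processes hold PF_PACKET sockets, which covers the sniffer that never puts the interface into promiscuous mode. The target path and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes Linux with /proc and /sys,
# and rpm or dpkg for the package check. TARGET is an assumption; pass the
# path chkrootkit complained about as the first argument.

TARGET=${1:-/usr/sbin/wpa_supplicant}
IFF_PROMISC=256      # 0x100 in <linux/if.h>

# flags_promisc HEXFLAGS -> exit 0 if IFF_PROMISC is set in a flags word such
# as "0x1103" (the content of /sys/class/net/IFACE/flags), 1 otherwise.
flags_promisc() {
    [ $(( $1 & IFF_PROMISC )) -ne 0 ]
}

# Print the name of every interface whose flags word has IFF_PROMISC set.
# This reads the same bit the kernel exposes to 'ip link', not ifconfig output.
promisc_ifaces() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        if flags_promisc "$(cat "$f")"; then
            basename "$(dirname "$f")"
        fi
    done
}

# Read /proc/net/packet text on stdin and print the inode of every PF_PACKET
# socket. Column 9 is the inode; the first line is the column header.
packet_socket_inodes() {
    awk 'NR > 1 && NF >= 9 { print $9 }'
}

# Map socket inodes (one per line on stdin) to "pid comm" of the holders by
# walking /proc/PID/fd symlinks, which is what 'ss -p' and lsof do as well.
packet_socket_owners() {
    while read -r ino; do
        for fd in /proc/[0-9]*/fd/*; do
            [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$ino]" ] || continue
            pid=${fd#/proc/}; pid=${pid%%/*}
            printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        done
    done | sort -u
}

# Verify PATH against the package manager's recorded metadata. 'rpm -Vf'
# prints nothing and exits 0 when size, mode, owner, digest and mtime all
# match; 'dpkg --verify' does the same for the package's md5sums. Exit 2 if
# neither tool is present, so the caller can tell "unchecked" from "changed".
verify_package_file() {
    path=$1
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vf "$path"
    elif command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$path" 2>/dev/null | cut -d: -f1) || return 1
        [ -n "$pkg" ] || return 1
        dpkg --verify "$pkg"
    else
        return 2
    fi
}

main() {
    printf '== %s ==\n' "$TARGET"
    stat -c '%A %U:%G %s bytes, mtime %y' "$TARGET"
    verify_package_file "$TARGET" && echo "package metadata: unchanged"
    echo "== interfaces in promiscuous mode =="
    promisc_ifaces
    echo "== processes holding PF_PACKET sockets =="
    packet_socket_inodes < /proc/net/packet | packet_socket_owners
}

# Run the live checks only when executed as sniffcheck.sh, not when sourced.
case "$0" in
    */sniffcheck.sh|sniffcheck.sh) main ;;
esac
```

A DHCP client, wpa_supplicant and dhcpcd-style tools legitimately show up in the PF_PACKET list, which is the point the reply makes; what matters is whether the holder is a process and binary you can account for. A root-level rootkit can hide its process from /proc, so run the same listing from a rescue system if the package check fails.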