LKM Trojan and "suspicious activity" in /tmp/firstbootX.log, says Rootkit Hunter
FC10, 2.6.27-5 kernel. I noticed some unusual activity on my hard drive and ran chkrootkit (0.48), which said I might have the lkm trojan. It also said that the firstbootX.log in /tmp showed signs of suspicious activity, giving it a score of 274 (?) where standard cut-off is 200. I am now running some more tests on the disk, since I know that chkrootkit can give false positives, but the note about the /tmp/firstbootX.log raises my hackles.
Anyway, before I reread CERT guides, wipe and reformat the hard disc and start all over, I want to check the firstbootX.log and also understand what happened and how. I don't know enough about the matter to see what the suspicious activity is, so I ask you: What in the following would give cause for alarm?
Code:
Begin
----------------------------------------------------------
X.Org X Server 1.5.3
Release Date: 5 November 2008
X Protocol Version 11, Revision 0
Build Operating System: Linux 2.6.18-92.1.10.el5 i686
Current Operating System: Linux localhost.localdomain 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686
Build Date: 16 November 2008 08:29:02PM
Build ID: xorg-x11-server 1.5.3-5.fc10
Before reporting problems, check http://wiki.x.org
to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(++) Log file: "/tmp/firstbootX.log", Time: Tue Mar 24 19:01:13 2009
(EE) Unable to locate/open config file
(II) Loader magic: 0x81f4400
(II) Module ABI versions:
X.Org ANSI C Emulation: 0.4
X.Org Video Driver: 4.1
X.Org XInput driver : 2.1
X.Org Server Extension : 1.1
X.Org Font Renderer : 0.6
(II) Loader running on linux
(++) using VT number 6
(--) PCI:*(0@1:0:0) Silicon Integrated Systems [SiS] 65x/M650/740 PCI/AGP VGA Display Adapter rev 0, Mem @ 0xd0000000/0, 0xdfee0000/0, I/O @ 0x0000bc00/0
(==) Matched sis for the autoconfigured driver
New driver is "sis"
(==) Using default built-in configuration (30 lines)
(==) --- Start of built-in configuration ---
Section "Device"
Identifier "Builtin Default sis Device 0"
Driver "sis"
EndSection
<SIMILAR MATERIAL EDITED FOR LENGTH>
Section "ServerLayout"
Identifier "Builtin Default Layout"
Screen "Builtin Default sis Screen 0"
Screen "Builtin Default fbdev Screen 0"
Screen "Builtin Default vesa Screen 0"
EndSection
(==) --- End of built-in configuration ---
(==) ServerLayout "Builtin Default Layout"
(**) |-->Screen "Builtin Default sis Screen 0" (0)
(**) | |-->Monitor "<default monitor>"
(**) | |-->Device "Builtin Default sis Device 0"
(==) No monitor specified for screen "Builtin Default sis Screen 0".
Using a default monitor configuration.
(**) |-->Screen "Builtin Default fbdev Screen 0" (1)
(**) | |-->Monitor "<default monitor>"
(**) | |-->Device "Builtin Default fbdev Device 0"
(==) No monitor specified for screen "Builtin Default fbdev Screen 0".
Using a default monitor configuration.
(**) |-->Screen "Builtin Default vesa Screen 0" (2)
(**) | |-->Monitor "<default monitor>"
(**) | |-->Device "Builtin Default vesa Device 0"
(==) No monitor specified for screen "Builtin Default vesa Screen 0".
Using a default monitor configuration.
(==) Automatically adding devices
(==) Automatically enabling devices
(==) No FontPath specified. Using compiled-in default.
(==) FontPath set to:
catalogue:/etc/X11/fontpath.d,
built-ins
(==) ModulePath set to "/usr/lib/xorg/modules"
(II) Cannot locate a core pointer device.
(II) Cannot locate a core keyboard device.
(II) The server relies on HAL to provide the list of input devices.
If no devices become available, reconfigure HAL or disable AllowEmptyInput.
(II) Open ACPI successful (/var/run/acpid.socket)
(II) System resource ranges:
[0] -1 0 0xffffffff - 0xffffffff (0x1) MX[B]
[1] -1 0 0x000f0000 - 0x000fffff (0x10000) MX[B]
[2] -1 0 0x000c0000 - 0x000effff (0x30000) MX[B]
[3] -1 0 0x00000000 - 0x0009ffff (0xa0000) MX[B]
[4] -1 0 0x0000ffff - 0x0000ffff (0x1) IX[B]
[5] -1 0 0x00000000 - 0x00000000 (0x1) IX[B]
(II) LoadModule: "extmod"
(II) Loading /usr/lib/xorg/modules/extensions//libextmod.so
(II) Module extmod: vendor="X.Org Foundation"
compiled for 1.5.3, module version = 1.0.0
Module class: X.Org Server Extension
ABI class: X.Org Server Extension, version 1.1
(II) Loading extension SELinux
(II) Loading extension SHAPE
(II) Loading extension MIT-SUNDRY-NONSTANDARD
(II) Loading extension BIG-REQUESTS
(II) Loading extension SYNC
(II) Loading extension MIT-SCREEN-SAVER
(II) Loading extension XC-MISC
(II) Loading extension XFree86-VidModeExtension
(II) Loading extension XFree86-Misc
(II) Loading extension XFree86-DGA
(II) Loading extension DPMS
(II) Loading extension TOG-CUP
(II) Loading extension Extended-Visual-Information
(II) Loading extension XVideo
(II) Loading extension XVideo-MotionCompensation
(II) Loading extension X-Resource
(II) LoadModule: "dbe"
(II) Loading /usr/lib/xorg/modules/extensions//libdbe.so
(II) Module dbe: vendor="X.Org Foundation"
compiled for 1.5.3, module version = 1.0.0
Module class: X.Org Server Extension
ABI class: X.Org Server Extension, version 1.1
(II) Loading extension DOUBLE-BUFFER
(II) LoadModule: "glx"
(II) Loading /usr/lib/xorg/modules/extensions//libglx.so
(II) Module glx: vendor="X.Org Foundation"
compiled for 1.5.3, module version = 1.0.0
ABI class: X.Org Server Extension, version 1.1
(==) AIGLX enabled
(==) Exporting typical set of GLX visuals
(II) Loading extension GLX
(II) LoadModule: "freetype"
(II) Loading /usr/lib/xorg/modules/fonts//libfreetype.so
(II) Module freetype: vendor="X.Org Foundation & the After X-TT Project"
compiled for 1.5.3, module version = 2.1.0
Module class: X.Org Font Renderer
ABI class: X.Org Font Renderer, version 0.6
(II) Loading font FreeType
(II) LoadModule: "dri"
(II) Loading /usr/lib/xorg/modules/extensions//libdri.so
(II) Module dri: vendor="X.Org Foundation"
compiled for 1.5.3, module version = 1.0.0
ABI class: X.Org Server Extension, version 1.1
(II) Loading extension XFree86-DRI
(II) LoadModule: "sis"
(II) Loading /usr/lib/xorg/modules/drivers//sis_drv.so
(II) Module sis: vendor="X.Org Foundation"
compiled for 1.4.99.901, module version = 0.10.0
Module class: X.Org Video Driver
ABI class: X.Org Video Driver, version 4.0
(II) LoadModule: "fbdev"
(II) Loading /usr/lib/xorg/modules/drivers//fbdev_drv.so
(II) Module fbdev: vendor="X.Org Foundation"
compiled for 1.4.99.2, module version = 0.3.1
ABI class: X.Org Video Driver, version 4.0
(II) LoadModule: "vesa"
(II) Loading /usr/lib/xorg/modules/drivers//vesa_drv.so
(II) Module vesa: vendor="X.Org Foundation"
compiled for 1.4.99.905, module version = 1.3.0
Module class: X.Org Video Driver
ABI class: X.Org Video Driver, version 4.1
(II) SIS: driver for SiS chipsets: SIS5597/5598, SIS530/620,
SIS6326/AGP/DVD, SIS300/305, SIS630/730, SIS540, SIS315, SIS315H,
SIS315PRO/E, SIS550, SIS650/M650/651/740, SIS330(Xabre),
SIS660/[M]661[F|M]X/[M]670/[M]741[GX]/[M]760[GX]/[M]761[GX]/[M]770[GX],
SIS340
(II) SIS: driver for XGI chipsets: Volari Z7 (XG20),
Volari V3XT/V5/V8/Duo (XG40)
(II) FBDEV: driver for framebuffer: fbdev
(II) VESA: driver for VESA chipsets: vesa
(II) Primary Device is: PCI 01@00:00:0
(WW) Falling back to old probe method for sis
(WW) SIS: No matching Device section for instance (BusID PCI:0@0:0:0) found
(WW) SIS: No matching Device section for instance (BusID PCI:0@0:1:0) found
(WW) SIS: No matching Device section for instance (BusID PCI:0@0:2:0) found
(WW) SIS: No matching Device section for instance (BusID PCI:0@0:2:1) found
(WW) SIS: No matching Device section for instance (BusID PCI:0@0:2:5) found
(WW) SIS: No matching Device section for instance (BusID PCI:0@0:2:7) found
(WW) SIS: No matching Device section for instance (BusID PCI:0@0:3:0) found
(WW) SIS: No matching Device section for instance (BusID PCI:0@0:3:1) found
(WW) SIS: No matching Device section for instance (BusID PCI:0@0:3:3) found
(WW) SIS: No matching Device section for instance (BusID PCI:0@0:4:0) found
(--) Assigning device section with no busID to primary device
(--) Chipset SIS650/M650/651/740 found
(II) resource ranges after xf86ClaimFixedResources() call:
[0] -1 0 0xffffffff - 0xffffffff (0x1) MX[B]
[1] -1 0 0x000f0000 - 0x000fffff (0x10000) MX[B]
[2] -1 0 0x000c0000 - 0x000effff (0x30000) MX[B]
[3] -1 0 0x00000000 - 0x0009ffff (0xa0000) MX[B]
[4] -1 0 0x0000ffff - 0x0000ffff (0x1) IX[B]
[5] -1 0 0x00000000 - 0x00000000 (0x1) IX[B]
(WW) Falling back to old probe method for fbdev
(II) Loading sub module "fbdevhw"
(II) LoadModule: "fbdevhw"
(II) Loading /usr/lib/xorg/modules/linux//libfbdevhw.so
(II) Module fbdevhw: vendor="X.Org Foundation"
compiled for 1.5.3, module version = 0.0.2
ABI class: X.Org Video Driver, version 4.1
(EE) open /dev/fb0: No such file or directory
(WW) Falling back to old probe method for vesa
(II) resource ranges after probing:
[0] -1 0 0xffffffff - 0xffffffff (0x1) MX[B]
[1] -1 0 0x000f0000 - 0x000fffff (0x10000) MX[B]
[2] -1 0 0x000c0000 - 0x000effff (0x30000) MX[B]
[3] -1 0 0x00000000 - 0x0009ffff (0xa0000) MX[B]
[4] 0 0 0x000a0000 - 0x000affff (0x10000) MS[B]
[5] 0 0 0x000b0000 - 0x000b7fff (0x8000) MS[B]
[6] 0 0 0x000b8000 - 0x000bffff (0x8000) MS[B]
[7] -1 0 0x0000ffff - 0x0000ffff (0x1) IX[B]
[8] -1 0 0x00000000 - 0x00000000 (0x1) IX[B]
[9] 0 0 0x000003b0 - 0x000003bb (0xc) IS[B]
[10] 0 0 0x000003c0 - 0x000003df (0x20) IS[B]
(II) Setting vga for screen 0.
(II) SIS(0): SiS driver (2005/09/20-1, compiled for X.org 1.4.99.901)
(II) SIS(0): Copyright (C) 2001-2005 Thomas Winischhofer <thomas@winischhofer.net> and others
(II) SIS(0): *** See http://www.winischhofer.at/linuxsisvga.shtml
(II) SIS(0): *** for documentation and updates.
(--) SIS(0): sisfb not found
(--) SIS(0): Relocated I/O registers at 0xBC00
(II) Loading sub module "ramdac"
(II) LoadModule: "ramdac"
(II) Module "ramdac" already built-in
(II) SIS(0): Creating default Display subsection in Screen section
"Builtin Default sis Screen 0" for depth/fbbpp 24/32
(==) SIS(0): Depth 24, (==) framebuffer bpp 32
(==) SIS(0): RGB weight 888
(==) SIS(0): Default visual is TrueColor
(WW) SIS(0): Could not find/read video BIOS
(==) SIS(0): Using XAA acceleration architecture
(==) SIS(0): Using HW cursor
(==) SIS(0): Color HW cursor is enabled
(II) SIS(0): Using VRAM command queue, size 512k
(==) SIS(0): Hotkey display switching is enabled
(II) SIS(0): WARNING: Using the Hotkey might freeze your machine, regardless
(II) SIS(0): whether enabled or disabled. This is no driver bug.
(==) SIS(0): SiSCtrl utility interface is disabled
(II) SIS(0): For information on SiSCtrl, see
http://www.winischhofer.at/linuxsispart1.shtml#sisctrl
(==) SIS(0): DRI disabled
(II) SIS(0): Checking OS for SSE support is not supported in this version of X.org
(II) SIS(0): If your OS supports SSE, set the option "UseSSE" to "on".
(--) SIS(0): DIMM0 is DDR SDRAM
(--) SIS(0): DIMM1 is DDR SDRAM
(--) SIS(0): DIMM2 is not installed
(--) SIS(0): DIMM3 is not installed
(--) SIS(0): DRAM type: DDR SDRAM
(--) SIS(0): Memory clock: 267.268 MHz
(--) SIS(0): DRAM bus width: 64 bit
(--) SIS(0): Linear framebuffer at 0xD0000000
(--) SIS(0): MMIO registers at 0xDFEE0000 (size 64K)
(--) SIS(0): VideoRAM: 32768 KB
(II) SIS(0): Using 32192K of framebuffer memory at offset 0K
(--) SIS(0): SiS650 revision ID 50 (650 A2 CA)
(--) SIS(0): Hardware supports one video overlay
(==) SIS(0): Using gamma correction (1.0, 1.0, 1.0)
(II) SIS(0): Gamma correction is enabled
(II) SIS(0): Separate Xv gamma correction is disabled
(--) SIS(0): Using Xv overlay by default on CRT1
(--) SIS(0): Memory bandwidth at 32 bpp is 534.536 MHz
(II) Loading sub module "ddc"
(II) LoadModule: "ddc"
(II) Module "ddc" already built-in
(--) SIS(0): CRT1 DDC supported
(--) SIS(0): CRT1 DDC level: 2
(--) SIS(0): CRT1 DDC monitor info: *******************************************
< MONITOR INFORMATION EDITED FOR LENGTH>
(==) SIS(0): Min pixel clock is 10 MHz
(--) SIS(0): Max pixel clock is 340 MHz
(II) SIS(0): Replaced default mode list with built-in modes
(II) SIS(0): Using fake widescreen modes for CRT1 VGA devices
(II) SIS(0): Use option "ForceCRT1VGAAspect" to overrule
(II) SIS(0): "Unknown reason" in the following list means that the mode
(**) SIS(0): Display dimensions: (330, 240) mm
(**) SIS(0): DPI set to (98, 101)
(II) Loading sub module "fb"
(II) LoadModule: "fb"
(II) Loading /usr/lib/xorg/modules//libfb.so
(II) Module fb: vendor="X.Org Foundation"
compiled for 1.5.3, module version = 1.0.0
ABI class: X.Org ANSI C Emulation, version 0.4
(II) Loading sub module "xaa"
(II) LoadModule: "xaa"
(II) Loading /usr/lib/xorg/modules//libxaa.so
(II) Module xaa: vendor="X.Org Foundation"
compiled for 1.5.3, module version = 1.2.0
ABI class: X.Org Video Driver, version 4.1
(II) SIS(0): 2D acceleration enabled
(II) UnloadModule: "fbdev"
(II) Unloading /usr/lib/xorg/modules/drivers//fbdev_drv.so
(II) UnloadModule: "fbdevhw"
(II) Unloading /usr/lib/xorg/modules/linux//libfbdevhw.so
(II) UnloadModule: "vesa"
(II) Unloading /usr/lib/xorg/modules/drivers//vesa_drv.so
(--) Depth 24 pixmap format is 32 bpp
(II) do I need RAC? No, I don't.
(II) resource ranges after preInit:
[0] -1 0 0xffffffff - 0xffffffff (0x1) MX[B]
[1] -1 0 0x000f0000 - 0x000fffff (0x10000) MX[B]
[2] -1 0 0x000c0000 - 0x000effff (0x30000) MX[B]
[3] -1 0 0x00000000 - 0x0009ffff (0xa0000) MX[B]
[4] 0 0 0x000a0000 - 0x000affff (0x10000) MS[B](OprU)
[5] 0 0 0x000b0000 - 0x000b7fff (0x8000) MS[B](OprU)
[6] 0 0 0x000b8000 - 0x000bffff (0x8000) MS[B](OprU)
[7] -1 0 0x0000ffff - 0x0000ffff (0x1) IX[B]
[8] -1 0 0x00000000 - 0x00000000 (0x1) IX[B]
[9] 0 0 0x000003b0 - 0x000003bb (0xc) IS[B](OprU)
[10] 0 0 0x000003c0 - 0x000003df (0x20) IS[B](OprU)
(II) Loading sub module "vbe"
(II) LoadModule: "vbe"
(II) Loading /usr/lib/xorg/modules//libvbe.so
(II) Module vbe: vendor="X.Org Foundation"
compiled for 1.5.3, module version = 1.1.0
ABI class: X.Org Video Driver, version 4.1
(II) Loading sub module "int10"
(II) LoadModule: "int10"
(II) Loading /usr/lib/xorg/modules//libint10.so
(II) Module int10: vendor="X.Org Foundation"
compiled for 1.5.3, module version = 1.0.0
ABI class: X.Org Video Driver, version 4.1
(II) SIS(0): initializing int10
(II) SIS(0): Primary V_BIOS segment is: 0xc000
(II) SIS(0): VESA BIOS detected
(II) SIS(0): VESA VBE Version 3.0
(II) SIS(0): VESA VBE Total Mem: 32768 kB
(II) SIS(0): VESA VBE OEM: SiS
(II) SIS(0): VESA VBE OEM Software Rev: 1.0
(II) SIS(0): VESA VBE OEM Vendor: Silicon Integrated Systems Corp.
(II) SIS(0): VESA VBE OEM Product: 6325
(II) SIS(0): VESA VBE OEM Product Rev: 1.05.00
(II) SIS(0): Setting custom mode 1280x960 on CRT1
(II) SIS(0): Setting custom mode 1280x960 on CRT2
(II) SIS(0): RENDER acceleration enabled
(II) SIS(0): Framebuffer from (0,0) to (1279,6436)
(II) SIS(0): Using XFree86 Acceleration Architecture (XAA)
Screen to screen bit blits
Solid filled rectangles
8x8 mono pattern filled rectangles
8x8 color pattern filled rectangles
Solid Lines
Dashed Lines
Setting up tile and stipple cache:
32 128x128 slots
32 256x256 slots
16 512x512 slots
32 8x8 color pattern slots
(--) SIS(0): CPU frequency 2390.29Mhz
(II) SIS(0): Benchmarking system RAM to video RAM memory transfer methods:
(--) SIS(0): Checked libc memcpy()... 430.3 MiB/s
(--) SIS(0): Checked built-in-1 memcpy()... 433.1 MiB/s
(--) SIS(0): Checked built-in-2 memcpy()... 68.8 MiB/s
(--) SIS(0): Checked MMX memcpy()... 437.1 MiB/s
(--) SIS(0): Checked MMX2 memcpy()... 532.6 MiB/s
(--) SIS(0): Using MMX2 method for aligned data transfers to video RAM
(--) SIS(0): Using MMX2 method for unaligned data transfers to video RAM
(==) SIS(0): Backing store disabled
(==) SIS(0): Silken mouse enabled
(II) SIS(0): DPMS enabled
(II) SIS(0): Using SiS300/315/330/340 series HW Xv by default on CRT1
(II) SIS(0): Initialized SISCTRL extension version 0.1
(II) SIS(0): Registered screen 0 with SISCTRL extension version 0.1
(==) RandR enabled
(II) Initializing built-in extension MIT-SHM
(II) Initializing built-in extension XInputExtension
(II) Initializing built-in extension XTEST
(II) Initializing built-in extension XKEYBOARD
(II) Initializing built-in extension XINERAMA
(II) Initializing built-in extension XFIXES
(II) Initializing built-in extension RENDER
(II) Initializing built-in extension RANDR
(II) Initializing built-in extension COMPOSITE
(II) Initializing built-in extension DAMAGE
(II) Initializing built-in extension XEVIE
(II) AIGLX: Screen 0 is not DRI capable
(II) AIGLX: Loaded and initialized /usr/lib/dri/swrast_dri.so
(II) GLX: Initialized DRISWRAST GL provider for screen 0
(II) config/hal: Adding input device AT Translated Set 2 keyboard
(II) LoadModule: "evdev"
(II) Loading /usr/lib/xorg/modules/input//evdev_drv.so
(II) Module evdev: vendor="X.Org Foundation"
compiled for 1.5.2, module version = 2.0.7
Module class: X.Org XInput Driver
ABI class: X.Org XInput driver, version 2.1
(**) AT Translated Set 2 keyboard: always reports core events
(**) AT Translated Set 2 keyboard: Device: "/dev/input/event4"
(II) AT Translated Set 2 keyboard: Found keys
(II) AT Translated Set 2 keyboard: Configuring as keyboard
(II) XINPUT: Adding extended input device "AT Translated Set 2 keyboard" (type: KEYBOARD)
(**) Option "xkb_rules" "evdev"
(**) AT Translated Set 2 keyboard: xkb_rules: "evdev"
(**) Option "xkb_model" "pc105+inet"
(**) AT Translated Set 2 keyboard: xkb_model: "pc105+inet"
(**) Option "xkb_layout" "us"
(**) AT Translated Set 2 keyboard: xkb_layout: "us"
(II) config/hal: Adding input device Power Button (CM)
(**) Power Button (CM): always reports core events
(**) Power Button (CM): Device: "/dev/input/event1"
(II) Power Button (CM): Found keys
(II) Power Button (CM): Configuring as keyboard
(II) XINPUT: Adding extended input device "Power Button (CM)" (type: KEYBOARD)
(**) Option "xkb_rules" "evdev"
(**) Power Button (CM): xkb_rules: "evdev"
(**) Option "xkb_model" "pc105+inet"
(**) Power Button (CM): xkb_model: "pc105+inet"
(**) Option "xkb_layout" "us"
(**) Power Button (CM): xkb_layout: "us"
(II) config/hal: Adding input device Power Button (FF)
(**) Power Button (FF): always reports core events
(**) Power Button (FF): Device: "/dev/input/event0"
(II) Power Button (FF): Found keys
(II) Power Button (FF): Configuring as keyboard
(II) XINPUT: Adding extended input device "Power Button (FF)" (type: KEYBOARD)
(**) Option "xkb_rules" "evdev"
(**) Power Button (FF): xkb_rules: "evdev"
(**) Option "xkb_model" "pc105+inet"
(**) Power Button (FF): xkb_model: "pc105+inet"
(**) Option "xkb_layout" "us"
(**) Power Button (FF): xkb_layout: "us"
(II) config/hal: Adding input device Sleep Button (CM)
(**) Sleep Button (CM): always reports core events
(**) Sleep Button (CM): Device: "/dev/input/event2"
(II) Sleep Button (CM): Found keys
(II) Sleep Button (CM): Configuring as keyboard
(II) XINPUT: Adding extended input device "Sleep Button (CM)" (type: KEYBOARD)
(**) Option "xkb_rules" "evdev"
(**) Sleep Button (CM): xkb_rules: "evdev"
(**) Option "xkb_model" "pc105+inet"
(**) Sleep Button (CM): xkb_model: "pc105+inet"
(**) Option "xkb_layout" "us"
(**) Sleep Button (CM): xkb_layout: "us"
(II) config/hal: Adding input device HID 0a5c:4502
(**) HID 0a5c:4502: always reports core events
(**) HID 0a5c:4502: Device: "/dev/input/event6"
(II) HID 0a5c:4502: Found keys
(II) HID 0a5c:4502: Configuring as keyboard
(II) XINPUT: Adding extended input device "HID 0a5c:4502" (type: KEYBOARD)
(**) Option "xkb_rules" "evdev"
(**) HID 0a5c:4502: xkb_rules: "evdev"
(**) Option "xkb_model" "pc105+inet"
(**) HID 0a5c:4502: xkb_model: "pc105+inet"
(**) Option "xkb_layout" "us"
(**) HID 0a5c:4502: xkb_layout: "us"
(II) config/hal: Adding input device ImPS/2 Generic Wheel Mouse
(**) ImPS/2 Generic Wheel Mouse: always reports core events
(**) ImPS/2 Generic Wheel Mouse: Device: "/dev/input/event5"
(II) ImPS/2 Generic Wheel Mouse: Found x and y relative axes
(II) ImPS/2 Generic Wheel Mouse: Found mouse buttons
(II) ImPS/2 Generic Wheel Mouse: Configuring as mouse
(II) XINPUT: Adding extended input device "ImPS/2 Generic Wheel Mouse" (type: MOUSE)
(II) config/hal: Adding input device Macintosh mouse button emulation
(**) Macintosh mouse button emulation: always reports core events
(**) Macintosh mouse button emulation: Device: "/dev/input/event3"
(II) Macintosh mouse button emulation: Found x and y relative axes
(II) Macintosh mouse button emulation: Found mouse buttons
(II) Macintosh mouse button emulation: Configuring as mouse
(II) XINPUT: Adding extended input device "Macintosh mouse button emulation" (type: MOUSE)
(II) config/hal: Adding input device HID 0a5c:4503
(**) HID 0a5c:4503: always reports core events
(**) HID 0a5c:4503: Device: "/dev/input/event7"
(II) HID 0a5c:4503: Found x and y relative axes
(II) HID 0a5c:4503: Found mouse buttons
(II) HID 0a5c:4503: Configuring as mouse
(II) XINPUT: Adding extended input device "HID 0a5c:4503" (type: MOUSE)
(II) AT Translated Set 2 keyboard: Close
(II) UnloadModule: "evdev"
(II) Power Button (CM): Close
(II) UnloadModule: "evdev"
(II) Power Button (FF): Close
(II) UnloadModule: "evdev"
(II) Sleep Button (CM): Close
(II) UnloadModule: "evdev"
(II) HID 0a5c:4502: Close
(II) UnloadModule: "evdev"
(II) ImPS/2 Generic Wheel Mouse: Close
(II) UnloadModule: "evdev"
(II) Macintosh mouse button emulation: Close
(II) UnloadModule: "evdev"
(II) HID 0a5c:4503: Close
(II) UnloadModule: "evdev"
(II) SIS(0): Restoring by setting old mode 0x03
(WW) SIS(0): xf86UnMapVidMem: cannot find region for [0xb7ddd000,0x10000]
(WW) SIS(0): xf86UnMapVidMem: cannot find region for [0xb5ddd000,0x2000000]
Last edited by unSpawn; 04-05-2009 at 11:23 AM.
Reason: //moderator.note: logs between BB code tags for easier reading.
It's just plain "F", no longer "FC" just like it is "Rootkit Hunter" and not "chkrootkit" you've been running. Like the RKH code:
Code:
suspscan() {
#
# Purpose: scan directory for files with suspicious contents
# suspscan hogs CPU and I/O. It should NOT BE ENABLED BY DEFAULT!
# Args: directoryname(s) from rkhunter.conf
and config:
Code:
# Scan for suspicious files in directories containing temporary files and
# directories posing a relatively higher risk due to user write access.
# Please do not enable by default as suspscan is CPU and I/O intensive and prone to
# producing false positives. Do review all settings before usage.
say, the "suspscan" part of RKH should not be enabled unless you know what you're doing. After all it is just a kludge. Your file is a logfile. It is not read, only written to. It does not contain commands or code to execute. This is a false positive. If you 'stat' the file you should see it is owned by root user and group and has MAC times approximating your system's first bootup time.
BTW: you didn't post no LKM warning log output. Maybe you should.
BTW[1]: I've edited your thread title to reflect the tool in question.
BTW[2]: I've also edited your post. Putting large amounts of text in BB code text enhances readability.
Last edited by unSpawn; 04-05-2009 at 11:25 AM.
Reason: clarity+
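The check unSpawn describes (stat the flagged file, confirm root ownership, compare its MAC times against first boot, and remember that a log is written, never executed) can be done in one read-only pass. The script below is an added example for this thread, not rkhunter's own code: it collects ownership, mode, timestamps and a look at the file's first bytes (ELF magic, printable ratio, the "X.Org X Server" banner), and turns them into a triage call. The sample log content and the temp file path are constructed here so it runs offline; on a real box you would point assess_flagged_file() at /tmp/firstbootX.log and pass the first boot time as reference_time.

```python
import os
import stat
import string
import tempfile
import time

# Constructed excerpt of what an X.Org server log begins with; it stands in
# for /tmp/firstbootX.log so the example runs without the real file.
SAMPLE_XORG_LOG = b"""X.Org X Server 1.5.3
Release Date: 5 November 2008
X Protocol Version 11, Revision 0
(++) Log file: "/tmp/firstbootX.log", Time: Tue Mar 24 19:01:13 2009
(EE) Unable to locate/open config file
(II) Loader magic: 0x81f4400
"""

XORG_BANNER = b"X.Org X Server"
ELF_MAGIC = b"\x7fELF"
PRINTABLE = frozenset(string.printable.encode("ascii"))


def assess_flagged_file(path, reference_time=None, window_seconds=3600):
    """Gather the facts a reviewer wants about a file a scanner flagged.

    Read-only: it stats the file and reads at most 64 KiB of it.
    reference_time is an optional epoch timestamp (e.g. first boot) that the
    modify/change times are compared against, within window_seconds.
    """
    st = os.lstat(path)
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024)
    printable_ratio = (sum(b in PRINTABLE for b in head) / len(head)) if head else 1.0
    result = {
        "owner_uid": st.st_uid,
        "owner_gid": st.st_gid,
        "owned_by_root": st.st_uid == 0 and st.st_gid == 0,
        "is_regular_file": stat.S_ISREG(st.st_mode),
        "world_writable": bool(st.st_mode & stat.S_IWOTH),
        "executable": bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)),
        "has_elf_magic": head.startswith(ELF_MAGIC),
        "printable_ratio": printable_ratio,
        "looks_like_xorg_log": XORG_BANNER in head[:4096],
        "mtime": st.st_mtime,
        "ctime": st.st_ctime,
        "atime": st.st_atime,
    }
    if reference_time is not None:
        result["mac_times_near_reference"] = all(
            abs(t - reference_time) <= window_seconds for t in (st.st_mtime, st.st_ctime)
        )
    return result


def verdict(result):
    """Turn the collected facts into a short triage call (a heuristic, not proof)."""
    if result["has_elf_magic"] or result["executable"] or not result["is_regular_file"]:
        return "needs a closer look: executable content or odd file type"
    if result["printable_ratio"] < 0.95:
        return "needs a closer look: mostly non-text content"
    if result["world_writable"]:
        return "needs a closer look: world-writable"
    if result["looks_like_xorg_log"]:
        return "plausible X.Org log file"
    return "plain text, but not recognisably an X.Org log"


def demo():
    """Write the constructed sample to a temp file, assess it, then remove it."""
    fd, path = tempfile.mkstemp(suffix=".log")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(SAMPLE_XORG_LOG)
        os.chmod(path, 0o644)
        # The file was just written, so "now" plays the role of first boot time.
        return assess_flagged_file(path, reference_time=time.time())
    finally:
        os.unlink(path)


if __name__ == "__main__":
    r = demo()
    for key in ("owner_uid", "owned_by_root", "executable", "has_elf_magic",
                "printable_ratio", "looks_like_xorg_log", "mac_times_near_reference"):
        print(f"{key:26} {r[key]}")
    print(verdict(r))
```

On the real file the interesting fields are owned_by_root (should be true for a log X wrote during firstboot), executable and has_elf_magic (should both be false), and mac_times_near_reference with the first boot time passed in; a mismatch there is what would actually justify digging further, not the suspscan score on its own.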
Quote:
Originally Posted by unSpawn
It's just plain "F", no longer "FC" just like it is "Rootkit Hunter" and not "chkrootkit" you've been running. Like the RKH code:
say, the "suspscan" part of RKH should not be enabled unless you know what you're doing. After all it is just a kludge. Your file is a logfile. It is not read, only written to. It does not contain commands or code to execute. This is a false positive. If you 'stat' the file you should see it is owned by root user and group and has MAC times approximating your systems first bootup time.
BTW: you didn't post no LKM warning log output. Maybe you should.
BTW[1]: I've edited your thread title to reflect the tool in question.
BTW[2]: I've also edited your post. Putting large amounts of text in BB code text enhances readability.
--------------------
Thanks for the info and title and substantive edits.
I know that logfiles are passive, so I know that the log itself was not dangerous, but I wanted to know what in it made the hunter suspicious that something had gone on. I'm running more tests now, as I said, (2 hidden processes affecting readdir was the warning log output, but I'm not at that computer now so I can't quote it verbatim) but I didn't want to reinstall or do anything without figuring out what went wrong (if anything). No sense in reinstalling a vulnerability.
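The "hidden processes affecting readdir" warning mentioned above comes from comparing two views of the process table: what a directory listing of /proc shows versus which PIDs answer to a signal-0 probe. The script below is an added illustration of that cross-check, not chkrootkit's own code. It assumes a Linux /proc, reads pid_max from /proc/sys/kernel/pid_max, and brackets the probe with two readdir snapshots so processes that merely start or exit during the scan are not reported. compare_views() is pure, so it can be exercised on constructed sets without touching the live system.

```python
import os


def pids_via_readdir():
    """PIDs as a directory listing of /proc reports them."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_via_probe(max_pid=None):
    """PIDs that exist according to kill(pid, 0), which does not use readdir()."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)          # signal 0: existence check only, nothing is sent
        except ProcessLookupError:
            continue                 # no such process
        except PermissionError:
            pass                     # exists, just not ours to signal
        alive.add(pid)
    return alive


def compare_views(readdir_before, probed, readdir_after):
    """PIDs the probe found that neither readdir() snapshot shows.

    A process that started after the first snapshot and was still alive at
    the second is excluded by readdir_after; one whose whole lifetime fell
    inside the probe window can still appear, so repeat the scan to confirm.
    """
    return sorted(probed - readdir_before - readdir_after)


def scan_for_hidden(max_pid=None):
    """Live scan: readdir snapshot, full PID probe, second snapshot, compare."""
    before = pids_via_readdir()
    probed = pids_via_probe(max_pid)
    after = pids_via_readdir()
    return compare_views(before, probed, after)


if __name__ == "__main__":
    suspects = scan_for_hidden()
    print("PIDs visible to kill(2) but absent from /proc listing:", suspects or "none")
```

Both views are answered by the kernel, so this only catches tools that filter the /proc listing (the readdir hook chkrootkit is alluding to) while leaving the signal path alone; a rootkit that lies consistently to both passes this test, which is why the same comparison is worth repeating from a known-clean boot medium before trusting a negative result.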