LinuxQuestions.org
Old 04-05-2009, 10:17 AM   #1
moxieman99
Member
LKM Trojan and "suspicious activity" in /tmp/firstbootX.log, says Rootkit Hunter


FC10, 2.6.27-5 kernel. I noticed some unusual activity on my hard drive and ran chkrootkit (0.48), which said I might have the lkm trojan. It also said that the firstbootX.log in /tmp showed signs of suspicious activity, giving it a score of 274 (?) where standard cut-off is 200. I am now running some more tests on the disk, since I know that chkrootkit can give false positives, but the note about the /tmp/firstbootX.log raises my hackles.

Anyway, before I reread CERT guides, wipe and reformat the hard disc and start all over, I want to check the firstbootX.log and also understand what happened and how. I don't know enough about the matter to see what the suspicious activity is, so I ask you: What in the following would give cause for alarm?
Code:
Begin
----------------------------------------------------------
X.Org X Server 1.5.3
Release Date: 5 November 2008
X Protocol Version 11, Revision 0
Build Operating System: Linux 2.6.18-92.1.10.el5 i686 
Current Operating System: Linux localhost.localdomain 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686
Build Date: 16 November 2008  08:29:02PM
Build ID: xorg-x11-server 1.5.3-5.fc10 
	Before reporting problems, check http://wiki.x.org
	to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
	(++) from command line, (!!) notice, (II) informational,
	(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(++) Log file: "/tmp/firstbootX.log", Time: Tue Mar 24 19:01:13 2009
(EE) Unable to locate/open config file
(II) Loader magic: 0x81f4400
(II) Module ABI versions:
	X.Org ANSI C Emulation: 0.4
	X.Org Video Driver: 4.1
	X.Org XInput driver : 2.1
	X.Org Server Extension : 1.1
	X.Org Font Renderer : 0.6
(II) Loader running on linux
(++) using VT number 6

(--) PCI:*(0@1:0:0) Silicon Integrated Systems [SiS] 65x/M650/740 PCI/AGP VGA Display Adapter rev 0, Mem @ 0xd0000000/0, 0xdfee0000/0, I/O @ 0x0000bc00/0
(==) Matched sis for the autoconfigured driver
New driver is "sis"
(==) Using default built-in configuration (30 lines)
(==) --- Start of built-in configuration ---
	Section "Device"
		Identifier	"Builtin Default sis Device 0"
		Driver	"sis"
	EndSection
	

          <SIMILAR MATERIAL EDITED FOR LENGTH>

       Section "ServerLayout"
		Identifier	"Builtin Default Layout"
		Screen	"Builtin Default sis Screen 0"
		Screen	"Builtin Default fbdev Screen 0"
		Screen	"Builtin Default vesa Screen 0"
	EndSection
(==) --- End of built-in configuration ---
(==) ServerLayout "Builtin Default Layout"
(**) |-->Screen "Builtin Default sis Screen 0" (0)
(**) |   |-->Monitor "<default monitor>"
(**) |   |-->Device "Builtin Default sis Device 0"
(==) No monitor specified for screen "Builtin Default sis Screen 0".
	Using a default monitor configuration.
(**) |-->Screen "Builtin Default fbdev Screen 0" (1)
(**) |   |-->Monitor "<default monitor>"
(**) |   |-->Device "Builtin Default fbdev Device 0"
(==) No monitor specified for screen "Builtin Default fbdev Screen 0".
	Using a default monitor configuration.
(**) |-->Screen "Builtin Default vesa Screen 0" (2)
(**) |   |-->Monitor "<default monitor>"
(**) |   |-->Device "Builtin Default vesa Device 0"
(==) No monitor specified for screen "Builtin Default vesa Screen 0".
	Using a default monitor configuration.
(==) Automatically adding devices
(==) Automatically enabling devices
(==) No FontPath specified.  Using compiled-in default.
(==) FontPath set to:
	catalogue:/etc/X11/fontpath.d,
	built-ins
(==) ModulePath set to "/usr/lib/xorg/modules"
(II) Cannot locate a core pointer device.
(II) Cannot locate a core keyboard device.
(II) The server relies on HAL to provide the list of input devices.
	If no devices become available, reconfigure HAL or disable AllowEmptyInput.
(II) Open ACPI successful (/var/run/acpid.socket)
(II) System resource ranges:
	[0] -1	0	0xffffffff - 0xffffffff (0x1) MX[B]
	[1] -1	0	0x000f0000 - 0x000fffff (0x10000) MX[B]
	[2] -1	0	0x000c0000 - 0x000effff (0x30000) MX[B]
	[3] -1	0	0x00000000 - 0x0009ffff (0xa0000) MX[B]
	[4] -1	0	0x0000ffff - 0x0000ffff (0x1) IX[B]
	[5] -1	0	0x00000000 - 0x00000000 (0x1) IX[B]
(II) LoadModule: "extmod"

(II) Loading /usr/lib/xorg/modules/extensions//libextmod.so
(II) Module extmod: vendor="X.Org Foundation"
	compiled for 1.5.3, module version = 1.0.0
	Module class: X.Org Server Extension
	ABI class: X.Org Server Extension, version 1.1
(II) Loading extension SELinux
(II) Loading extension SHAPE
(II) Loading extension MIT-SUNDRY-NONSTANDARD
(II) Loading extension BIG-REQUESTS
(II) Loading extension SYNC
(II) Loading extension MIT-SCREEN-SAVER
(II) Loading extension XC-MISC
(II) Loading extension XFree86-VidModeExtension
(II) Loading extension XFree86-Misc
(II) Loading extension XFree86-DGA
(II) Loading extension DPMS
(II) Loading extension TOG-CUP
(II) Loading extension Extended-Visual-Information
(II) Loading extension XVideo
(II) Loading extension XVideo-MotionCompensation
(II) Loading extension X-Resource
(II) LoadModule: "dbe"

(II) Loading /usr/lib/xorg/modules/extensions//libdbe.so
(II) Module dbe: vendor="X.Org Foundation"
	compiled for 1.5.3, module version = 1.0.0
	Module class: X.Org Server Extension
	ABI class: X.Org Server Extension, version 1.1
(II) Loading extension DOUBLE-BUFFER
(II) LoadModule: "glx"

(II) Loading /usr/lib/xorg/modules/extensions//libglx.so
(II) Module glx: vendor="X.Org Foundation"
	compiled for 1.5.3, module version = 1.0.0
	ABI class: X.Org Server Extension, version 1.1
(==) AIGLX enabled
(==) Exporting typical set of GLX visuals
(II) Loading extension GLX
(II) LoadModule: "freetype"

(II) Loading /usr/lib/xorg/modules/fonts//libfreetype.so
(II) Module freetype: vendor="X.Org Foundation & the After X-TT Project"
	compiled for 1.5.3, module version = 2.1.0
	Module class: X.Org Font Renderer
	ABI class: X.Org Font Renderer, version 0.6
(II) Loading font FreeType
(II) LoadModule: "dri"

(II) Loading /usr/lib/xorg/modules/extensions//libdri.so
(II) Module dri: vendor="X.Org Foundation"
	compiled for 1.5.3, module version = 1.0.0
	ABI class: X.Org Server Extension, version 1.1
(II) Loading extension XFree86-DRI
(II) LoadModule: "sis"

(II) Loading /usr/lib/xorg/modules/drivers//sis_drv.so
(II) Module sis: vendor="X.Org Foundation"
	compiled for 1.4.99.901, module version = 0.10.0
	Module class: X.Org Video Driver
	ABI class: X.Org Video Driver, version 4.0
(II) LoadModule: "fbdev"

(II) Loading /usr/lib/xorg/modules/drivers//fbdev_drv.so
(II) Module fbdev: vendor="X.Org Foundation"
	compiled for 1.4.99.2, module version = 0.3.1
	ABI class: X.Org Video Driver, version 4.0
(II) LoadModule: "vesa"

(II) Loading /usr/lib/xorg/modules/drivers//vesa_drv.so
(II) Module vesa: vendor="X.Org Foundation"
	compiled for 1.4.99.905, module version = 1.3.0
	Module class: X.Org Video Driver
	ABI class: X.Org Video Driver, version 4.1
(II) SIS: driver for SiS chipsets: SIS5597/5598, SIS530/620,
	SIS6326/AGP/DVD, SIS300/305, SIS630/730, SIS540, SIS315, SIS315H,
	SIS315PRO/E, SIS550, SIS650/M650/651/740, SIS330(Xabre),
	SIS660/[M]661[F|M]X/[M]670/[M]741[GX]/[M]760[GX]/[M]761[GX]/[M]770[GX],
	SIS340
(II) SIS: driver for XGI chipsets: Volari Z7 (XG20),
	Volari V3XT/V5/V8/Duo (XG40)
(II) FBDEV: driver for framebuffer: fbdev
(II) VESA: driver for VESA chipsets: vesa
(II) Primary Device is: PCI 01@00:00:0
(WW) Falling back to old probe method for sis
(WW) SIS: No matching Device section for instance (BusID PCI:0@0:0:0) found
(WW) SIS: No matching Device section for instance (BusID PCI:0@0:1:0) found
(WW) SIS: No matching Device section for instance (BusID PCI:0@0:2:0) found
(WW) SIS: No matching Device section for instance (BusID PCI:0@0:2:1) found
(WW) SIS: No matching Device section for instance (BusID PCI:0@0:2:5) found
(WW) SIS: No matching Device section for instance (BusID PCI:0@0:2:7) found
(WW) SIS: No matching Device section for instance (BusID PCI:0@0:3:0) found
(WW) SIS: No matching Device section for instance (BusID PCI:0@0:3:1) found
(WW) SIS: No matching Device section for instance (BusID PCI:0@0:3:3) found
(WW) SIS: No matching Device section for instance (BusID PCI:0@0:4:0) found
(--) Assigning device section with no busID to primary device
(--) Chipset SIS650/M650/651/740 found
(II) resource ranges after xf86ClaimFixedResources() call:
	[0] -1	0	0xffffffff - 0xffffffff (0x1) MX[B]
	[1] -1	0	0x000f0000 - 0x000fffff (0x10000) MX[B]
	[2] -1	0	0x000c0000 - 0x000effff (0x30000) MX[B]
	[3] -1	0	0x00000000 - 0x0009ffff (0xa0000) MX[B]
	[4] -1	0	0x0000ffff - 0x0000ffff (0x1) IX[B]
	[5] -1	0	0x00000000 - 0x00000000 (0x1) IX[B]
(WW) Falling back to old probe method for fbdev
(II) Loading sub module "fbdevhw"
(II) LoadModule: "fbdevhw"

(II) Loading /usr/lib/xorg/modules/linux//libfbdevhw.so
(II) Module fbdevhw: vendor="X.Org Foundation"
	compiled for 1.5.3, module version = 0.0.2
	ABI class: X.Org Video Driver, version 4.1
(EE) open /dev/fb0: No such file or directory
(WW) Falling back to old probe method for vesa
(II) resource ranges after probing:
	[0] -1	0	0xffffffff - 0xffffffff (0x1) MX[B]
	[1] -1	0	0x000f0000 - 0x000fffff (0x10000) MX[B]
	[2] -1	0	0x000c0000 - 0x000effff (0x30000) MX[B]
	[3] -1	0	0x00000000 - 0x0009ffff (0xa0000) MX[B]
	[4] 0	0	0x000a0000 - 0x000affff (0x10000) MS[B]
	[5] 0	0	0x000b0000 - 0x000b7fff (0x8000) MS[B]
	[6] 0	0	0x000b8000 - 0x000bffff (0x8000) MS[B]
	[7] -1	0	0x0000ffff - 0x0000ffff (0x1) IX[B]
	[8] -1	0	0x00000000 - 0x00000000 (0x1) IX[B]
	[9] 0	0	0x000003b0 - 0x000003bb (0xc) IS[B]
	[10] 0	0	0x000003c0 - 0x000003df (0x20) IS[B]
(II) Setting vga for screen 0.
(II) SIS(0): SiS driver (2005/09/20-1, compiled for X.org 1.4.99.901)
(II) SIS(0): Copyright (C) 2001-2005 Thomas Winischhofer <thomas@winischhofer.net> and others
(II) SIS(0): *** See http://www.winischhofer.at/linuxsisvga.shtml
(II) SIS(0): *** for documentation and updates.
(--) SIS(0): sisfb not found
(--) SIS(0): Relocated I/O registers at 0xBC00
(II) Loading sub module "ramdac"
(II) LoadModule: "ramdac"
(II) Module "ramdac" already built-in
(II) SIS(0): Creating default Display subsection in Screen section
	"Builtin Default sis Screen 0" for depth/fbbpp 24/32
(==) SIS(0): Depth 24, (==) framebuffer bpp 32
(==) SIS(0): RGB weight 888
(==) SIS(0): Default visual is TrueColor
(WW) SIS(0): Could not find/read video BIOS
(==) SIS(0): Using XAA acceleration architecture
(==) SIS(0): Using HW cursor
(==) SIS(0): Color HW cursor is enabled
(II) SIS(0): Using VRAM command queue, size 512k
(==) SIS(0): Hotkey display switching is enabled
(II) SIS(0): WARNING: Using the Hotkey might freeze your machine, regardless
(II) SIS(0):          whether enabled or disabled. This is no driver bug.
(==) SIS(0): SiSCtrl utility interface is disabled
(II) SIS(0): For information on SiSCtrl, see
		http://www.winischhofer.at/linuxsispart1.shtml#sisctrl
(==) SIS(0): DRI disabled
(II) SIS(0): Checking OS for SSE support is not supported in this version of X.org
(II) SIS(0): If your OS supports SSE, set the option "UseSSE" to "on".
(--) SIS(0): DIMM0 is DDR SDRAM
(--) SIS(0): DIMM1 is DDR SDRAM
(--) SIS(0): DIMM2 is not installed
(--) SIS(0): DIMM3 is not installed
(--) SIS(0): DRAM type: DDR SDRAM
(--) SIS(0): Memory clock: 267.268 MHz
(--) SIS(0): DRAM bus width: 64 bit
(--) SIS(0): Linear framebuffer at 0xD0000000
(--) SIS(0): MMIO registers at 0xDFEE0000 (size 64K)
(--) SIS(0): VideoRAM: 32768 KB
(II) SIS(0): Using 32192K of framebuffer memory at offset 0K
(--) SIS(0): SiS650 revision ID 50 (650 A2 CA)
(--) SIS(0): Hardware supports one video overlay
(==) SIS(0): Using gamma correction (1.0, 1.0, 1.0)
(II) SIS(0): Gamma correction is enabled
(II) SIS(0): Separate Xv gamma correction is disabled
(--) SIS(0): Using Xv overlay by default on CRT1
(--) SIS(0): Memory bandwidth at 32 bpp is 534.536 MHz
(II) Loading sub module "ddc"
(II) LoadModule: "ddc"
(II) Module "ddc" already built-in
(--) SIS(0): CRT1 DDC supported
(--) SIS(0): CRT1 DDC level: 2 
(--) SIS(0): CRT1 DDC monitor info: *******************************************
< MONITOR INFORMATION EDITED FOR LENGTH>

(==) SIS(0): Min pixel clock is 10 MHz
(--) SIS(0): Max pixel clock is 340 MHz
(II) SIS(0): Replaced default mode list with built-in modes
(II) SIS(0): Using fake widescreen modes for CRT1 VGA devices
(II) SIS(0): 	Use option "ForceCRT1VGAAspect" to overrule
(II) SIS(0): "Unknown reason" in the following list means that the mode
(**) SIS(0): Display dimensions: (330, 240) mm
(**) SIS(0): DPI set to (98, 101)
(II) Loading sub module "fb"
(II) LoadModule: "fb"

(II) Loading /usr/lib/xorg/modules//libfb.so
(II) Module fb: vendor="X.Org Foundation"
	compiled for 1.5.3, module version = 1.0.0
	ABI class: X.Org ANSI C Emulation, version 0.4
(II) Loading sub module "xaa"
(II) LoadModule: "xaa"

(II) Loading /usr/lib/xorg/modules//libxaa.so
(II) Module xaa: vendor="X.Org Foundation"
	compiled for 1.5.3, module version = 1.2.0
	ABI class: X.Org Video Driver, version 4.1
(II) SIS(0): 2D acceleration enabled
(II) UnloadModule: "fbdev"
(II) Unloading /usr/lib/xorg/modules/drivers//fbdev_drv.so
(II) UnloadModule: "fbdevhw"
(II) Unloading /usr/lib/xorg/modules/linux//libfbdevhw.so
(II) UnloadModule: "vesa"
(II) Unloading /usr/lib/xorg/modules/drivers//vesa_drv.so
(--) Depth 24 pixmap format is 32 bpp
(II) do I need RAC?  No, I don't.
(II) resource ranges after preInit:
	[0] -1	0	0xffffffff - 0xffffffff (0x1) MX[B]
	[1] -1	0	0x000f0000 - 0x000fffff (0x10000) MX[B]
	[2] -1	0	0x000c0000 - 0x000effff (0x30000) MX[B]
	[3] -1	0	0x00000000 - 0x0009ffff (0xa0000) MX[B]
	[4] 0	0	0x000a0000 - 0x000affff (0x10000) MS[B](OprU)
	[5] 0	0	0x000b0000 - 0x000b7fff (0x8000) MS[B](OprU)
	[6] 0	0	0x000b8000 - 0x000bffff (0x8000) MS[B](OprU)
	[7] -1	0	0x0000ffff - 0x0000ffff (0x1) IX[B]
	[8] -1	0	0x00000000 - 0x00000000 (0x1) IX[B]
	[9] 0	0	0x000003b0 - 0x000003bb (0xc) IS[B](OprU)
	[10] 0	0	0x000003c0 - 0x000003df (0x20) IS[B](OprU)
(II) Loading sub module "vbe"
(II) LoadModule: "vbe"

(II) Loading /usr/lib/xorg/modules//libvbe.so
(II) Module vbe: vendor="X.Org Foundation"
	compiled for 1.5.3, module version = 1.1.0
	ABI class: X.Org Video Driver, version 4.1
(II) Loading sub module "int10"
(II) LoadModule: "int10"

(II) Loading /usr/lib/xorg/modules//libint10.so
(II) Module int10: vendor="X.Org Foundation"
	compiled for 1.5.3, module version = 1.0.0
	ABI class: X.Org Video Driver, version 4.1
(II) SIS(0): initializing int10
(II) SIS(0): Primary V_BIOS segment is: 0xc000
(II) SIS(0): VESA BIOS detected
(II) SIS(0): VESA VBE Version 3.0
(II) SIS(0): VESA VBE Total Mem: 32768 kB
(II) SIS(0): VESA VBE OEM: SiS
(II) SIS(0): VESA VBE OEM Software Rev: 1.0
(II) SIS(0): VESA VBE OEM Vendor: Silicon Integrated Systems Corp.
(II) SIS(0): VESA VBE OEM Product: 6325
(II) SIS(0): VESA VBE OEM Product Rev: 1.05.00
(II) SIS(0): Setting custom mode 1280x960 on CRT1
(II) SIS(0): Setting custom mode 1280x960 on CRT2
(II) SIS(0): RENDER acceleration enabled
(II) SIS(0): Framebuffer from (0,0) to (1279,6436)
(II) SIS(0): Using XFree86 Acceleration Architecture (XAA)
	Screen to screen bit blits
	Solid filled rectangles
	8x8 mono pattern filled rectangles
	8x8 color pattern filled rectangles
	Solid Lines
	Dashed Lines
	Setting up tile and stipple cache:
		32 128x128 slots
		32 256x256 slots
		16 512x512 slots
		32 8x8 color pattern slots
(--) SIS(0): CPU frequency 2390.29Mhz
(II) SIS(0): Benchmarking system RAM to video RAM memory transfer methods:
(--) SIS(0): 	Checked libc memcpy()... 	430.3 MiB/s
(--) SIS(0): 	Checked built-in-1 memcpy()... 	433.1 MiB/s
(--) SIS(0): 	Checked built-in-2 memcpy()... 	68.8 MiB/s
(--) SIS(0): 	Checked MMX memcpy()... 	437.1 MiB/s
(--) SIS(0): 	Checked MMX2 memcpy()... 	532.6 MiB/s
(--) SIS(0): Using MMX2 method for aligned data transfers to video RAM
(--) SIS(0): Using MMX2 method for unaligned data transfers to video RAM
(==) SIS(0): Backing store disabled
(==) SIS(0): Silken mouse enabled
(II) SIS(0): DPMS enabled
(II) SIS(0): Using SiS300/315/330/340 series HW Xv by default on CRT1
(II) SIS(0): Initialized SISCTRL extension version 0.1
(II) SIS(0): Registered screen 0 with SISCTRL extension version 0.1
(==) RandR enabled
(II) Initializing built-in extension MIT-SHM
(II) Initializing built-in extension XInputExtension
(II) Initializing built-in extension XTEST
(II) Initializing built-in extension XKEYBOARD
(II) Initializing built-in extension XINERAMA
(II) Initializing built-in extension XFIXES
(II) Initializing built-in extension RENDER
(II) Initializing built-in extension RANDR
(II) Initializing built-in extension COMPOSITE
(II) Initializing built-in extension DAMAGE
(II) Initializing built-in extension XEVIE
(II) AIGLX: Screen 0 is not DRI capable
(II) AIGLX: Loaded and initialized /usr/lib/dri/swrast_dri.so
(II) GLX: Initialized DRISWRAST GL provider for screen 0
(II) config/hal: Adding input device AT Translated Set 2 keyboard
(II) LoadModule: "evdev"

(II) Loading /usr/lib/xorg/modules/input//evdev_drv.so
(II) Module evdev: vendor="X.Org Foundation"
	compiled for 1.5.2, module version = 2.0.7
	Module class: X.Org XInput Driver
	ABI class: X.Org XInput driver, version 2.1
(**) AT Translated Set 2 keyboard: always reports core events
(**) AT Translated Set 2 keyboard: Device: "/dev/input/event4"
(II) AT Translated Set 2 keyboard: Found keys
(II) AT Translated Set 2 keyboard: Configuring as keyboard
(II) XINPUT: Adding extended input device "AT Translated Set 2 keyboard" (type: KEYBOARD)
(**) Option "xkb_rules" "evdev"
(**) AT Translated Set 2 keyboard: xkb_rules: "evdev"
(**) Option "xkb_model" "pc105+inet"
(**) AT Translated Set 2 keyboard: xkb_model: "pc105+inet"
(**) Option "xkb_layout" "us"
(**) AT Translated Set 2 keyboard: xkb_layout: "us"
(II) config/hal: Adding input device Power Button (CM)
(**) Power Button (CM): always reports core events
(**) Power Button (CM): Device: "/dev/input/event1"
(II) Power Button (CM): Found keys
(II) Power Button (CM): Configuring as keyboard
(II) XINPUT: Adding extended input device "Power Button (CM)" (type: KEYBOARD)
(**) Option "xkb_rules" "evdev"
(**) Power Button (CM): xkb_rules: "evdev"
(**) Option "xkb_model" "pc105+inet"
(**) Power Button (CM): xkb_model: "pc105+inet"
(**) Option "xkb_layout" "us"
(**) Power Button (CM): xkb_layout: "us"
(II) config/hal: Adding input device Power Button (FF)
(**) Power Button (FF): always reports core events
(**) Power Button (FF): Device: "/dev/input/event0"
(II) Power Button (FF): Found keys
(II) Power Button (FF): Configuring as keyboard
(II) XINPUT: Adding extended input device "Power Button (FF)" (type: KEYBOARD)
(**) Option "xkb_rules" "evdev"
(**) Power Button (FF): xkb_rules: "evdev"
(**) Option "xkb_model" "pc105+inet"
(**) Power Button (FF): xkb_model: "pc105+inet"
(**) Option "xkb_layout" "us"
(**) Power Button (FF): xkb_layout: "us"
(II) config/hal: Adding input device Sleep Button (CM)
(**) Sleep Button (CM): always reports core events
(**) Sleep Button (CM): Device: "/dev/input/event2"
(II) Sleep Button (CM): Found keys
(II) Sleep Button (CM): Configuring as keyboard
(II) XINPUT: Adding extended input device "Sleep Button (CM)" (type: KEYBOARD)
(**) Option "xkb_rules" "evdev"
(**) Sleep Button (CM): xkb_rules: "evdev"
(**) Option "xkb_model" "pc105+inet"
(**) Sleep Button (CM): xkb_model: "pc105+inet"
(**) Option "xkb_layout" "us"
(**) Sleep Button (CM): xkb_layout: "us"
(II) config/hal: Adding input device HID 0a5c:4502
(**) HID 0a5c:4502: always reports core events
(**) HID 0a5c:4502: Device: "/dev/input/event6"
(II) HID 0a5c:4502: Found keys
(II) HID 0a5c:4502: Configuring as keyboard
(II) XINPUT: Adding extended input device "HID 0a5c:4502" (type: KEYBOARD)
(**) Option "xkb_rules" "evdev"
(**) HID 0a5c:4502: xkb_rules: "evdev"
(**) Option "xkb_model" "pc105+inet"
(**) HID 0a5c:4502: xkb_model: "pc105+inet"
(**) Option "xkb_layout" "us"
(**) HID 0a5c:4502: xkb_layout: "us"
(II) config/hal: Adding input device ImPS/2 Generic Wheel Mouse
(**) ImPS/2 Generic Wheel Mouse: always reports core events
(**) ImPS/2 Generic Wheel Mouse: Device: "/dev/input/event5"
(II) ImPS/2 Generic Wheel Mouse: Found x and y relative axes
(II) ImPS/2 Generic Wheel Mouse: Found mouse buttons
(II) ImPS/2 Generic Wheel Mouse: Configuring as mouse
(II) XINPUT: Adding extended input device "ImPS/2 Generic Wheel Mouse" (type: MOUSE)
(II) config/hal: Adding input device Macintosh mouse button emulation
(**) Macintosh mouse button emulation: always reports core events
(**) Macintosh mouse button emulation: Device: "/dev/input/event3"
(II) Macintosh mouse button emulation: Found x and y relative axes
(II) Macintosh mouse button emulation: Found mouse buttons
(II) Macintosh mouse button emulation: Configuring as mouse
(II) XINPUT: Adding extended input device "Macintosh mouse button emulation" (type: MOUSE)
(II) config/hal: Adding input device HID 0a5c:4503
(**) HID 0a5c:4503: always reports core events
(**) HID 0a5c:4503: Device: "/dev/input/event7"
(II) HID 0a5c:4503: Found x and y relative axes
(II) HID 0a5c:4503: Found mouse buttons
(II) HID 0a5c:4503: Configuring as mouse
(II) XINPUT: Adding extended input device "HID 0a5c:4503" (type: MOUSE)
(II) AT Translated Set 2 keyboard: Close
(II) UnloadModule: "evdev"
(II) Power Button (CM): Close
(II) UnloadModule: "evdev"
(II) Power Button (FF): Close
(II) UnloadModule: "evdev"
(II) Sleep Button (CM): Close
(II) UnloadModule: "evdev"
(II) HID 0a5c:4502: Close
(II) UnloadModule: "evdev"
(II) ImPS/2 Generic Wheel Mouse: Close
(II) UnloadModule: "evdev"
(II) Macintosh mouse button emulation: Close
(II) UnloadModule: "evdev"
(II) HID 0a5c:4503: Close
(II) UnloadModule: "evdev"
(II) SIS(0): Restoring by setting old mode 0x03
(WW) SIS(0): xf86UnMapVidMem: cannot find region for [0xb7ddd000,0x10000]
(WW) SIS(0): xf86UnMapVidMem: cannot find region for [0xb5ddd000,0x2000000]

Last edited by unSpawn; 04-05-2009 at 11:23 AM. Reason: //moderator.note: logs between BB code tags for easier reading.
 
Old 04-05-2009, 11:21 AM   #2
unSpawn
Moderator
It's just plain "F", no longer "FC", just like it is "Rootkit Hunter" and not "chkrootkit" you've been running. Like the RKH code:

Code:
suspscan() {

        #
        # Purpose: scan directory for files with suspicious contents
        # suspscan hogs CPU and I/O. It should NOT BE ENABLED BY DEFAULT!
        # Args: directoryname(s) from rkhunter.conf
and config:

Code:
# Scan for suspicious files in directories containing temporary files and
# directories posing a relatively higher risk due to user write access.
# Please do not enable by default as suspscan is CPU and I/O intensive and prone to
# producing false positives. Do review all settings before usage.
say, the "suspscan" part of RKH should not be enabled unless you know what you're doing. After all, it is just a kludge. Your file is a logfile. It is not read, only written to. It does not contain commands or code to execute. This is a false positive. If you 'stat' the file you should see it is owned by the root user and group and has MAC times approximating your system's first bootup time.

BTW: you didn't post any LKM warning log output. Maybe you should.
BTW[1]: I've edited your thread title to reflect the tool in question.
BTW[2]: I've also edited your post. Putting large amounts of text in BB code tags enhances readability.

Last edited by unSpawn; 04-05-2009 at 11:25 AM. Reason: clarity+
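One way to triage a suspscan hit along the lines unSpawn describes (stat the file, confirm root ownership, no execute bit, nothing executable inside, timestamps near boot), added here as an example that is neither this thread's nor rkhunter's own code; it assumes GNU coreutils (stat -c, head -c, od) and a Linux /proc/stat for the boot time:

```shell
#!/bin/sh
# Added example, not code from the thread or from rkhunter: triage a file that
# suspscan flagged. A log written by firstboot should be a plain root:root text
# file with no execute bit, not an ELF binary or a script, and its timestamps
# should sit near boot time. Assumes GNU coreutils and a Linux /proc/stat.

# Epoch seconds at which the running kernel booted ("btime" in /proc/stat);
# prints 0 when that is unavailable so the time check is skipped.
boot_time() {
    bt=$(awk '/^btime/ { print $2 }' /proc/stat 2>/dev/null)
    echo "${bt:-0}"
}

# Usage: triage_flagged_file PATH [OWNER] [GROUP] [MAX_SECONDS_AFTER_BOOT]
# Prints "clean" or a space-separated list of findings. Returns 0 when clean,
# 1 when something stands out, 2 when PATH is not a regular file.
triage_flagged_file() {
    f=$1
    want_owner=${2:-root}
    want_group=${3:-root}
    window=${4:-3600}
    findings=""

    [ -f "$f" ] || { echo "not-a-regular-file"; return 2; }

    owner=$(stat -c '%U' "$f")
    group=$(stat -c '%G' "$f")
    mode=$(stat -c '%a' "$f")
    mtime=$(stat -c '%Y' "$f")

    # A log that firstboot wrote as root should still belong to root:root.
    [ "$owner" = "$want_owner" ] || findings="$findings owner=$owner"
    [ "$group" = "$want_group" ] || findings="$findings group=$group"

    # An execute bit on a log file is out of place.
    if [ -x "$f" ]; then
        findings="$findings executable(mode=$mode)"
    fi

    # A log is text: an ELF header or a shebang means it is no longer a log.
    magic=$(head -c 4 "$f" | od -An -c | tr -d ' \n')
    case "$magic" in
        177ELF*) findings="$findings elf-binary" ;;
        '#!'*)   findings="$findings script-shebang" ;;
    esac

    # Modified well after the current boot: something rewrote a firstboot log.
    bt=$(boot_time)
    if [ "$bt" -gt 0 ] && [ $((mtime - bt)) -gt "$window" ]; then
        findings="$findings modified-$((mtime - bt))s-after-boot"
    fi

    if [ -z "$findings" ]; then
        echo "clean"
        return 0
    fi
    echo "${findings# }"
    return 1
}

# Stand-alone use: triage each path given on the command line.
if [ $# -gt 0 ]; then
    for p in "$@"; do
        printf '%s: ' "$p"
        triage_flagged_file "$p" || true
    done
fi
```

Run it as `sh triage.sh /tmp/firstbootX.log` on the box that raised the warning; "clean" means the file looks like the passive root-owned log unSpawn expects, anything else is worth a closer look.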
 
Old 04-05-2009, 11:49 AM   #3
moxieman99
Member
Original Poster
Quote:
Originally Posted by unSpawn
It's just plain "F", no longer "FC", just like it is "Rootkit Hunter" and not "chkrootkit" you've been running. Like the RKH code:

say, the "suspscan" part of RKH should not be enabled unless you know what you're doing. After all, it is just a kludge. Your file is a logfile. It is not read, only written to. It does not contain commands or code to execute. This is a false positive. If you 'stat' the file you should see it is owned by the root user and group and has MAC times approximating your system's first bootup time.

BTW: you didn't post any LKM warning log output. Maybe you should.
BTW[1]: I've edited your thread title to reflect the tool in question.
BTW[2]: I've also edited your post. Putting large amounts of text in BB code tags enhances readability.
--------------------
Thanks for the info and title and substantive edits.

I know that logfiles are passive, so I know that the log itself was not dangerous, but I wanted to know what in it made the hunter suspicious that something had gone on. I'm running more tests now, as I said (2 hidden processes affecting readdir was the warning log output, but I'm not at that computer now so I can't quote it verbatim), but I didn't want to reinstall or do anything without figuring out what went wrong (if anything). No sense in reinstalling a vulnerability.

Thanks again.