I'm getting this logged by OSSEC, I believe it's for ATI driver's and should be normal? but wanted to verify if you all thought this was OK or not.

I do use the latest ATI drivers on this pc that is logging this message.

I believe it's for ATI driver's and should be normal?
Determination can be done by different means. One is to use a file integrity checker like Aide, Samhain or even tripwire, of course in the case of /dev files this won't work. So if your distro's (you didn't fill in that info in your control panel) package manager supports verification then most of the time you can fall back on that to check (provided you have an off-site backup of the database), and since this is a /dev/ file you would probably have to look in the packages (post)install scripts. If it's Udev, then it could be a rule has been set up in your Udev ruledir. These are more or less authoritative means for verification.

Non-authoritative means (call it "circumstancial evidence" due to the dynamics of a Live system and probability for manipulation) would be to look for instance at "lsmod", "stat", "fuser" (fuser -v /dev/* | grep ^/|sort|uniq) and "lsof" (lsof -n +D /dev|awk '{print $NF}'|sort|uniq) output for clues wrt rights, usage, MAC times and such. The worst and most flawed way would be to assume that because the name contains the string "ati" and "shm" this is a device linked to ATI. Names don't mean a thing.

Hi Unspawn,

Yeah I've been rooted Thank you for the reply. Back to damage control, bye for now. Thanks again.

Not so fast. What indications do you have you're rooted?

Hi Unspawn,

I believe that I was rooted because rkhunter was reporting the rootkit ports being open, and I verified that they were using netstat -l. However the rootkit did not create the "/usr/src/.puta" folder, but maybe this is a modified rootkit, or maybe the rootkit didnt get fully installed. I don't run any server's of any kind (well, samba, nfs and cups but only for the lan pc's), and there were no files or daemons listed next to the port's output of 47107 or 41707 (i forget off the top of my head the torn port) in netstat.

Initially I started a thread here on LQ a while back regaring rc.statd running as root on my pc...located here

http://www.linuxquestions.org/questi...d.php?t=489929

Since opening that thread up here a few weeks ago, I install started using OSSEC and really only had the one message, and that is why I started this thread.

But then all of the sudden a few days ago OSSEC starting logging/emailing to me that some of my daemons were having their md5sum values change over and over, cups, samba, to be particular. Becuase the OSSEC sends out the email alerts I got them right away, and well here I am.

From what I read the TOrn rootkit uses that rc.statd daemon, again, I'm trying to figure out what other slacker's do for this daemon, do they chown it to a different user or not.

I'm using slackware 11.0 on the pc that got compromised, and I did gpg verify that cd and md5 checksum it.

Maybe? when I reloaded the pc with slack 11 from 10.2 I used some packages that I had downloaded from linuxpackages, or made myself, that sat locally on the pc, and they got "reworked" somehow and I put them in on my fresh install of slackware? Not sure, but I'm going to download all new sources and make new pack's when this is all said and done.

So for now I DoD wiped the entire pc, but it takes soo long to wipe

So for now I DoD wiped the entire pc, but it takes soo long to wipe
I was going to write about the necessity for second opinions, but that's mooted by you wiping the drive.
Shame. Did you make a backup? Anyway. Zeroing out should be enough most of the times IMHO.

Hi unspawn.

I made a backup of my various .config files and put them into a tar.gz. Mostly my samba, cups, hosts.allow/deny, and inetd.conf, fstab. I made a backup of the home folder. But I did not make an "image" forensic copy of the entire "/" partition.

My partition was "xfs" and I do not know of a way to make a "norton ghost" or "powerquest drive image" like image of an xfs partition that I can read at a later time. Norton and drive image let me back up the xfs partition, but I cannot read files in them.

I own norton and drive image, so I think this time around when I reload the pc. I'm going to make the "/" in an ext3 format, that way I can use norton or powerquest at a later date to open up the image and view/read files from the logs for forensic reasons like this so I can learn how something got in, etc. Tho, I'm still new to linux, so not very much stuff in log files makes sense to me.

I used a "script" file to wipe the boot sector of the drives, then I used nortons boot disk to DoD wipe the drive.

I'm going to make the "/" in an ext3 format, that way I can use norton or powerquest at a later date to open up the image
Norton and PI are dependant on Windows. I'd use them for say FS formats FOSS tools can't understand due to proprietary hassles. I'd say make it any FS you want that *FOSS* tools can read. If you don't want to or can't use "dd" then there's a true cornucopia of tools on Freshmeat and Sourceforge for bit by bit copying disks, making backups etc, etc.


not very much stuff in log files makes sense to me.
So there is a clear necessity for a second opinion. Beats me why you didn't ask for it. I mean, it's what we're here for.