Earlier today (~5 PM), I noticed my computer running very slowly. I opened top, saw "basename" running using 99% CPU. I looked at the tree view in ksysguard and saw that crond was running it. I took a look at my crontab, nothing out of the ordinary. Took a look at the contents of /etc/cron.*/* (this is on Slackware, daily, hourly, and weekly auto scripts are put in there and run with run-parts, which is how this was being run), and saw this:
Nothing out of the ordinary at ALL, but basename was running (not in there) at a weird time (5 PM shouldn't have anything running via cron)... at this point I didn't think much of it, and killed the process and went on with what I was doing.
Later (~8:30 PM), while I was working on my log analyser (in pygtk, tails logs, highlights IPs, click IPs to get info on them such as reverse DNS), I noticed a lot of packets being dropped by my egress firewall rules going OUT of my computer to IPs that were standard DSL, cable, etc. by looking at the reverse DNSs. I started getting suspicious then. I ran rkhunter, and got this:
Determining OS... Warning: this operating system is not fully supported!
Warning: Cannot find md5_not_known
All MD5 checks will be skipped!
I immediately locked down my computer at that point (unplugged my ethernet cord, turned on "unplugged" firewall mode so that even if the cord magically plugged itself back in nothing was going to go in or out). I then looked at the processes running, (I know, I have a proper rootkit installed and this doesn't matter), took a look at netstat, etc. I found out that "wget" had a socket open. Looked at "ps aux | grep wget" and saw that wget was running with identical switches to my Slackware updating bash script I wrote, and downloading a file that wget downloads on my updating script. I took a look at the rules again, and noticed that they were on ports tor uses (9030), but I have blocked (I have 9001-9009 or so allowed), and so those logs I've ruled out as false positives, too.
chkrootkit and my own hash databasing script brought up nothing as well.
Right now, I'm only on medium-low alert, and just want explanations for three things, and then I'll be certain that this was a false positive.
1) Why was basename running at a weird time under the crond, run-parts processes? Does updatedb call it? I'm almost certain rmmod and logrotate don't.
2) Why was basename using 99% CPU?
3) Why is rkhunter crippled, and how do I fix it? I haven't run rkhunter in a while (1-2 weeks, my status cron script is broken right now so it doesn't automatically email me all the status stuff like it used to), so this might be a problem with some updates on Slackware recently.
I tried re-downloading rkhunter, and it's still not working. md5sum is working fine, and rkhunter normally runs fine...
Any ideas for these?
EDIT: I was also thinking of letting my egress filtering go to normal filtering (allow all outgoing) for ~1 week or so and see if my IP shows up on dshield or not.
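The "hash databasing" check mentioned in the post, written out as an added example that is not the poster's script and not part of the original post: it records SHA-256, size and mode for every regular file under a directory (for instance the /etc/cron.* script directories the post is inspecting), saves that baseline as JSON, and on a later run reports files that were added, removed or changed. The directory layout, file names and contents used in demo() are constructed for the illustration.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def hash_file(path, algo="sha256", chunk=65536):
    """Hash a file in fixed-size chunks so large files do not load into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative path) to its digest, size and mode.
    Symlinks are skipped so a link pointing elsewhere cannot mask a replaced file."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            st = os.lstat(p)
            baseline[os.path.relpath(p, root)] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": st.st_mode,
            }
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return sorted lists of paths that appeared, vanished, or whose record differs."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(k for k in old & new if baseline[k] != current[k]),
    }


def demo():
    """Constructed demonstration: baseline a scratch cron.daily directory,
    modify one script and add another, then report what the comparison finds."""
    root = tempfile.mkdtemp(prefix="hashdb_demo_")
    try:
        scripts = Path(root) / "cron.daily"
        scripts.mkdir()
        # Constructed sample scripts standing in for the real run-parts entries.
        (scripts / "logrotate").write_text("#!/bin/sh\n/usr/sbin/logrotate /etc/logrotate.conf\n")
        (scripts / "updatedb").write_text("#!/bin/sh\n/usr/bin/updatedb\n")
        db = Path(root) / "baseline.json"
        save_baseline(build_baseline(scripts), db)

        # Simulate drift: one script gains a line, a new script appears.
        with open(scripts / "logrotate", "a") as f:
            f.write("echo changed\n")
        (scripts / "zz-new").write_text("#!/bin/sh\n")

        return compare(load_baseline(db), build_baseline(scripts))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    # Expected: logrotate changed, zz-new added, nothing removed.
    print(json.dumps(demo(), indent=2))
```

To be useful after a suspected compromise, the baseline JSON has to have been written while the system was still trusted and kept somewhere the machine cannot rewrite (removable media or a copy on another host); a baseline regenerated after the fact only confirms the current state, which is the same limitation the post notes for tools run on a box that may already be rootkitted.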