LinuxQuestions.org > Linux - Security

Weird results from CHKrootkit

Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.

01-29-2008, 11:45 PM #1
jim.thornton
Member
Registered: May 2007
Posts: 400

Weird results from CHKrootkit

I think I've got some very weird output from chkrootkit.

Code:
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not infected
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files...
/tmp/pear/cache/Archive_Tar-1.3.2/Archive/Tar.php
/tmp/pear/cache/PEAR-1.6.1/OS/Guess.php
/tmp/pear/cache/PEAR-1.6.1/System.php
/tmp/pear/cache/PEAR-1.6.1/scripts/peclcmd.php
/tmp/pear/cache/PEAR-1.6.1/scripts/pearcmd.php
/tmp/pear/cache/PEAR-1.6.1/PEAR.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/DependencyDB.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/PackageFile/Parser/v1.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/PackageFile/Parser/v2.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/PackageFile/v1.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/PackageFile/v2.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/PackageFile/Generator/v1.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/PackageFile/Generator/v2.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/PackageFile/v2/Validator.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/PackageFile/v2/rw.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Common.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Command/Common.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Command/Package.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Command/Auth.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Command/Test.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Command/Config.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Command/Install.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Command/Mirror.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Command/Channels.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Command/Pickle.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Command/Build.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Command/Remote.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Command/Registry.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Downloader/Package.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Packager.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/RunTest.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Frontend/CLI.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Frontend.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Installer.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/ChannelFile/Parser.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Exception.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Installer/Role.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Installer/Role/Common.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Installer/Role/Php.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Installer/Role/Ext.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Installer/Role/Data.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Installer/Role/Test.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Installer/Role/Doc.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Installer/Role/Script.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Installer/Role/Src.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/PackageFile.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/ErrorStack.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Task/Replace/rw.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Task/Common.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Task/Windowseol.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Task/Windowseol/rw.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Task/Postinstallscript.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Task/Postinstallscript/rw.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Task/Unixeol/rw.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Task/Unixeol.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Task/Replace.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Command.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Config.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Dependency2.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Downloader.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Validator/PECL.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Autoloader.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/REST.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Validate.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Remote.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Builder.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/XMLParser.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/ChannelFile.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Dependency.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/Registry.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/REST/10.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/REST/11.php
/tmp/pear/cache/PEAR-1.6.1/PEAR/REST/13.php
/tmp/pear/cache/Structures_Graph-1.0.2/tests/all-tests.php
/tmp/pear/cache/Structures_Graph-1.0.2/tests/testCase/BasicGraph.php
/tmp/pear/cache/Structures_Graph-1.0.2/Structures/Graph/Node.php
/tmp/pear/cache/Structures_Graph-1.0.2/Structures/Graph/Manipulator/TopologicalSorter.php
/tmp/pear/cache/Structures_Graph-1.0.2/Structures/Graph/Manipulator/AcyclicTest.php

Last edited by jim.thornton; 01-29-2008 at 11:49 PM.

01-29-2008, 11:52 PM #2
jim.thornton
Member
Registered: May 2007
Posts: 400
Original Poster

Here's the second half... I don't know why this garbled text is there:

Code:
/tmp/pear/cache/Structures_Graph-1.0.2/Structures/Graph.php
/tmp/pear/cache/Console_Getopt-1.2.3/Console/Getopt.php

01-29-2008, 11:52 PM #3
jim.thornton
Member
Registered: May 2007
Posts: 400
Original Poster

Finally, part 3:

Code:
__expire_KEY 1201646642KEY'/webmail/skins/default/pngbehavior.htcTIR __expire_KEY 1201665651KEY /robots.txtTIMEOUT3600__key /robots.txt__name resource CREATE_TIME 1201662051UPDATE_COUNTER1alerted_960903_compression1LAST_UPDATE_TIME 1201662051/robots.txtIR __expire_KEY 1201635414KEY$/templates/verve/js/md_fontsizer.jsTIMEOUT3600__key$/templates/verve/js/md_fontsizer.js__name resource CREATE_TIME 1201631814UPDATE_COUNTER1alerted_960903_compressionIR __expire_KEY 1201652170KEY$/templates/verve/js/md_fontsizer.jsTIMEOUT3600__key$/templates/verve/js/md_fontsizer.js__name resource CREATE_TIME 1201648570UPDATE_COUNTER1alerted_960903_compression1LAST_UPDATE_TIME 1201648570/templates/verve/js/md_fontsizIR __expire_KEY
1201652170KEY$/templates/verve/js/md_fontsizer.jsTIMEOUT3600__key$/templates/verve/js/md_fontsizer.js__name resource CREATE_TIME 1201648570UPDATE_COUNTER1alerted_960903_compression1LAST_UPDATE_TIME 1201648570/templates/verve/js/md_fontsizer.jsIR __expire_KEY 1201498092KEY/phpMyAdmin/index.phpTIMEOUT3600__key/phpMyAdmin/index.php__name resource CREATE_TIME 1201494492UPDATE_COUNTER1alerted_960903_compression1LAST_UPDATE_TIME 1201494492/phpMyAdmin/index.phpIR __expire_KEY 1201633327KEY'/webmail/skins/default/googiespell.cssTIMEOUT3600__key'/webmail/skins/default/googiespell.css__name resource CREATE_TIME 1201629727UPDATE_COUNTER1alerted_960903_compression1LAST_UPDATE_TIME 1201629727/webmail/skins/default/googiespell.cssIR __expire_KEY 1200897186KEY#/webmail/skins/default/splitter.jsTIMEOUT3600__key#/webmail/skins/default/splitter.js__name resource CREATE_TIME 1200893586UPDATE_COUNTER1alerted_960903_compression1LAST_UPDATE_TIME 1200893586/webmail/skins/deIR __expire_KEY 1201646656KEY#/webmail/skins/default/splitter.jsTIMEOUT3600__key#/webmail/skins/default/splitter.js__name resource CREATE_TIME 1201643056UPDATE_COUNTER1alerted_960903_compression1LAST_UPDATE_TIME 1201643056/webmail/skins/default/splitter.jsIR __expire_KEY 1200882887KEY /phpmyadmin/TIMEOUT3600__key /phpmyadmin/__name resource CREATE_TIME 1200879287UPDATE_COUNTER1alerted_960903_compression1LAST_UPDATE_TIME 1200879287/phpmyadmin/IR __expire_KEY 1201498093KEY*/phpMyAdmin/themes/original/img/error.icoTIMEOUT3600__key*/phpMyAdmin/themes/original/img/error.ico__name resource CREATE_TIME 1201494493UPDATE_COUNTER1alerted_960903_comprIR __expire_KEY 1201498093IR __expire_KEY 1201633857KEY /includes/jceutils/payments.htmTIMEOUT3600__key /includes/jceutils/payments.htm__name resource CREATE_TIME 1201630257UPDATE_COUNTER1alerted_960903_compression1LAST_UPDATE_TIME 1201630257/includes/jceutils/payments.htmNIIR 
__expire_KEY 1201631764KEY /webmail/program/js/common.jsTIMEOUT3600__key /webmail/program/js/common.js__name resource CREATE_TIME 1201628164UPDATE_COUNTER1alerted_960903_compression1LAST_UPDATE_TIME 1201628164/webmail/program/js/common.jsIR __expire_KEY 1201631725KEY+IR __expire_KEY 1201646642KEY /webmail/program/js/common.jsTIMEOUT3600__key /webmail/program/js/common.js__name resource CREATE_TIME 1201643042UPDATE_COUNTER1alerted_960903_compression1LAST_UPDATE_TIME 1201643042/webmail/program/js/common.jsIR __expire_KEY 1201673919KEY+/mambots/system/jceutils/jscripts/utils.jsTIMEOUT3600__key+/mambots/system/jceutils/jscripts/utils.js__name resource CREATE_TIME 1201670319UPDATE_COUNTER1alerted_960903_compression1LAST_UPDATE_TIME 1201670319/mambots/system/jceutils/jscripts/utils.jsIR __expire_KEY 1200882360KEY PMA_token |s:32:"79765c0876bbfc6324e5928337c4710e";PMA_Config|O:10:"PMA_Config":11:{s:14:"default_source";s:30:"./libraries/config.default.php";s:8:"settings";a:191:{s:14:"PmaAbsoluteUri";s:29:"http://extra6.com/phpMyAdmin/";s:28:"PmaNoRelation_DisableWarning";b:1;s:15:"blowfish_secret";s:0:"";s:13:"ServerDefault";i:1;s:9:"MaxDbList";i:100;s:12:"MaxTableList";i:250;s:27:"MaxCharactersInDisplayedSQL";i:1000;s:6:"OBGzip";s:4:"auto";s:21:"PersistentConnections";b:0;s:8:"ForceSSL";b:0;s:13:"ExecTimeLimit";i:300;s:11:"MemoryLimit";i:0;s:16:"SkipLockedTables";b:0;s:7:"ShowSQL";b:1;s:21:"AllowUserDropDatabase";b:0;s:7:"Confirm";b:1;s:17:"LoginCookieRecall";b:1;s:19:"LoginCookieValidity";i:1800;s:16:"LoginCookieStore";i:0;s:20:"LoginCookieDeleteAll";b:1;s:11:"UseDbSearch";b:1;s:23:"IgnoreMultiSubmitErrors";b:0;s:18:"VerboseMultiSubmit";b:1;s:20:"AllowArbitraryServer";b:0;s:14:"LeftFrameLight";b:1;s:15:"LeftFrameDBTree";b:1;s:20:"LeftFrameDBSeparator";s:1:"_";s:23:"LeftFrameTableSeparator";s:2:"__";s:19:"LeftFrameTableLevel";s:1:"1";s:11:"ShowTooltip";b:1;s:18:"ShowTooltipAliasDB";b:0;s:18:"ShowTooltipAliasTB";b:0;s:15:"LeftDispl
ayLogo";b:1;s:12:"LeftLogoLink";s:8:"main.php";s:18:"LeftLogoLinkWindow";s:4:"main";s:18:"LeftDisplayServers";b:0;s:18:"DisplayServersList";b:0;s:20:"DisplayDatabasesList";s:4:"auto";s:9:"ShowStats";b:1;s:11:"ShowPhpInfo";b:0;s:14:"ShowServerInfo";b:1;s:15:"ShowChgPassword";b:0;s:12:"ShowCreateDb";b:1;s:13:"SuggestDBName";b:1;s:8:"ShowBlob";b:0;s:19:"NavigationBarIconic";b:1;s:7:"ShowAll";b:0;s:7:"MaxRows";i:30;s:5:"Order";s:3:"ASC";s:13:"ProtectBinary";s:4:"blob";s:18:"ShowFunctionFields";b:1;s:11:"CharEditing";s:5:"input";s:10:"InsertRows";i:2;s:23:"ForeignKeyDropdownOrder";a:2:{i:0;s:10:"content-id";i:1;s:10:"id-content";}s:18:"ForeignKeyMaxLimit";i:100;s:7:"ZipDump";b:1;s:8:"GZipDump";b:1;s:8:"BZipDump";b:1;s:13:"CompressOnFly";b:1;s:9:"LightTabs";b:0;s:16:"PropertiesIconic";b:1;s:20:"PropertiesNumColumns";i:1;s:16:"DefaultTabServer";s:8:"main.php";s:18:"DefaultTabDatabase";s:16:"db_structure.php";s:15:"DefaultTabTable";s:17:"tbl_structure.php";s:6:"Export";a:77:{s:6:"format";s:3:"sql";s:11:"compression";s:4:"none";s:6:"asfile";b:0;s:7:"charset";s:0:"";s:8:"onserver";b:0;s:18:"onserver_overwrite";b:0;s:22:"remember_file_template";b:1;s:19:"file_template_table";s:9:"__TABLE__";s:22:"file_template_database";s:6:"__DB__";s:20:"file_template_server";s:10:"__SERVER__";s:11:"ods_columns";b:0;s:8:"ods_null";s:4:"NULL";s:13:"odt_structure";b:1;s:8:"odt_data";b:1;s:11:"odt_columns";b:1;s:12:"odt_relation";b:1;s:12:"odt_comments";b:1;s:8:"odt_mime";b:1;s:8:"odt_null";s:4:"NULL";s:17:"htmlexcel_columns";b:0;s:14:"htmlexcel_null";s:4:"NULL";s:18:"htmlword_structure";b:1;s:13:"htmlword_data";b:1;s:16:"htmlword_columns";b:0;s:13:"htmlword_null";s:4:"NULL";s:11:"xls_columns";b:0;s:8:"xls_null";s:4:"NULL";s:11:"csv_columns";b:0;s:8:"csv_null";s:4:"NULL";s:13:"csv_separator";s:1:";";s:12:"csv_enclosed";s:6:""";s:11:"csv_escaped";s:1:"\";s:14:"csv_terminated";s:4:"AUTO";s:13:"excel_columns";b:0;s:10:"excel_null";s:4:"NULL";s:13:"excel_edition";s:3:"win";s:15:"latex_structure";b:1
;s:10:"latex_data";b:1;s:13:"latex_columns";b:1;s:14:"latex_relation";b:1;s:14:"latex_comments";b:1;s:10:"latex_mime";b:1;s:10:"latex_null";s:13:"\textit{NULL}";s:13:"latex_caption";b:1;s:23:"latex_structure_caption";s:17:"strLatexStructure";s:33:"latex_structure_continued_caption";s:35:"strLatexStructure strLatexContinued";s:18:"latex_data_caption";s:15:"strLatexContent";s:28:"latex_data_continued_caption";s:33:"strLatexContent strLatexContinued";s:16:"latex_data_label";s:18:"tab:__TABLE__-data";s:21:"latex_structure_label";s:23:"tab:__TABLE__-structure";s:13:"sql_structure";b:1;s:8:"sql_data";b:1;s:17:"sql_compatibility";s:4:"NONE";s:14:"sql_disable_fk";b:0;s:19:"sql_use_transaction";b:0;s:17:"sql_drop_database";b:0;s:14:"sql_drop_table";b:0;s:17:"sql_if_not_exists";b:0;s:22:"sql_procedure_function";b:0;s:18:"sql_auto_increment";b:1;s:14:"sql_backquotes";b:1;s:9:"sql_dates";b:0;s:12:"sql_relation";b:0;s:11:"sql_columns";b:0;s:11:"sql_delayed";b:0;s:10:"sql_ignore";b:0;s:16:"sql_hex_for_blob";b:1;s:8:"sql_type";s:6:"insert";s:12:"sql_extended";b:0;s:18:"sql_max_query_size";i:50000;s:12:"sql_comments";b:0;s:8:"sql_mime";b:0;s:18:"sql_header_comment";s:0:"";s:13:"pdf_structure";b:0;s:8:"pdf_data";b:1;s:16:"pdf_report_title";s:0:"";s:18:"sql_hex_for_binary";b:1;}s:6:"Import";a:17:{s:6:"format";s:3:"sql";s:15:"allow_interrupt";b:1;s:12:"skip_queries";s:1:"0";s:17:"sql_compatibility";s:4:"NONE";s:11:"csv_replace";b:0;s:14:"csv_terminated";s:1:";";s:12:"csv_enclosed";s:1:""";s:11:"csv_escaped";s:1:"\";s:12:"csv_new_line";s:4:"auto";s:11:"csv_columns";s:0:"";s:11:"ldi_replace";b:0;s:14:"ldi_terminated";s:1:";";s:12:"ldi_enclosed";s:1:""";s:11:"ldi_escaped";s:1:"\";s:12:"ldi_new_line";s:4:"auto";s:11:"ldi_columns";s:0:"";s:16:"ldi_local_option";s:4:"auto";}s:15:"MySQLManualBase";s:33:"http://dev.mysql.com/doc/mysql/en";s:15:"MySQLManualType";s:10:"searchable";s:12:"PDFPageSizes";a:5:{i:0;s:2:"A3";i:1;s:2:"A4";i:2;s:2:"A5";i:3;s:6:"letter";i:4;s:5:"legal";}s:18:"PDFDefaultP
ageSize";s:2:"A4";s:11:"DefaultLang";s:13:"en-iso-8859-1";s:26:"DefaultConnectionCollation";s:15:"utf8_unicode_ci";s:15:"FilterLanguages";s:0:"";s:14:"DefaultCharset";s:10:"iso-8859-1";s:21:"AllowAnywhereRecoding";b:0;s:14:"RecodingEngine";s:4:"auto";s:16:"IconvExtraParams";s:0:"";s:17:"AvailableCharsets";a:30:{i:0;s:10:"iso-8859-1";i:1;s:10:"iso-8859-2";i:2;s:10:"iso-8859-3";i:3;s:10:"iso-8859-4";i:4;s:10:"iso-8859-5";i:5;s:10:"iso-8859-6";i:6;s:10:"iso-8859-7";i:7;s:10:"iso-8859-8";i:8;s:10:"iso-8859-9";i:9;s:11:"iso-8859-10";i:10;s:11:"iso-8859-11";i:11;s:11:"iso-8859-12";i:12;s:11:"iso-8859-13";i:13;s:11:"iso-8859-14";i:14;s:11:"iso-8859-15";i:15;s:12:"windows-1250";i:16;s:12:"windows-1251";i:17;s:12:"windows-1252";i:18;s:12:"windows-1256";i:19;s:12:"windows-1257";i:20;s:6:"koi8-r";i:21;s:4:"big5";i:22;s:6:"gb2312";i:23;s:5:"utf-8";i:24;s:5:"utf-7";i:25;s:14:"x-user-defined";i:26;s:6:"euc-jp";i:27;s:14:"ks_c_5601-1987";i:28;s:7:"tis-620";i:29;s:9:"SHIFT_JIS";}s:17:"LeftPointerEnable";b:1;s:19:"BrowsePointerEnable";b:1;s:18:"BrowseMarkerEnable";b:1;s:12:"TextareaCols";i:40;s:12:"TextareaRows";i:7;s:22:"LongtextDoubleTextarea";b:1;s:18:"TextareaAutoSelect";b:1;s:16:"CharTextareaCols";i:40;s:16:"CharTextareaRows";i:2;s:16:"CtrlArrowsMoving";b:1;s:10:"LimitChars";i:50;s:18:"ModifyDeleteAtLeft";b:1;s:19:"ModifyDeleteAtRight";b:0;s:14:"DefaultDisplay";s:10:"horizontal";s:18:"DefaultPropDisplay";s:10:"horizontal";s:14:"HeaderFlipType";s:3:"css";s:18:"ShowBrowseComments";b:1;s:20:"ShowPropertyComments";b:1;s:11:"RepeatCells";i:100;s:12:"EditInWindow";b:1;s:16:"QueryWindowWidth";i:600;s:17:"QueryWindowHeight";i:400;s:14:"QueryHistoryDB";b:0;s:17:"QueryWindowDefTab";s:3:"sql";s:15:"QueryHistoryMax";i:25;s:10:"BrowseMIME";b:1;s:13:"MaxExactCount";i:20000;s:18:"MaxExactCountViews";i:0;s:11:"WYSIWYG-PDF";b:1;s:12:"NaturalOrder";b:1;s:10:"TitleTable";s:61:"@HTTP_HOST@ / @VSERVER@ / @DATABASE@ / @TABLE@ | @PHPMYADMIN@";s:13:"TitleDatabase";s:51:"@HTTP_HOST@ / @VSERVER@ / 
@DATABASE@ | @PHPMYADMIN@";s:11:"TitleServer";s:38:"@HTTP_HOST@ / @VSERVER@ | @PHPMYADMIN@";s:12:"TitleDefault";s:26:"@HTTP_HOST@ | @PHPMYADMIN@";s:11:"ErrorIconic";b:1;s:14:"MainPageIconic";b:1;s:14:"ReplaceHelpImg";b:1;s:9:"ThemePath";s:8:"./themes";s:12:"ThemeManager";b:1;s:12:"ThemeDefault";s:8:"original";s:14:"ThemePerServer";b:0;s:17:"DefaultQueryTable";s:24:"SELECT * FROM %t WHERE 1";s:20:"DefaultQueryDatabase";s:0:"";s:8:"SQLQuery";a:5:{s:4:"Edit";b:1;s:7:"Explain";b:1;s:9:"ShowAsPHP";b:1;s:8:"Validate";b:0;s:7:"Refresh";b:1;}s:9:"UploadDir";s:0:"";s:7:"SaveDir";s:0:"";s:7:"TempDir";s:0:"";s:12:"GD2Available";s:4:"auto";s:14:"TrustedProxies";a:0:{}s:3:"SQP";a:4:{s:7:"fmtType";s:4:"html";s:6:"fmtInd";s:1:"1";s:10:"fmtIndUnit";s:2:"em";s:8:"fmtColor";a:21:{s:7:"comment";s:7:"#808000";s:13:"comment_mysql";s:0:"";s:12:"comment_ansi";s:0:"";s:9:"comment_c";s:0:"";s:5:"digit";s:0:"";s:9:"digit_hex";s:4:"teal";s:13:"digit_integer";s:4:"teal";s:11:"digit_float";s:4:"aqua";s:5:"punct";s:7:"fuchsia";s:5:"alpha";s:0:"";s:16:"alpha_columnTy 
pe";s:7:"#FF9900";s:18:"alpha_columnAttrib";s:7:"#0000FF";s:18:"alpha_reservedWord";s:7:"#990099";s:18:"alpha_functionName";s:7:"#FF0000";s:16:"alpha_identifier";s:5:"black";s:13:"alpha_charset";s:7:"#6495ed";s:14:"alpha_variable";s:7:"#800000";s:5:"quote";s:7:"#008000";s:12:"quote_double";s:0:"";s:12:"quote_single";s:0:"";s:14:"quote_backtick";s:0:"";}}s:12:"SQLValidator";a:3:{s:3:"use";b:0;s:8:"username";s:0:"";s:8:"password";s:0:"";}s:3:"DBG";a:2:{s:6:"enable";b:0;s:7:"profile";a:2:{s:6:"enable";b:0;s:9:"threshold";d:0.5;}}s:11:"ColumnTypes";a:27:{i:0;s:7:"VARCHAR";i:1;s:7:"TINYINT";i:2;s:4:"TEXT";i:3;s:4:"DATE";i:4;s:8:"SMALLINT";i:5;s:9:"MEDIUMINT";i:6;s:3:"INT";i:7;s:6:"BIGINT";i:8;s:5:"FLOAT";i:9;s:6:"DOUBLE";i:10;s:7:"DECIMAL";i:11;s:8:"DATETIME";i:12;s:9:"TIMESTAMP";i:13;s:4:"TIME";i:14;s:4:"YEAR";i:15;s:4:"CHAR";i:16;s:8:"TINYBLOB";i:17;s:8:"TINYTEXT";i:18;s:4:"BLOB";i:19;s:10:"MEDIUMBLOB";i:20;s:10:"MEDIUMTEXT";i:21;s:8:"LONGBLOB";i:22;s:8:"LONGTEXT";i:23;s:4:"ENUM";i:24;s:3:"SET";i:25;s:6:"BINARY";i:26;s:9:"VARBINARY";}s:14:"AttributeTypes";a:4:{i:0;s:0:"";i:1;s:6:"BINARY";i:2;s:8:"UNSIGNED";i:3;s:17:"UNSIGNED 
ZEROFILL";}s:9:"Functions";a:26:{i:0;s:5:"ASCII";i:1;s:4:"CHAR";i:2;s:7:"SOUNDEX";i:3;s:5:"LCASE";i:4;s:5:"UCASE";i:5;s:3:"NOW";i:6;s:8:"PASSWORD";i:7;s:3:"MD5";i:8;s:4:"SHA1";i:9;s:7:"ENCRYPT";i:10;s:4:"RAND";i:11;s:14:"LAST_INSERT_ID";i:12;s:5:"COUNT";i:13;s:3:"AVG";i:14;s:3:"SUM";i:15;s:7:"CURDATE";i:16;s:7:"CURTIME";i:17;s:9:"FROM_DAYS";i:18;s:13:"FROM_UNIXTIME";i:19;s:10:"PERIOD_ADD";i:20;s:11:"PERIOD_DIFF";i:21;s:7:"TO_DAYS";i:22;s:14:"UNIX_TIMESTAMP";i:23;s:4:"USER";i:24;s:7:"WEEKDAY";i:25;s:6:"CONCAT";}s:19:"RestrictColumnTypes";a:25:{s:7:"VARCHAR";s:9:"FUNC_CHAR";s:7:"TINYINT";s:11:"FUNC_NUMBER";s:4:"TEXT";s:9:"FUNC_CHAR";s:4:"DATE";s:9:"FUNC_DATE";s:8:"SMALLINT";s:11:"FUNC_NUMBER";s:9:"MEDIUMINT";s:11:"FUNC_NUMBER";s:3:"INT";s:11:"FUNC_NUMBER";s:6:"BIGINT";s:11:"FUNC_NUMBER";s:5:"FLOAT";s:11:"FUNC_NUMBER";s:6:"DOUBLE";s:11:"FUNC_NUMBER";s:7:"DECIMAL";s:11:"FUNC_NUMBER";s:8:"DATETIME";s:9:"FUNC_DATE";s:9:"TIMESTAMP";s:9:"FUNC_DATE";s:4:"TIME";s:9:"FUNC_DATE";s:4:"YEAR";s:9:"FUNC_DATE";s:4:"CHAR";s:9:"FUNC_CHAR";s:8:"TINYBLOB";s:9:"FUNC_CHAR";s:8:"TINYTEXT";s:9:"FUNC_CHAR";s:4:"BLOB";s:9:"FUNC_CHAR";s:10:"MEDIUMBLOB";s:9:"FUNC_CHAR";s:10:"MEDIUMTEXT";s:9:"FUNC_CHAR";s:8:"LONGBLOB";s:9:"FUNC_CHAR";s:8:"LONGTEXT";s:9:"FUNC_CHAR";s:4:"ENUM";s:0:"";s:3:"SET";s:0:"";}s:17:"RestrictFunctions";a:3:{s:9:"FUNC_CHAR";a:12:{i:0;s:5:"ASCII";i:1;s:4:"CHAR";i:2;s:7:"SOUNDEX";i:3;s:5:"LCASE";i:4;s:5:"UCASE";i:5;s:8:"PASSWORD";i:6;s:3:"MD5";i:7;s:4:"SHA1";i:8;s:7:"ENCRYPT";i:9;s:14:"LAST_INSERT_ID";i:10;s:4:"USER";i:11;s:6:"CONCAT";}s:9:"FUNC_DATE";a:10:{i:0;s:3:"NOW";i:1;s:7:"CURDATE";i:2;s:7:"CURTIME";i:3;s:9:"FROM_DAYS";i:4;s:13:"FROM_UNIXTIME";i:5;s:10:"PERIOD_ADD";i:6;s:11:"PERIOD_DIFF";i:7;s:7:"TO_DAYS";i:8;s:14:"UNIX_TIMESTAMP";i:9;s:7:"WEEKDAY";}s:11:"FUNC_NUMBER";a:10:{i:0;s:5:"ASCII";i:1;s:4:"CHAR";i:2;s:3:"MD5";i:3;s:4:"SHA1";i:4;s:7:"ENCRYPT";i:5;s:4:"RAND";i:6;s:14:"LAST_INSERT_ID";i:7;s:5:"COUNT";i:8;s:3:"AVG";i:9;s:3:"SUM";}}s:16:"DefaultFunctions";a:4:{s:9:"
FUNC_CHAR";s:0:"";s:9:"FUNC_DATE";s:0:"";s:11:"FUNC_NUMBER";s:0:"";s:15:"first_timestamp";s:3:"NOW";}s:12:"NumOperators";a:8:{i:0;s:1:"=";i:1;s:1:">";i:2;s:2:">=";i:3;s:1:"<";i:4;s:2:"<=";i:5;s:2:"!=";i:6;s:4:"LIKE";i:7;s:8:"NOT LIKE";}s:13:"TextOperators";a:7:{i:0;s:4:"LIKE";i:1;s:10:"LIKE %...%";i:2;s:8:"NOT LIKE";i:3;s:1:"=";i:4;s:2:"!=";i:5;s:6:"REGEXP";i:6;s:10:"NOT REGEXP";}s:13:"EnumOperators";a:2:{i:0;s:1:"=";i:1;s:2:"!=";}s:12:"SetOperators";a:2:{i:0;s:2:"IN";i:1;s:6:"NOT IN";}s:13:"NullOperators";a:2:{i:0;s:7:"IS NULL";i:1;s:11:"IS NOT NULL";}s:14:"UnaryOperators";a:2:{s:7:"IS NULL";i:1;s:11:"IS NOT NULL";i:1;}s:8:"fontsize";s:3:"82%";s:29:"PmaAbsoluteUri_DisableWarning";b:1;s:7:"Servers";a:1:{i:1;a:31:{s:4:"host";s:9:"localhost";s:4:"port";s:0:"";s:6:"socket";s:0:"";s:3:"ssl";b:0;s:12:"connect_type";s:3:"tcp";s:9:"extension";s:5:"mysql";s:8:"compress";b:0;s:11:"controluser";s:0:"";s:11:"controlpass";s:0:"";s:9:"auth_type";s:4:"http";s:4:"user";s:4:"root";s:8:"password";s:0:"";s:13:"SignonSession";s:0:"";s:9:"SignonURL";s:0:"";s:9:"LogoutURL";s:0:"";s:10:"nopassword";b:0;s:7:"only_db";s:0:"";s:7:"hide_db";s:0:"";s:7:"verbose";s:0:"";s:5:"pmadb";s:0:"";s:13:"bookmarktable";s:0:"";s:8:"relation";s:0:"";s:10:"table_info";s:0:"";s:12:"table_coords";s:0:"";s:9:"pdf_pages";s:0:"";s:11:"column_info";s:0:"";s:7:"history";s:0:"";s:15:"designer_coords";s:0:"";s:13:"verbose_check";b:1;s:9:"AllowRoot";b:1;s:9:"AllowDeny";a:2:{s:5:"order";s:0:"";s:5:"rules";a:0:{}}}}s:6:"Server";a:31:{s:4:"host";s:9:"localhost";s:4:"port";s:0:"";s:6:"socket";s:0:"";s:3:"ssl";b:0;s:12:"connect_type";s:3:"tcp";s:9:"extension";s:5:"mysql";s:8:"compress";b:0;s:11:"controluser";s:0:"";s:11:"controlpass";s:0:"";s:9:"auth_type";s:4:"http";s:4:"user";s:15:"theverve_joomla";s:8:"password";s:11:"valleyskate";s:13:"SignonSession";s:0:"";s:9:"SignonURL";s:0:"";s:9:"LogoutURL";s:0:"";s:10:"nopassword";b:0;s:7:"only_db";s:0:"";s:7:"hide_db";s:0:"";s:7:"verbose";s:0:"";s:5:"pmadb";s:0:"";s:13:"bookma
rktable";s:0:"";s:8:"relation";s:0:"";s:10:"table_info";s:0:"";s:12:"table_coords";s:0:"";s:9:"pdf_pages";s:0:"";s:11:"column_info";s:0:"";s:7:"history";s:0:"";s:15:"designer_coords";s:0:"";s:13:"verbose_check";b:1;s:9:"AllowRoot";b:1;s:9:"AllowDeny";a:2:{s:5:"order";s:0:"";s:5:"rules";a:0:{}}}s:13:"ShowMysqlInfo";b:0;s:13:"ShowMysqlVars";b:0;s:10:"QueryFrame";b:1;s:12:"QueryFrameJS";b:1;s:17:"ShowHttpHostTitle";b:1;s:16:"SetHttpHostTitle";s:0:"";s:9:"docSQLDir";s:0:"";s:12:"FileRevision";s:17:"$Revision: 2.41 $";s:20:"collation_connection";s:15:"utf8_unicode_ci";s:11:"PMA_VERSION";s:6:"2.11.3";s:17:"PMA_THEME_VERSION";i:2;s:20:"PMA_THEME_GENERATION";i:2;s:19:"PMA_PHP_INT_VERSION";i:50205;s:19:"PMA_PHP_STR_VERSION";s:5:"5.2.5";s:14:"PMA_IS_WINDOWS";i:0;s:10:"PMA_IS_IIS";i:0;s:10:"PMA_IS_GD2";i:1;s:10:"PMA_USR_OS";s:3:"Win";s:19:"PMA_USR_BROWSER_VER";s:3:"5.0";s:21:"PMA_USR_BROWSER_AGENT";s:7:"MOZILLA";s:13:"enable_upload";b:1;s:15:"max_upload_size";i:2097152;s:8:"is_https";b:0;s:9:"NaviWidth";i:200;s:9:"NaviColor";s:7:"#000000";s:14:"NaviBackground";s:7:"#D0DCE0";s:16:"NaviPointerColor";s:7:"#000000";s:21:"NaviPointerBackground";s:7:"#9999CC";s:21:"NaviDatabaseNameColor";s:7:"#0000FF";s:9:"MainColor";s:7:"#000000";s:14:"MainBackground";s:7:"#F5F5F5";s:18:"BrowsePointerColor";s:7:"#000000";s:23:"BrowsePointerBackground";s:7:"#CCFFCC";s:17:"BrowseMarkerColor";s:7:"#000000";s:22:"BrowseMarkerBackground";s:7:"#FFCC99";s:10:"FontFamily";s:10:"sans-serif";s:15:"FontFamilyFixed";s:9:"monospace";s:6:"Border";i:0;s:12:"ThBackground";s:7:"#D3DCE3";s:7:"ThColor";s:7:"#000000";s:5:"BgOne";s:7:"#E5E5E5";s:5:"BgTwo";s:7:"#D5D5D5";s:12:"theme-update";s:8:"original";s:8:"Bookmark";a:0:{}}s:6:"source";s:16:"./config.inc.php";s:12:"source_mtime";i:1200794208;s:20:"default_source_mtime";i:1197118043;s:9:"set_mtime";i:1201494488;s:17:"error_config_file";b:0;s:25:"error_config_default_file";b:0;s:13:"error_pma_uri";b:0;s:14:"default_server";a:31:{s:4:"host";s:9:"localhost";s:4:"port";s:
0:"";s:6:"socket";s:0:"";s:3:"ssl";b:0;s:12:"connect_type";s:3:"tcp";s:9:"extension";s:5:"mysql";s:8:"compress";b:0;s:11:"controluser";s:0:"";s:11:"controlpass";s:0:"";s:9:"auth_type";s:6:"config";s:4:"user";s:4:"root";s:8:"password";s:0:"";s:13:"SignonSession";s:0:"";s:9:"SignonURL";s:0:"";s:9:"LogoutURL";s:0:"";s:10:"nopassword";b:0;s:7:"only_db";s:0:"";s:7:"hide_db";s:0:"";s:7:"verbose";s:0:"";s:5:"pmadb";s:0:"";s:13:"bookmarktable";s:0:"";s:8:"relation";s:0:"";s:10:"table_info";s:0:"";s:12:"table_coords";s:0:"";s:9:"pdf_pages";s:0:"";s:11:"column_info";s:0:"";s:7:"history";s:0:"";s:15:"designer_coords";s:0:"";s:13:"verbose_check";b:1;s:9:"AllowRoot";b:1;s:9:"AllowDeny";a:2:{s:5:"order";s:0:"";s:5:"rules";a:0:{}}}s:4:"done";b:0;}PMA_Theme_Manager|O:17:"PMA_Theme_Manager":7:{s:12:"_themes_path";s:8:"./themes";s:6:"themes";a:2:{s:15:"darkblue_orange";O:9:"PMA_Theme":7:{s:7:"version";s:3:"2.9";s:4:"name";s:15:"Darkblue/orange";s:2:"id";s:15:"darkblue_orange";s:4:"path";s:24:"./themes/darkblue_orange";s:8:"img_path";s:29:"./themes/darkb lue_orange/img/";s:5:"types";a:3:{i:0;s:4:"left";i:1;s:5:"right";i:2;s:5:"print";}s:10:"mtime_info";i:1197118043;}s:8:"original";O:9:"PMA_Theme":7:{s:7:"version";s:3:"2.9";s:4:"name";s:8:"Original";s:2:"id";s:8:"original";s:4:"path";s:17:"./themes/original";s:8:"img_path";s:22:"./themes/original/img/";s:5:"types";a:3:{i:0;s:4:"left";i:1;s:5:"right";i:2;s:5:"print";}s:10:"mtime_info";i:1197118043;}}s:11:"cookie_name";s:9:"pma_theme";s:10:"per_server";b:0;s:12:"active_theme";s:8:"original";s:5:"theme";O:9:"PMA_Theme":7:{s:7:"version";s:3:"2.9";s:4:"name";s:8:"Original";s:2:"id";s:8:"original";s:4:"path";s:17:"./themes/original";s:8:"img_path";s:22:"./themes/original/img/";s:5:"types";a:3:{i:0;s:4:"left";i:1;s:5:"right";i:2;s:5:"print";}s:10:"mtime_info";i:1197118043;}s:13:"theme_default";s:8:"original";}PMA_Theme|r:645;navi_limit_offset|i:0;table_limit_offset|i:0;^  Searching for anomalies in shell history files... 
nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... not tested: can't exec
Checking `rexedcs'... not found
Checking `sniffer'... not tested: can't exec ./ifpromisc
Checking `w55808'... not infected
Checking `wted'... not tested: can't exec ./chkwtmp
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... not tested: can't exec ./chklastlog
Checking `chkutmp'... not tested: can't exec ./chkutmp

Any help as to why this is doing this would be greatly appreciated.

01-30-2008, 07:25 AM #4
unSpawn
Moderator
Registered: May 2001
Posts: 29,219
Blog Entries: 55

0. Not the right PWD.
Quote:
Checking `ldsopreload'... can't exec ./strings-static, not tested
This means you didn't run CRT from the directory where it resides, and that is a bad idea since it still can't find the compiled helper binaries on its own.

1. Suspicious files.
Quote:
Searching for suspect PHP files...
New in CRT-0.48, the code looks like this:
Code:
if [ "${QUIET}" != "t" ]; then printn "Searching for suspect PHP files... "; fi
files="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -name '*.php' 2> /dev/null`"
fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec head -1 {} \; | grep php 2> /dev/null`"
This piece of code searches the directories "/tmp" and "/var/tmp" for filenames that end in ".php". The first line of each result is then grepped for the string "php" and the result of that is shown.

There are a few problems attached to this:
- it is an inflexible approach: the directory names are hardcoded in the source; what if you configured another directory?
- it is crude: only filenames that end in ".php" are found, no variations like, say, ".php3", include files, or PHP files that just don't have the extension,
- it is not doing anything but signalling that a file has the case-sensitive string "php",
- its header says "suspect", but that is only true if there should not be any PHP scripts in temporary directories (which shouldn't be the case); a script is only hostile if the PHP code allows hostile actions.

You'll see false positives if you run CRT while using /tmp as a temporary directory for unpacking and installing PHP-based applications. Not to promote Rootkit Hunter, but that's why I added "suspscan" (which is off by default) to be configurable and only look for terms (updates and additions welcome) that signal hostile intentions.

2. Dunno
I think we're missing some lines before "Searching for anomalies in shell history files... nothing found". Maybe you didn't paste right.
I'd run CRT again in debug mode (cd /wherever/its/installedorcompiled; sh -vx ./chkrootkit --any-args-you-need 2>&1 | tee ./chkrootkit.tee ) and attach that to a post to the crt-users mailing list for Nelson to answer.
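As an added illustration (editor's example, not chkrootkit code and not part of unSpawn's post), here is the "suspect PHP files" check rewritten along the lines of the four objections above: the directories are arguments rather than hardcoded, every regular file is a candidate rather than only `*.php`, a file is reported only when one of its first two lines carries a PHP open tag rather than merely containing the string "php", binary files such as the cache blob pasted in this thread are skipped instead of dumped, and an optional ignore glob covers places like a PEAR unpack directory that are expected to hold PHP. The variable name `SUSPECT_PHP_IGNORE` and the function names are assumptions of this example, not chkrootkit options.

```shell
#!/bin/sh
# Added example, not chkrootkit code and not part of unSpawn's post: a
# less crude "suspect PHP files" check following the objections above.
#   - the directories to scan are arguments, not the hardcoded /tmp and /var/tmp
#   - every regular file is a candidate, not only names ending in ".php"
#   - a file is reported only when one of its first two lines carries a PHP
#     open tag (<?php or <?=), not when it merely contains the string "php"
#   - files whose first 512 bytes contain a NUL byte are treated as binary and
#     skipped, so a cache blob like the one pasted in the thread is neither
#     flagged nor dumped to the terminal
#   - SUSPECT_PHP_IGNORE (an assumed name, not a chkrootkit option) is an
#     optional shell glob for paths that are expected to hold PHP, e.g. a PEAR
#     unpack directory under /tmp
# A hit still only means "a PHP script sits in a temporary directory"; whether
# it is hostile needs someone to read the code.

LC_ALL=C
export LC_ALL

# is_binary FILE: true when the first 512 bytes contain a NUL byte.
is_binary() {
    nuls=$(dd if="$1" bs=512 count=1 2>/dev/null | tr -cd '\000' | wc -c)
    [ "$((nuls))" -gt 0 ]
}

# php_open_tag FILE: true when one of the first two lines (the first may be
# a #! line) carries a PHP open tag.
php_open_tag() {
    head_lines=$(head -n 2 "$1" 2>/dev/null | cut -c1-256)
    case $head_lines in
        *'<?php'*|*'<?='*) return 0 ;;
    esac
    return 1
}

# suspect_php DIR...: print the path of every suspect file, one per line.
suspect_php() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f 2>/dev/null | while IFS= read -r f; do
            if [ -n "${SUSPECT_PHP_IGNORE:-}" ]; then
                case $f in $SUSPECT_PHP_IGNORE) continue ;; esac
            fi
            if is_binary "$f"; then
                continue
            fi
            if php_open_tag "$f"; then
                printf '%s\n' "$f"
            fi
        done
    done
    return 0
}

# Run directly with the directories to check, for example:
#   sh suspect_php.sh /tmp /var/tmp
if [ $# -gt 0 ]; then
    suspect_php "$@"
fi
```

Scanning every regular file costs more than a `-name '*.php'` match, but it is what catches the include files and extension-less scripts the post lists; the NUL-byte test is the same cheap heuristic `grep` uses to decide a file is binary.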
