LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.
Old 01-20-2009, 03:45 AM   #1
zoran119
Member
 
Registered: Dec 2007
Posts: 215

Rep: Reputation: 18
Chkrootkit and Rootkit Hunter warnings?


Talking about security... I just installed chkrootkit and rkhunter and these are the warnings I got. I need some help interpreting them. Can you comment or give me some docs to help me interpret them?

Thank you.

rkhunter
Code:
[20:20:03] Warning: The command '/bin/groups' has been replaced by a script: /bin/groups: Bourne shell script text executable

[20:20:10] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable

[20:20:15] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable

[20:20:18] Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: Bourne-Again shell script text executable

[20:21:18]   Checking for enabled inetd services             [ Warning ]
[20:21:19] Warning: Found enabled inetd service: time
[20:21:19] Warning: Found enabled inetd service: time
[20:21:19] Warning: Found enabled inetd service: comsat
[20:21:19] Warning: Found enabled inetd service: auth

[20:21:36] Warning: Unable to check for passwd file differences: no copy of the passwd file exists

[20:21:36] Warning: Unable to check for group file differences: no copy of the group file exists.

1. I have had a look at the scripts (groups, ldd) and I cannot tell if they are the genuine ones. All I know is that they have the copyright comment at the start. How do I tell if these are OK?
2. Should these services be disabled?
3. Should I have copies of passwd and group?

chkrootkit
Code:
Warning: crontab for nobody found, possible Lupper.Worm... 

/usr/lib/php/.lock /usr/lib/php/.depdb /usr/lib/php/.registry /usr/lib/php/.registry/.channel.pecl.php.net /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.filemap /usr/lib/php/.depdblock /usr/lib/php/.channels /usr/lib/php/.channels/.alias /usr/lib/oracle/.bash_history /usr/lib/oracle/.oraenv /usr/lib/oracle/.xsession /usr/lib/oracle/.screenrc /usr/lib/oracle/.bash_profile /usr/lib/flock/.autoreg /usr/lib/jre1.6.0_01/.systemPrefs /usr/lib/jre1.6.0_01/.systemPrefs/.systemRootModFile /usr/lib/jre1.6.0_01/.systemPrefs/.system.lock /usr/lib/perl5/site_perl/5.8.8/i486-linux-thread-multi/auto/Bundle/NetSNMP/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux-thread-multi/auto/DBD/mysql/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux-thread-multi/auto/OBEXFTP/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux-thread-multi/auto/DCOP/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux-thread-multi/auto/XML/Parser/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux-thread-multi/auto/SGMLS/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux-thread-multi/auto/DBI/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux-thread-multi/auto/Git/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux-thread-multi/auto/URI/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux-thread-multi/auto/Image/Magick/.packlist /usr/lib/perl5/5.8.8/i486-linux/auto/Pidgin/.packlist /usr/lib/perl5/5.8.8/i486-linux/auto/Purple/.packlist /usr/lib/perl5/5.8.8/i486-linux-thread-multi/.packlist /usr/lib/perl5/5.8.8/i486-linux-thread-multi/auto/Irssi/TextUI/.packlist /usr/lib/perl5/5.8.8/i486-linux-thread-multi/auto/Irssi/UI/.packlist /usr/lib/perl5/5.8.8/i486-linux-thread-multi/auto/Irssi/Irc/.packlist /usr/lib/perl5/5.8.8/i486-linux-thread-multi/auto/Irssi/.packlist /usr/lib/firefox-3.0.5/.autoreg
/usr/lib/php/.registry /usr/lib/php/.registry/.channel.pecl.php.net /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.channels /usr/lib/php/.channels/.alias /usr/lib/jre1.6.0_01/.systemPrefs
eth0: PF_PACKET(/sbin/dhcpcd)
 The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         3130 tty7   /usr/bin/X -br -nolisten tcp :0 vt7 -auth /var/run/xauth/A:0-09GCrV

1. I don't think that Slackware comes with any crontab entries, so the first warning is OK. Is that right?
2. What do those long lines tell me?
3. It seems that root is running X... should it work this way?
 
Old 01-20-2009, 06:42 AM   #2
Slacker Steve
Member
 
Registered: Nov 2008
Posts: 85

Rep: Reputation: 16
You should probably start a new thread for this

Last edited by unSpawn; 01-20-2009 at 01:41 PM. Reason: Please don't quote whole posts if you don't address contents.
 
Old 01-20-2009, 01:40 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,999
Blog Entries: 54

Rep: Reputation: 2745
Moderator.note: pruned from thread with OP http://www.linuxquestions.org/questi...19#post3414319
 
Old 01-20-2009, 01:52 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,999
Blog Entries: 54

Rep: Reputation: 2745
Quote:
Originally Posted by zoran119
(..)replaced by a script: /bin/groups: Bourne shell script text executable
Hope you're running version 1.3.4 :-] BTW it's in the docs, FAQ and rkhunter-users mailing list archives. Also see rkhunter.conf for SCRIPTWHITELIST'ing.

Quote:
Originally Posted by zoran119
[20:21:18] Checking for enabled inetd services [ Warning ]
[20:21:19] Warning: Found enabled inetd service: time
[20:21:19] Warning: Found enabled inetd service: time
[20:21:19] Warning: Found enabled inetd service: comsat
[20:21:19] Warning: Found enabled inetd service: auth
Informational message for enabled Xinetd services. Check if you need them.

Quote:
Originally Posted by zoran119
Unable to check for passwd file differences: no copy of the passwd file exists
Informational message for passwd check.

Quote:
Originally Posted by zoran119
Unable to check for group file differences: no copy of the group file exists.
Informational message for group check.

Quote:
Originally Posted by zoran119
1. i have had a look at the scripts (groups, ldd) and i cannot tell if they are the genuine ones. all i know is that they have the copyright comment at the start. how do i tell if these are ok?
Verify with a (copy of a) known good package or an initial run of your filesystem integrity checker (Aide, Samhain, Osiris, rkhunter --propupd, or even tripwire) (if you installed one).

Quote:
Originally Posted by zoran119
Warning: crontab for nobody found, possible Lupper.Worm...
See rkhunter.log and post details on the rkhunter-users mailing list if necessary.

Quote:
Originally Posted by zoran119
1. i don't think that slackware comes with any crontab entries so the first warning is ok. is that right?
Can't remember. Check the docs?

Quote:
Originally Posted by zoran119
2. what do those long lines tell me?
Dunno what check they're about. Maybe dot-files?

Quote:
Originally Posted by zoran119
3. it seems that the root is running x... should it work this way?
AFAIK, yes.
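One way to do the check unSpawn describes (an added example, not code from the thread or from rkhunter): unpack a known-good copy of the Slackware package and byte-compare each script rkhunter flagged with the packaged copy. The package name, paths and script contents are constructed for the demo; on a real system ROOT is / and PKG is the package from your install media or a mirror.

```shell
#!/bin/sh
# Added example, not from the thread: compare files rkhunter reported as
# "replaced by a script" against the copies inside a known-good package
# tarball. Package, paths and contents below are constructed for the demo.
set -eu

# verify_against_pkg PKG ROOT PATH...
# Extracts PKG to a scratch dir and compares ROOT/PATH with the packaged
# copy. Prints OK/DIFFERS/MISSING per path; returns 1 if any file differs
# or is not shipped in the package. Absolute paths (/bin/groups) are fine.
verify_against_pkg() {
    pkg=$1; root=$2; shift 2
    scratch=$(mktemp -d)
    tar -xf "$pkg" -C "$scratch"
    status=0
    for path in "$@"; do
        path=${path#/}
        if [ ! -f "$scratch/$path" ]; then
            echo "MISSING $path (not shipped in the package)"; status=1
        elif cmp -s "$root/$path" "$scratch/$path"; then
            echo "OK $path"
        else
            echo "DIFFERS $path"; status=1
        fi
    done
    rm -rf "$scratch"
    return "$status"
}

# build_demo DIR: constructed sample package (bin/groups, usr/bin/ldd) and
# an "installed" tree whose ldd has one extra line appended to it.
build_demo() {
    dir=$1
    mkdir -p "$dir/pkg/bin" "$dir/pkg/usr/bin" "$dir/root/bin" "$dir/root/usr/bin"
    printf '#!/bin/sh\n# groups wrapper shipped by the package\nid -Gn "$@"\n' \
        > "$dir/pkg/bin/groups"
    printf '#!/bin/bash\n# ldd wrapper shipped by the package\nexit 0\n' \
        > "$dir/pkg/usr/bin/ldd"
    (cd "$dir/pkg" && tar -cf "$dir/demo-pkg.tar" .)
    cp "$dir/pkg/bin/groups" "$dir/root/bin/groups"
    { cat "$dir/pkg/usr/bin/ldd"; echo 'echo modified'; } > "$dir/root/usr/bin/ldd"
}

# run_demo PATH...: build the sample tree, verify the given paths, clean up.
run_demo() {
    d=$(mktemp -d)
    build_demo "$d"
    if verify_against_pkg "$d/demo-pkg.tar" "$d/root" "$@"; then status=0; else status=1; fi
    rm -rf "$d"
    return "$status"
}
```

A file that matches the packaged copy can then be listed under SCRIPTWHITELIST in rkhunter.conf, as unSpawn mentions, and rkhunter --propupd records the baseline for later runs.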
All times are GMT -5. The time now is 02:25 AM.