LinuxQuestions.org

Linux - Newbie > chkrootkit results (https://www.linuxquestions.org/questions/linux-newbie-8/chkrootkit-results-521563/)

rdwinders 01-21-2007 10:11 PM

chkrootkit results
 
I ran chkrootkit as root for the first time this morning.

It saw eclipse files as suspicious:
/usr/lib/eclipse/plugins/org.eclipse.help.webapp_3.2.1.R321_v20060803/.options
/usr/lib/eclipse/.eclipseextension
/usr/lib/eclipse/configuration/org.eclipse.osgi/.bundledata.1
/usr/lib/eclipse/configuration/org.eclipse.osgi/.manager
/usr/lib/eclipse/configuration/org.eclipse.osgi/.manager/.fileTable.4
/usr/lib/eclipse/configuration/org.eclipse.osgi/.manager/.fileTableLock
/usr/lib/eclipse/configuration/org.eclipse.osgi/.manager/.fileTable.5
/usr/lib/eclipse/configuration/org.eclipse.osgi/.lazy.1
/usr/lib/eclipse/configuration/org.eclipse.osgi/.state.1
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/14/1/.cp
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/7/1/.cp
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/11/1/.cp
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/NKF/.packlist
/usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/DCOP/.packlist
/usr/lib/qt-3.3/etc/settings/.qtrc.lock
/usr/lib/qt-3.3/etc/settings/.kstylerc.lock
/usr/lib/qt-3.3/etc/settings/.qt_plugins_3.3rc.lock
/usr/lib/qt4/examples/graphicsview/portedasteroids/sprites/.pbm

/usr/lib/eclipse/configuration/org.eclipse.osgi/.manager
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/14/1/.cp
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/7/1/.cp
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/11/1/.cp

I hadn't yet done anything so I know why the history file was empty:
Searching for anomalies in shell history files... Warning: `//root/.mysql_history' file size is zero

I have no idea about this z2' user root thing
3.Checking `z2'... user root deleted or never logged from lastlog!

All I know about the TTY stuff is that there are always about 6 tty processes listed when I run "pstree", and so far I was thinking that mingetty was a fax program. I never use the computer to fax from:
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 2114 tty1 /sbin/mingetty tty1
! root 2125 tty2 /sbin/mingetty tty2
! root 2129 tty3 /sbin/mingetty tty3
! root 2132 tty4 /sbin/mingetty tty4
! root 2135 tty5 /sbin/mingetty tty5
! root 2220 tty7 /usr/bin/Xorg :0 -audit 0 -auth /var/gdm/:0.Xauth -no

Any thoughts on how to get a clean bill of health with chkrootkit?

Matir 01-21-2007 11:44 PM

chkrootkit is not a definite yes-or-no thing, it's just alerting you to things it finds "odd". Assuming you have never logged in as root (i.e., you always use sudo) then I see no problems at all in your report.

rdwinders 01-22-2007 11:58 AM

Well that makes me feel a little better.
I dreamed I was hacked last night.

unSpawn 01-22-2007 12:37 PM

Quote:

Originally Posted by Matir
Assuming you have never logged in as root (i.e., you always use sudo) then I see no problems at all in your report.

In short: Matir is right when he says that but IMHO it's better to know why and how to check if you think something looks fishy.

Quote:

Originally Posted by Matir
chkrootkit is not a definite yes-or-no thing, it's just alerting you to things it finds "odd".

Short explanation. Filenames that start with a dot are not listed by default and only show up if you use the 'ls' "-a" switch. Because of that these filenames are (still) considered suspicious. If the files are part of a package, it is easiest to verify them using your distro's package manager. If they are not part of a package, you will have to get info with 'stat' to see ownership, access permissions and modification and access times, and 'file' to get an idea of the contents. If it appears to be text, visual inspection is the easiest way to get a clue; else if it's data, try using 'strings'. There are more tools but I won't handle those here. In any case, if you're unsure it's best to post in the Linux Security forum.


Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !

If the closing line (you didn't post) says "Nothing deleted" you're OK. Some processes just don't use utmp or won't update utmp until used, like mingetty. If you think a process name is odd you can use 'lsof' to check who owns it, what files it has opened and what its working directory is, etc etc. If it doesn't say "Nothing deleted" then your login records may have been tampered with which should warrant a system audit. If you need a checklist try for instance the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html.
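The triage unSpawn describes (package-manager ownership check first, then 'stat'/'ls -l' and 'file' on anything unpackaged, and 'lsof' or its /proc equivalent on a process whose tty chkutmp could not match) can be scripted so the whole chkrootkit list is worked through in one pass. The script below is an added example written for this thread, not code from chkrootkit or from any poster; it assumes an rpm- or dpkg-based system (it tries whichever is installed, and reports "unpackaged" when neither claims the file), and the paths used in the usage comment are constructed, not taken from the report above.

```shell
#!/bin/sh
# Added example (not from the thread): triage dotfiles flagged by chkrootkit.
# For each path: ask the package manager whether it owns the file; anything
# unowned gets ownership/permissions/mtime (ls -ld) and a content type (file)
# printed for manual review, exactly the order of checks suggested in the post.

# classify_path PATH -> prints one of: packaged, unpackaged, missing
classify_path() {
    p=$1
    if [ ! -e "$p" ]; then
        echo missing
        return 0
    fi
    # rpm -qf / dpkg -S exit non-zero when no package owns the path.
    if command -v rpm >/dev/null 2>&1 && rpm -qf "$p" >/dev/null 2>&1; then
        echo packaged
    elif command -v dpkg >/dev/null 2>&1 && dpkg -S "$p" >/dev/null 2>&1; then
        echo packaged
    else
        echo unpackaged
    fi
}

# describe_path PATH -> owner, mode, mtime and (if 'file' exists) content type
describe_path() {
    p=$1
    ls -ld "$p"
    if command -v file >/dev/null 2>&1; then
        file -b "$p"
    fi
}

# triage_list: reads one path per line on stdin, prints "<class> <path>",
# followed by the describe_path details for every unpackaged entry.
triage_list() {
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        c=$(classify_path "$p")
        echo "$c $p"
        if [ "$c" = unpackaged ]; then
            describe_path "$p"
        fi
    done
}

# inspect_pid PID -> what the post suggests checking with lsof (owner, cwd,
# open files); falls back to /proc when lsof is not installed, as in the OP's case.
inspect_pid() {
    pid=$1
    if command -v lsof >/dev/null 2>&1; then
        lsof -p "$pid"
    else
        ps -o user=,pid=,tty=,args= -p "$pid"
        ls -l "/proc/$pid/cwd" "/proc/$pid/exe" 2>/dev/null
        ls -l "/proc/$pid/fd" 2>/dev/null
    fi
}

# Usage (paths are constructed placeholders, not the ones from the report):
#   printf '%s\n' /usr/lib/example/.hidden /var/lib/example/.lock | triage_list
#   inspect_pid 2114
```

Feeding the report's path list into triage_list gives a "packaged" line for files the distro installed (the Eclipse, Perl and Qt entries would normally fall in that group) and the detail lines only for what remains, which is the set worth reading by hand or posting in the Security forum.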

rdwinders 01-22-2007 03:10 PM

unSpawn,
Thanks for that. I will definitely post more questions in the Security forum.
Currently, I always get a command not recognized when I try 'lsof'. It doesn't matter if I run it as a user, su or root. I gather it's not there.
I'll try a locate and if I don't get anything, I'll look for it in the repository.

