chkrootkit results
I ran chkrootkit as root for the first time this morning.
It saw eclipse files as suspicious:
/usr/lib/eclipse/plugins/org.eclipse.help.webapp_3.2.1.R321_v20060803/.options
/usr/lib/eclipse/.eclipseextension
/usr/lib/eclipse/configuration/org.eclipse.osgi/.bundledata.1
/usr/lib/eclipse/configuration/org.eclipse.osgi/.manager
/usr/lib/eclipse/configuration/org.eclipse.osgi/.manager/.fileTable.4
/usr/lib/eclipse/configuration/org.eclipse.osgi/.manager/.fileTableLock
/usr/lib/eclipse/configuration/org.eclipse.osgi/.manager/.fileTable.5
/usr/lib/eclipse/configuration/org.eclipse.osgi/.lazy.1
/usr/lib/eclipse/configuration/org.eclipse.osgi/.state.1
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/14/1/.cp
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/7/1/.cp
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/11/1/.cp
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/NKF/.packlist
/usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/DCOP/.packlist
/usr/lib/qt-3.3/etc/settings/.qtrc.lock
/usr/lib/qt-3.3/etc/settings/.kstylerc.lock
/usr/lib/qt-3.3/etc/settings/.qt_plugins_3.3rc.lock
/usr/lib/qt4/examples/graphicsview/portedasteroids/sprites/.pbm
/usr/lib/eclipse/configuration/org.eclipse.osgi/.manager
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/14/1/.cp
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/7/1/.cp
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/11/1/.cp
I hadn't yet done anything, so I know why the history file was empty:
Searching for anomalies in shell history files... Warning: `//root/.mysql_history' file size is zero
I have no idea about this `z2' user root thing:
3. Checking `z2'... user root deleted or never logged from lastlog!
All I know about the TTY stuff is that there are always about 6 tty processes listed when I run "pstree", and I was thinking so far that mingetty was a fax program. I never use the computer to fax from:
Checking `chkutmp'...
The tty of the following user process(es) were not found in /var/run/utmp !
! RUID PID TTY CMD
! root 2114 tty1 /sbin/mingetty tty1
! root 2125 tty2 /sbin/mingetty tty2
! root 2129 tty3 /sbin/mingetty tty3
! root 2132 tty4 /sbin/mingetty tty4
! root 2135 tty5 /sbin/mingetty tty5
! root 2220 tty7 /usr/bin/Xorg :0 -audit 0 -auth /var/gdm/:0.Xauth -no
Any thoughts on how to get a clean bill of health with chkrootkit?
chkrootkit is not a definite yes-or-no thing, it's just alerting you to things it finds "odd". Assuming you have never logged in as root (i.e., you always use sudo) then I see no problems at all in your report.
Well, that makes me feel a little better.
I dreamed I was hacked last night.
Quote:
Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp !
If the closing line (you didn't post) says "Nothing deleted" you're OK. Some processes just don't use utmp or won't update utmp until used, like mingetty. If you think a process name is odd you can use 'lsof' to check who owns it, what files it has opened and what its working directory is, etc. If it doesn't say "Nothing deleted" then your login records may have been tampered with, which should warrant a system audit. If you need a checklist try for instance the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html.
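An added example (not from this thread and not chkrootkit's own code) of the comparison the reply describes: it reads constructed utmp records in the glibc 384-byte `struct utmp` layout, treats only USER_PROCESS entries as a real login (an assumption made here), and separates getty/X processes that are expected to lack an entry from ttys that deserve a look with lsof.

```python
import os
import struct
from collections import namedtuple

# glibc 'struct utmp' (x86/x86-64, 384 bytes): type, pid, line, id, user, host, exit, session, tv, addr_v6, unused
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, LOGIN_PROCESS = 7, 6  # ut_type: logged-in user / getty still waiting for a login
# Known to sit on a tty without a USER_PROCESS entry until someone logs in (assumption, per the reply above).
EXPECTED_NO_UTMP = {"mingetty", "agetty", "getty", "Xorg"}
Proc = namedtuple("Proc", "ruid pid tty cmd")  # the columns of chkrootkit's chkutmp table

def make_utmp_record(ut_type, pid, line, user):
    """Build one constructed utmp record; only the fields the check reads are filled in."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(), b"",
                       0, 0, 0, 0, 0, 0, 0, 0, 0)

def utmp_login_ttys(data):
    """Return the tty names that utmp says currently carry a logged-in user."""
    ttys = set()
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        rec = struct.unpack_from(UTMP_FMT, data, off)
        if rec[0] == USER_PROCESS:
            ttys.add(rec[2].rstrip(b"\0").decode())
    return ttys

def check_utmp(procs, utmp_data):
    """Mirror chkutmp: split tty-bearing processes absent from utmp into expected vs. suspicious."""
    logged_in = utmp_login_ttys(utmp_data)
    expected, suspicious = [], []
    for p in procs:
        if p.tty in logged_in:
            continue
        name = os.path.basename(p.cmd.split()[0])
        (expected if name in EXPECTED_NO_UTMP else suspicious).append(p)
    return expected, suspicious

# Constructed sample: two rows from the post plus a root shell on pts/3 that utmp knows nothing about.
# On a live box, build procs from `ps -eo ruid,pid,tty,args` and read /var/run/utmp instead.
SAMPLE_PROCS = [Proc("root", 2114, "tty1", "/sbin/mingetty tty1"),
                Proc("root", 2220, "tty7", "/usr/bin/Xorg :0 -audit 0"),
                Proc("alice", 3001, "pts/0", "-bash"),
                Proc("root", 3099, "pts/3", "/bin/sh")]
SAMPLE_UTMP = (make_utmp_record(LOGIN_PROCESS, 2114, "tty1", "LOGIN")  # getty's own entry does not count
               + make_utmp_record(USER_PROCESS, 3001, "pts/0", "alice"))

if __name__ == "__main__":
    for tag, group in zip(("expected", "INVESTIGATE (lsof -p PID)"), check_utmp(SAMPLE_PROCS, SAMPLE_UTMP)):
        for p in group:
            print(tag, p.ruid, p.pid, p.tty, p.cmd)
```

The mingetty and Xorg rows come out as expected, exactly like the poster's report; the unlisted root shell on pts/3 is the kind of row the reply says to chase with lsof.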
unSpawn,
Thanks for that. I will definitely post more questions in the Security forum. Currently, I always get a command not recognized when I try 'lsof'. It doesn't matter if I run it as a user, su or root. I gather it's not there. I'll try a locate and if I don't get anything, I'll look for it in the repository.