Quote:
Originally Posted by Matir
Assuming you have never logged in as root (i.e., you always use sudo) then I see no problems at all in your report.
|
In short: Matir is right when he says that, but IMHO it's better to know why, and how to check if you think something looks fishy.
Quote:
Originally Posted by Matir
chkrootkit is not a definite yes-or-no thing, it's just alerting you to things it finds "odd".
|
Short explanation. Filenames that start with a dot are not listed by default and show up if you use the 'ls' "-a" switch. Because of that these filenames are (still) considered suspicious. If files are part of a package it is easiest to verify using your distro's package manager. If they are not part of a package you will have to get info with 'stat' to see ownership, access permissions and modification and access times, and with 'file' to get an idea of the contents. If it appears to be text, visual inspection is the easiest way to get a clue; if it's data, try using 'strings'. There are more tools but I won't handle those here. In any case, if you're unsure it's best to post in the Linux Security forum.
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
If the closing line (which you didn't post) says "Nothing deleted" you're OK. Some processes just don't use utmp or won't update utmp until used, like mingetty. If you think a process name is odd you can use 'lsof' to check who owns it, what files it has opened, what its working directory is, etc. If it doesn't say "Nothing deleted" then your login records may have been tampered with, which should warrant a system audit. If you need a checklist try for instance the Intruder Detection Checklist (CERT):
http://www.cert.org/tech_tips/intrud...checklist.html.
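Added example, not code from the thread or from chkrootkit: a small POSIX sh helper that chains the checks described above for a path chkrootkit flagged (package ownership, then 'stat', then text-versus-data, then 'strings'). It assumes a dpkg- or rpm-based system and a grep that accepts -a (GNU or BSD).

```shell
#!/bin/sh
# Triage helper for a path chkrootkit flagged (e.g. a dotfile). Added here as
# an example; it is not chkrootkit code and not from the post. Assumes a dpkg-
# or rpm-based system and a grep that accepts -a (GNU or BSD).

# Print the package that owns PATH. Returns 0 if owned, 1 if no package
# claims it, 2 if neither dpkg nor rpm is available to ask.
package_owner() {
    if command -v dpkg-query >/dev/null 2>&1; then
        out=$(dpkg-query -S "$1" 2>/dev/null) || return 1
        printf '%s\n' "${out%%:*}"       # "pkg: /path" -> "pkg"
    elif command -v rpm >/dev/null 2>&1; then
        out=$(rpm -qf "$1" 2>/dev/null) || return 1
        printf '%s\n' "$out"
    else
        return 2
    fi
}

# Answer the question 'file' answers: prints "text" if every byte is printable
# or whitespace, "data" otherwise, "missing" if the path does not exist.
content_kind() {
    [ -e "$1" ] || { echo missing; return 0; }
    if LC_ALL=C grep -aq '[^[:print:][:space:]]' "$1"; then
        echo data
    else
        echo text
    fi
}

# Run the checks in order for one path. Returns 0 when a package owns the
# file (verify it with the package manager), 1 when it needs a manual look.
triage_suspect() {
    p=$1
    if owner=$(package_owner "$p"); then
        echo "$p: owned by package $owner"
        return 0
    else
        rc=$?
        [ "$rc" -eq 2 ] && echo "$p: no dpkg/rpm found, cannot check ownership" || echo "$p: not owned by any installed package"
    fi
    stat "$p" 2>/dev/null                 # owner, mode, atime/mtime/ctime
    case $(content_kind "$p") in
        text)    echo "--- text, inspect by eye:"; head -n 20 "$p" ;;
        data)    echo "--- data, printable strings:"; strings "$p" 2>/dev/null | head -n 20 ;;
        missing) echo "--- path no longer exists" ;;
    esac
    return 1
}
```

Run it as `triage_suspect /path/to/.suspicious` for each name in the chkrootkit report; anything that comes back unowned is what you would post about in the forum.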