LinuxQuestions.org


aidylewis 11-10-2017 09:37 AM

possible rootkit found
 
Hi,

I have been testing rkhunter in a lab environment. I installed Reptile and it wasn't found. But a checker is better than no checker, right? I have limited the SSH port and the web port to our organisation's IPv4 public range and I am updating the system through cron.daily. I have just run rkhunter on the intended box and it's found "Possible rootkits: 1". I have looked through /var/log/rkhunter.log and I am seeing this:

Code:

Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
[14:59:28] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script, ASCII text executable
[14:59:28]  /sbin/ifup                                      [ Warning ]
[14:59:28] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script, ASCII text executable
[14:59:29] Warning: The command '/bin/egrep' has been replaced by a script: /bin/egrep: POSIX shell script, ASCII text executable
[14:59:29] Warning: The command '/bin/fgrep' has been replaced by a script: /bin/fgrep: POSIX shell script, ASCII text executable
[14:59:58]    Checking for TCP port 7000                    [ Found ]
[14:59:58] Warning: Network TCP port 7000 is being used by /opt/jdk1.8.0_131/bin/java. Possible rootkit: Possible rogue IRC bot
Use the 'lsof -i' or 'netstat -an' command to check this.
[15:00:02]  Checking for hidden files and directories      [ Warning ]
[15:00:02] Warning: Hidden directory found: /etc/.java
[15:00:02] Warning: Hidden directory found: /dev/.mount
[15:00:02] Warning: Hidden directory found: /dev/.mdadm
[15:00:02] Warning: Hidden directory found: /dev/.udev

Rebuild?

MensaWater 11-10-2017 09:55 AM

On occasion people DO legitimately replace system files with "wrapper" scripts to make them do things they normally wouldn't.

Since it says these are scripts, you should be able to view them with your favorite editor (vim, nano, emacs) to see what they are. Ideally, if some admin replaced them, there will be comments saying who and why.

As for Java LISTENing on port 7000, there again that may be something that is being done by design. Run "lsof -i :7000" to determine which PID it is then run "ps -ef |grep <PID>" to learn more about the process. It should show you more detail of parameters used at invocation and what user is running it.
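As an added illustration of the triage steps in this reply (not the poster's own script, and not part of rkhunter): the helper below pulls the flagged paths and the port/program pair out of rkhunter.log lines, asks dpkg or rpm whether each replaced command is still the file its package shipped, and lists the listener on the flagged port with `ss`. The log lines are constructed from the first post; `ss` and a dpkg- or rpm-based system are assumed.

```shell
#!/bin/sh
# Triage rkhunter "replaced by a script" and "rogue IRC bot" warnings.
# Hypothetical helper written for this thread, not part of rkhunter.

# Constructed sample lines in the format rkhunter writes to /var/log/rkhunter.log.
SAMPLE_LOG=$(cat <<'EOF'
[14:59:28] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
[14:59:28] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script, ASCII text executable
[14:59:58] Warning: Network TCP port 7000 is being used by /opt/jdk1.8.0_131/bin/java. Possible rootkit: Possible rogue IRC bot
[15:00:02] Warning: Hidden directory found: /etc/.java
EOF
)

# Paths rkhunter says were replaced by scripts (reads log text on stdin).
replaced_commands() {
    sed -n "s/^.*Warning: The command '\([^']*\)' has been replaced by a script.*$/\1/p"
}

# "port program" pairs from the rogue-IRC-bot warnings (reads log text on stdin).
flagged_ports() {
    sed -n 's/^.*Network TCP port \([0-9][0-9]*\) is being used by \([^ ]*\)\. Possible.*$/\1 \2/p'
}

# Which package owns PATH and whether its recorded checksum still matches.
# Prints "<path> <pkg> ok|MODIFIED", "<path> unpackaged" or "<path> no-package-manager".
package_status() {
    path=$1
    if command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$path" 2>/dev/null | sed -n '1s/:.*//p') || true
        [ -n "$pkg" ] || { echo "$path unpackaged"; return; }
        if dpkg --verify "$pkg" 2>/dev/null | grep -q " $path\$"; then
            echo "$path $pkg MODIFIED"; else echo "$path $pkg ok"; fi
    elif command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -qf "$path" 2>/dev/null) || true
        [ -n "$pkg" ] || { echo "$path unpackaged"; return; }
        if rpm -V "$pkg" 2>/dev/null | grep -q " $path\$"; then
            echo "$path $pkg MODIFIED"; else echo "$path $pkg ok"; fi
    else
        echo "$path no-package-manager"
    fi
}

# Listening socket on PORT with its owning process (ss assumed present).
listener_on_port() {
    ss -ltnp "sport = :$1" 2>/dev/null | tail -n +2
}

# Walk the log: a packaged, unmodified wrapper is far less alarming than an unpackaged one.
triage() {
    printf '%s\n' "$SAMPLE_LOG" | replaced_commands | while read -r cmd; do package_status "$cmd"; done
    printf '%s\n' "$SAMPLE_LOG" | flagged_ports | while read -r port prog; do
        echo "port $port reported for $prog:"; listener_on_port "$port"
    done
}
```

To use it on a real box, feed /var/log/rkhunter.log instead of SAMPLE_LOG and call triage; on Debian-based systems egrep and fgrep are shipped as shell wrappers by the grep package, which is what rkhunter's SCRIPTWHITELIST setting is for.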
