possible rootkit found
Hi,
I have been testing rkhunter in a lab environment. I installed Reptile and it wasn't found. But a checker is better than no checker, right? I have limited the SSH port and the web port to our organisation's IPv4 public range and I am updating the system through cron.daily. I have just run rkhunter on the intended box and it's found "Possible rootkits: 1". I have looked through /var/log/rkhunter.log and I am seeing this:
Code:
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
On occasion people DO legitimately replace system files with "wrapper" scripts to make them do things they normally wouldn't.
Since it says these are scripts you should be able to view them with your favorite editor (vim, nano, emacs) to see what they are. Ideally, if some admin replaced them, there will be comments saying who and why. As for Java LISTENing on port 7000, there again that may be something that is being done by design. Run "lsof -i :7000" to determine which PID it is, then run "ps -ef | grep <PID>" to learn more about the process. It should show you more detail of the parameters used at invocation and what user is running it.
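The triage the reply describes, written out as an added shell example (this is not code from the original thread or from rkhunter): it classifies the flagged command by its magic bytes, prints the shebang interpreter and the first lines of the script so any "who and why" comment is visible, asks the package manager which package owns the file and whether it still matches that package's recorded checksums, and lists the process behind a listening port with its executable and working directory. /usr/bin/ldd and port 7000 are taken from the thread; the function names and the rkhunter whitelisting step in the comments are this example's own. Two caveats worth knowing before panicking: glibc itself ships ldd as a shell script, so a "replaced by a script" finding for ldd can be a false positive that rkhunter's SCRIPTWHITELIST option exists to silence; and run the port check as root, since lsof and ss only show owner details for other users' processes when privileged.

```shell
#!/bin/sh
# Added example (not from the thread): triage an rkhunter
# "replaced by a script" warning and a port something is listening on.
# /usr/bin/ldd and port 7000 come from the thread; the function names
# and checks below are this example's own assumptions.

# Classify a file by its first bytes: "script" ("#!"), "elf"
# (0x7f 'E' 'L' 'F'), "missing", or "other".
classify_file() {
    path=$1
    [ -e "$path" ] || { echo missing; return 0; }
    magic=$(head -c 4 "$path" | od -An -tx1 | tr -d ' \n')
    case $magic in
        2321*)    echo script ;;
        7f454c46) echo elf ;;
        *)        echo other ;;
    esac
}

# Print the interpreter named on a script's shebang line.
script_interpreter() {
    head -n 1 "$1" | sed -n 's/^#![ ]*//p'
}

# Which package owns the file, and does it still match that package's
# recorded checksums? Empty verify output means everything matches.
package_check() {
    path=$1
    if command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$path" 2>/dev/null | cut -d: -f1)
        [ -n "$pkg" ] || { echo "not owned by any package"; return 0; }
        echo "owned by: $pkg"
        dpkg --verify "$pkg" 2>/dev/null || true
    elif command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -qf "$path" 2>/dev/null) || { echo "not owned by any package"; return 0; }
        echo "owned by: $pkg"
        rpm -V "$pkg" 2>/dev/null || true
    else
        echo "no dpkg/rpm found; compare against a known-good copy instead"
    fi
}

# Full triage of one flagged command.
triage_command() {
    path=$1
    kind=$(classify_file "$path")
    echo "== $path: $kind"
    ls -l "$path" 2>/dev/null || true
    if [ "$kind" = script ]; then
        echo "interpreter: $(script_interpreter "$path")"
        echo "--- first lines (look for a comment saying who replaced it and why):"
        head -n 15 "$path"
    fi
    package_check "$path"
    # If the script turns out to be legitimate (glibc ships ldd as a shell
    # script, for example), whitelist it in /etc/rkhunter.conf with
    #   SCRIPTWHITELIST=/usr/bin/ldd
    # and refresh the stored file properties with: rkhunter --propupd
}

# Who is listening on a TCP port, with executable and working directory.
triage_port() {
    port=$1
    echo "== listeners on TCP port $port"
    if command -v ss >/dev/null 2>&1; then
        ss -ltnp 2>/dev/null | grep ":$port " || true
    fi
    if command -v lsof >/dev/null 2>&1; then
        pids=$(lsof -t -i ":$port" -sTCP:LISTEN 2>/dev/null || true)
        for pid in $pids; do
            ps -o pid,user,ppid,lstart,args -p "$pid" 2>/dev/null || true
            echo "exe: $(readlink "/proc/$pid/exe" 2>/dev/null) cwd: $(readlink "/proc/$pid/cwd" 2>/dev/null)"
        done
    else
        echo "lsof not installed; use: ss -ltnp  or  fuser $port/tcp"
    fi
}

# Stand-alone run against the command and port from the thread.
triage_command /usr/bin/ldd
triage_port 7000
```

Run it as root on the flagged box. The classification only says what the file is; the package check is what tells you whether the script is the one the distribution installed or something that appeared afterwards, and a file that no package owns in /usr/bin deserves the same scrutiny as the process found on the port.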