LinuxQuestions.org
Old 11-10-2017, 09:37 AM   #1
aidylewis
LQ Newbie
 
Registered: Apr 2016
Posts: 25

possible rootkit found


Hi,

I have been testing rkhunter in a lab environment. I installed Reptile and it wasn't found. But a checker is better than no checker, right? I have limited the SSH port and the web port to our organisation's IPv4 public range and I am updating the system through cron.daily. I have just run rkhunter on the intended box and it's found "Possible rootkits: 1". I have looked through /var/log/rkhunter.log and I am seeing this:

Code:
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
[14:59:28] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script, ASCII text executable
[14:59:28]   /sbin/ifup                                      [ Warning ]
[14:59:28] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script, ASCII text executable
[14:59:29] Warning: The command '/bin/egrep' has been replaced by a script: /bin/egrep: POSIX shell script, ASCII text executable
[14:59:29] Warning: The command '/bin/fgrep' has been replaced by a script: /bin/fgrep: POSIX shell script, ASCII text executable
[14:59:58]     Checking for TCP port 7000                    [ Found ]
[14:59:58] Warning: Network TCP port 7000 is being used by /opt/jdk1.8.0_131/bin/java. Possible rootkit: Possible rogue IRC bot
Use the 'lsof -i' or 'netstat -an' command to check this.
[15:00:02]   Checking for hidden files and directories       [ Warning ]
[15:00:02] Warning: Hidden directory found: /etc/.java
[15:00:02] Warning: Hidden directory found: /dev/.mount
[15:00:02] Warning: Hidden directory found: /dev/.mdadm
[15:00:02] Warning: Hidden directory found: /dev/.udev
Rebuild?
 
Old 11-10-2017, 09:55 AM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

On occasion people DO legitimately replace system files with "wrapper" scripts to make them do things they normally wouldn't.

Since it says these are scripts you should be able to view them with your favorite editor (vim, nano, emacs) to see what they are. Ideally, if some admin replaced them, there will be comments saying who and why.

As for Java LISTENing on port 7000, there again that may be something that is being done by design. Run "lsof -i :7000" to determine which PID it is then run "ps -ef |grep <PID>" to learn more about the process. It should show you more detail of parameters used at invocation and what user is running it.

Last edited by MensaWater; 11-10-2017 at 10:17 AM.
 
1 members found this post helpful.
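The triage the reply describes (read the replaced scripts, find out what owns the listening port), as an added shell example that is not part of the thread or of rkhunter: it parses the two warning types out of a copy of rkhunter.log and, for each, runs `file`, the package verifier (`rpm -Vf` or `dpkg -V`) and `lsof`. The sample log lines are constructed from the ones quoted above; that the host is Debian- or RPM-based and has those tools is an assumption, and missing tools are skipped.

```shell
#!/bin/sh
# Triage helper for the two rkhunter warning types quoted in the thread:
# "The command '...' has been replaced by a script" and "Network TCP port N is
# being used by ...". Added example, not part of the thread or of rkhunter.
# Assumes a Debian- or RPM-based host; absent tools (file, dpkg, rpm, lsof) are skipped.

# Constructed sample, modelled on the log lines quoted in the thread.
SAMPLE_LOG=$(cat <<'EOF'
[14:59:28] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script, ASCII text executable
[14:59:29] Warning: The command '/bin/egrep' has been replaced by a script: /bin/egrep: POSIX shell script, ASCII text executable
[14:59:58] Warning: Network TCP port 7000 is being used by /opt/jdk1.8.0_131/bin/java. Possible rootkit: Possible rogue IRC bot
EOF
)

# stdin: rkhunter.log  ->  stdout: one replaced-command path per line
replaced_commands() {
    sed -n "s/.*The command '\([^']*\)' has been replaced by a script.*/\1/p"
}

# stdin: rkhunter.log  ->  stdout: "<port> <program path>" per port warning
port_users() {
    sed -n 's/.*Network TCP port \([0-9][0-9]*\) is being used by \([^ ]*\)\..*/\1 \2/p'
}

# Does the package database still vouch for the file? A distro-shipped script
# (glibc ships /usr/bin/ldd as a shell script) verifies clean; a file that was
# overwritten later shows a checksum mismatch or has no owning package.
verify_owner() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" && rpm -Vf "$1"
    elif command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$1" 2>/dev/null | cut -d: -f1)
        if [ -n "$pkg" ]; then dpkg -V "$pkg"; else echo "no package owns $1"; fi
    fi
}

triage() {   # $1 = path to a copy of rkhunter.log
    replaced_commands <"$1" | while read -r path; do
        echo "== $path"
        command -v file >/dev/null 2>&1 && file "$path"
        verify_owner "$path"
        grep '^#' "$path" | head -n 5   # a legitimate wrapper usually says who added it and why
    done
    port_users <"$1" | while read -r port prog; do
        echo "== port $port ($prog)"
        command -v lsof >/dev/null 2>&1 && lsof -nP -i :"$port"   # then ps -fp <PID> for detail
    done
}

if [ -n "${1:-}" ]; then triage "$1"; fi
```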