Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I just attempted to install chkrootkit on debian 8.1 (running 4.9 kernel from http://kernel.ubuntu.com).
The package didn't configure and produced errors:
Code:
sudo: unable to open /var/lib/sudo/ts/#####: Read-only file system
Can't locate warnings/register.pm in @INC (you may need to install the warnings::register module) (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.20.2 /usr/local/share/perl/5.20.2 /usr/lib/x86_64-linux-gnu/perl5/5.20 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.20 /usr/share/perl/5.20 /usr/local/lib/site_perl .) at /usr/share/perl/5.20/vars.pm line 7.
BEGIN failed--compilation aborted at /usr/share/perl/5.20/vars.pm line 7.
Compilation failed in require at /usr/share/perl/5.20/base.pm line 4.
BEGIN failed--compilation aborted at /usr/share/perl/5.20/base.pm line 4.
Compilation failed in require at /usr/share/perl5/Debconf/Log.pm line 7.
BEGIN failed--compilation aborted at /usr/share/perl5/Debconf/Log.pm line 7.
Compilation failed in require at /usr/share/perl5/Debconf/Db.pm line 7.
BEGIN failed--compilation aborted at /usr/share/perl5/Debconf/Db.pm line 7.
Compilation failed in require at /usr/sbin/dpkg-reconfigure line 11.
BEGIN failed--compilation aborted at /usr/sbin/dpkg-reconfigure line 11.
The weird thing that has me concerned is, I did something else in the terminal window, and when I checked the scrollback all the error text had been erased.
I reproduced the error above with dpkg-reconfigure. (again scrollback was erased, and this time it was ALL of it, not just the error)
My rootfs is now in read-only mode!
So I don't know if I'm infected. I'm thinking it's just mis-configuration somewhere, or a package dependency issue.
Any thoughts?
UPDATE:
Since my system was in read only mode, I rebooted and a manual fsck was forced. There were many files with deleted inodes that fsck fixed. The other errors fixed were: "Free blocks count wrong for...", and "Free inodes count wrong for ..."
Last edited by tcz; 03-23-2018 at 08:44 AM.
Reason: UPDATE:
Distribution: Currently: OpenMandriva. Previously: openSUSE, PCLinuxOS, CentOS, among others over the years.
Posts: 3,881
Rep:
Quote:
Originally Posted by tcz
I just attempted to install chkrootkit on debian 8.1 (running 4.9 kernel from http://kernel.ubuntu.com).
The package didn't configure and produced errors:
Code:
sudo: unable to open /var/lib/sudo/ts/#####: Read-only file system
Can't locate warnings/register.pm in @INC (you may need to install the warnings::register module) (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.20.2 /usr/local/share/perl/5.20.2 /usr/lib/x86_64-linux-gnu/perl5/5.20 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.20 /usr/share/perl/5.20 /usr/local/lib/site_perl .) at /usr/share/perl/5.20/vars.pm line 7.
BEGIN failed--compilation aborted at /usr/share/perl/5.20/vars.pm line 7.
Compilation failed in require at /usr/share/perl/5.20/base.pm line 4.
BEGIN failed--compilation aborted at /usr/share/perl/5.20/base.pm line 4.
Compilation failed in require at /usr/share/perl5/Debconf/Log.pm line 7.
BEGIN failed--compilation aborted at /usr/share/perl5/Debconf/Log.pm line 7.
Compilation failed in require at /usr/share/perl5/Debconf/Db.pm line 7.
BEGIN failed--compilation aborted at /usr/share/perl5/Debconf/Db.pm line 7.
Compilation failed in require at /usr/sbin/dpkg-reconfigure line 11.
BEGIN failed--compilation aborted at /usr/sbin/dpkg-reconfigure line 11.
The weird thing that has me concerned is, I did something else in the terminal window, and when I checked the scrollback all the error text had been erased.
I reproduced the error above with dpkg-reconfigure. (again scrollback was erased, and this time it was ALL of it, not just the error)
My rootfs is now in read-only mode!
So I don't know if I'm infected. I'm thinking it's just mis-configuration somewhere, or a package dependency issue.
Any thoughts?
I have to be honest in saying that, I'm not seeing anything from what you have said that makes me think your system is "infected" by a "rootkit".
But that aside, did you inspect lines 4, 7 or 11 ? How can we know if you don't say?
Why don't you just install rkhunter from your package manager instead? Wouldn't that be a lot easier?
Hi jsbjsb001,
Thank you for the prompt response. I've replied to your message below.
Quote:
Originally Posted by jsbjsb001
I have to be honest in saying that, I'm not seeing anything from what you have said that makes me think your system is "infected" by a "rootkit".
It's the weird behavior that has me concerned. Isn't one of the directives of the rootkit builder to stop any software that would track it down and remove it.
Quote:
Originally Posted by jsbjsb001
But that aside, did you inspect lines 4, 7 or 11 ? How can we know if you don't say?
Sorry, but I don't think that I should be responsible to debug a package install. That would be perhaps a bug I would (should?) file with the package maintainer.
Quote:
Originally Posted by jsbjsb001
Why don't you just install rkhunter from your package manager instead? Wouldn't that be a lot easier?
Distribution: Currently: OpenMandriva. Previously: openSUSE, PCLinuxOS, CentOS, among others over the years.
Posts: 3,881
Rep:
Quote:
Originally Posted by tcz
Hi jsbjsb001,
...
It's the weird behavior that has me concerned. Isn't one of the directives of the rootkit builder to stop any software that would track it down and remove it.
I think you're getting two different concepts mixed up; installing something and compiling something are two different things, not one of the same thing. Yes, you would still need to 'install' xy or z onto your system AFTER you have compiled it, if you're not installing it via software packages. Compiling something on the other hand is the act of taking something from being just a bunch of code (human-readable code that is) to machine code that the processor understands as a set of instructions to execute when run.
Yes, if for example there's a problem in the code and it cannot continue building it, it should stop at that point, until you fix the problem.
Quote:
Sorry, but I don't think that I should be responsible to debug a package install. That would be perhaps a bug I would (should?) file with the package maintainer.
That's why I suggested you install rkhunter from your package manager instead.
I think your disk did not respond for some time, and the disk driver in the kernel got impationed and set the filesystem to read-only.
It was not necessarily caused by your installation attempt - any prior writing to the disk can have triggered the fault.
Maybe your disk becomes faulty?
Is your disk accessed over a network (SAN,ISCSI,or a virtualized disk)? Then a network disturbance can have caused it.
Last edited by MadeInGermany; 03-23-2018 at 11:20 AM.
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,524
Rep:
It looks like a disk defect causing the system to remount the root file system as read only. Check the drive with smartctl. If you don't have it installed, it's part of smartmon-tools.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.