LinuxQuestions.org
Forum: Linux - Security
Old 07-14-2007, 09:29 AM   #1
mexbeachbum
LQ Newbie
 
Registered: Jul 2007
Distribution: PCLOS 2007, Ubuntu Feisty, Mint
Posts: 21

Rep: Reputation: 15
ChkRootkit Results?


Hi! Can someone please help with some curious results from my latest CHKRootkit scan?

Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not found
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/firefox/.autoreg
/usr/lib/jvm/java-6-sun-1.6.0.00/.systemPrefs
/usr/lib/jvm/.java-6-sun.jinfo
/lib/modules/2.6.20-16-generic/volatile/.mounted

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... /usr/lib/security
/usr/lib/security/classpath.security
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/sbin/dhclient3[4665])


My questions:
(1) What is the difference between not found and not infected?
(2) Bold #1 is this a problem or just java being java
(3) Bold #2 What is this?
(4) Bold #3 (I read elsewhere it is a false positive but I'm leery.)

Rootkithunter returns no problems.

Any help for me, please? I haven't been able to access the chkrootkit website.

Thanks in advance.
 
Old 07-14-2007, 10:20 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,359
Blog Entries: 55

Rep: Reputation: 3545
(1) What is the difference between not found and not infected?
Not found means what it means: "this item was not found". Not infected means the item was found, but no traces of malicious modification were encountered.


(2) Bold #1 is this a problem or just java being java
Look closely and you'll see it ain't Java alone, it's about dot-files. In ye aulden days filenames starting with a dot were thought useful for hiding names because you need to use the "-a" switch to list them.


(3) Bold #2 What is this?
Dunno. You find out. If unsure about a file try to get your distro's package manager to identify it, or if your distro's package manager isn't that capable use "file" and maybe "strings" on the file.


(4) Bold #3 (I read elsewhere it is a false positive but I'm leery.)
If /sbin/dhclient3 with PID 4665 *is* the DHCP client, then it's just the way the DHCP client listens (false positive).


Rootkithunter returns no problems.
Do me a favour and run version 1.3.0 from CVS?

Last edited by unSpawn; 07-14-2007 at 10:21 AM.
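As an added illustration of the "not found" versus "not infected" distinction and of the dhclient check in this reply (example code written for this page, not unSpawn's or the chkrootkit project's), the script below classifies chkrootkit output lines into absent / clean / needs-review and checks a PACKET SNIFFER hit against /proc. The sample output is constructed from lines in the first post; the classification patterns, the function names and the assumption that /proc/<pid>/exe is readable are mine.

```shell
#!/bin/sh
# Added example, not code from the thread. Triages chkrootkit output along the
# lines unSpawn draws: "not found" means the binary is absent (nothing to check),
# "not infected"/"nothing found" means checked and clean, and everything else is
# a hit that needs a human look. The sample is constructed from lines in the post.

sample_output() {
cat <<'EOF'
Checking `amd'... not found
Checking `basename'... not infected
Checking `aliens'... no suspect files
Searching for suspicious files and dirs, it may take a while...
/usr/lib/firefox/.autoreg
/lib/modules/2.6.20-16-generic/volatile/.mounted
Searching for LOC rootkit... nothing found
Searching for OBSD rk v1... /usr/lib/security
/usr/lib/security/classpath.security
Checking `lkm'... chkproc: nothing detected
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/sbin/dhclient3[4665])
EOF
}

# Classify one line: absent | clean | header | review
classify_line() {
    case "$1" in
        *"... not found") echo absent ;;
        *"... not infected"|*"nothing found"|*"no suspect files"|*"nothing detected"|*"no packet sniffer sockets") echo clean ;;
        *"...") echo header ;;   # a section whose hits follow on the next lines
        *) echo review ;;
    esac
}

# Read chkrootkit output on stdin, print only the lines that need attention.
review_items() {
    while IFS= read -r line; do
        if [ -n "$line" ] && [ "$(classify_line "$line")" = review ]; then
            printf '%s\n' "$line"
        fi
    done
}

# Pull program and PID out of a "PACKET SNIFFER(prog[pid])" line.
sniffer_process() {
    printf '%s\n' "$1" | sed -n 's/.*PACKET SNIFFER(\(.*\)\[\([0-9][0-9]*\)\]).*/\1 \2/p'
}

# Does the running PID really execute that program? chkrootkit names whatever
# holds a packet socket on the interface; a DHCP client does that legitimately,
# so the finding is benign only if the PID is the real dhclient binary.
pid_runs() {  # $1 = pid, $2 = expected executable path
    [ -r "/proc/$1/exe" ] || return 1
    [ "$(readlink "/proc/$1/exe")" = "$2" ]
}

# Walk each sniffer hit and report whether it checks out on this host.
check_sniffers() {
    review_items | grep 'PACKET SNIFFER' | while IFS= read -r line; do
        set -- $(sniffer_process "$line")
        if pid_runs "$2" "$1"; then
            echo "$1[$2]: verified, expected for a DHCP client"
        else
            echo "$1[$2]: PID is not running $1 on this host; investigate"
        fi
    done
}

# usage: replace sample_output with "chkrootkit" (or "cat saved-output.txt")
sample_output | review_items
sample_output | check_sniffers
```

On the poster's machine the five review lines are exactly the three items he marked in bold; on any other host the PID check reports "investigate" simply because PID 4665 is not his dhclient there, which is the point: the verification has to be done on the system that produced the output.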
 
Old 07-14-2007, 12:03 PM   #3
mexbeachbum
LQ Newbie
 
Registered: Jul 2007
Distribution: PCLOS 2007, Ubuntu Feisty, Mint
Posts: 21

Original Poster
Rep: Reputation: 15
Thank you unSpawn for your replies.

What I meant by not found is "is that a problem or is it normal?"

As for the rest, I'm not that familiar with these issues so I don't know how to get my package manager to identify it safely (only been here a few months). It sounds to me like I have a problem though.

I've updated Rootkit from terminal and I'm using 1.2.9. I don't know what CVS is. Can you give me a link?

P.S. I need to go for a while; a thunderstorm is here (literally). Please let me know - I'll check back later. Thanks.

Last edited by mexbeachbum; 07-14-2007 at 12:05 PM.
 
Old 07-14-2007, 01:52 PM   #4
RoughEdge
Member
 
Registered: Jan 2004
Location: Scotland
Distribution: Slackware 12
Posts: 67

Rep: Reputation: 15
I think what unSpawn meant about the "not found" issue was that the file it was looking for was not on your system, therefore it could not check to see if there were any problems with it. Generally speaking, I would assume that was ok. Just because you don't have it on your system doesn't mean it is something you would need. For example, the "telnetd" shows as not found. The program is checking to see if the telnet daemon is infected but has signified that it can't be found or is not installed on your system, so unless you know that you are running a telnet daemon, it's all good.

What unSpawn meant about checking your package manager was something like this. Please note I am unsure what package manager Ubuntu uses (apt-get??). I will presume apt-get however.

If you were unsure about the package named grep in your output (I know, just humour me), you would do

Code:
$ su
# apt-cache search grep
If you then see a package called grep, you can be sure it is a real program that is used on Linux systems for non-malicious reasons and the program chkrootkit will test to see if it is the original version or if it has been changed.

I hope that made at least some sense.

Last edited by RoughEdge; 07-14-2007 at 02:05 PM.
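A worked version of the package-manager identification both replies describe, added here and not RoughEdge's or unSpawn's code: for each path chkrootkit listed, ask dpkg (or rpm) which package owns it; fall back to file(1) and strings(1) for unowned files, as unSpawn suggests; and for owned files let dpkg -V / rpm -V compare the installed file against the checksums recorded at install time (chkrootkit itself looks for known rootkit signatures, not package integrity). The function names are mine; the commands are standard dpkg, rpm and coreutils ones, and the script assumes one of dpkg or rpm is present.

```shell
#!/bin/sh
# Added example, not code from the thread. Answers "which package put this file
# here?" for a path chkrootkit flagged, and "what is it?" when nothing owns it.

# Print the owning package name(s), comma-joined, or "unowned".
owner_of() {
    path=$1
    if command -v dpkg-query >/dev/null 2>&1; then
        # dpkg-query -S prints "pkg: /path"; keep only the package name
        owner=$(dpkg-query -S "$path" 2>/dev/null | sed 's/: .*//' | sort -u | paste -sd, -)
    elif command -v rpm >/dev/null 2>&1; then
        owner=$(rpm -qf "$path" 2>/dev/null | grep -v 'not owned' | paste -sd, -)
    else
        owner=""
    fi
    if [ -n "$owner" ]; then printf '%s\n' "$owner"; else echo unowned; fi
}

# Describe an unowned file: its type, plus a few printable strings, which
# usually contain the paths, URLs or program names that say where it came from.
describe_file() {
    path=$1
    if command -v file >/dev/null 2>&1; then
        file -b "$path"
    else
        echo "file(1) not installed; size: $(wc -c < "$path") bytes"
    fi
    if command -v strings >/dev/null 2>&1; then
        strings -n 6 "$path" | head -n 5
    fi
}

# Compare a package's installed files against the checksums in the package
# database; a modified system binary shows up here even if chkrootkit has no
# signature for whatever modified it.
verify_package() {
    pkg=$1
    if command -v dpkg >/dev/null 2>&1; then
        if dpkg -V "$pkg"; then echo "dpkg -V: $pkg matches its package checksums"
        else echo "dpkg -V: $pkg differs from the package (see lines above)"; fi
    elif command -v rpm >/dev/null 2>&1; then
        if rpm -V "$pkg"; then echo "rpm -V: $pkg matches its package database"
        else echo "rpm -V: $pkg differs from the package (see lines above)"; fi
    else
        echo "no dpkg or rpm found; cannot verify $pkg"
    fi
}

# Full triage for one path.
triage_path() {
    path=$1
    owner=$(owner_of "$path")
    printf '%s: ' "$path"
    if [ "$owner" = unowned ]; then
        echo "not owned by any package; look closer:"
        describe_file "$path"
    else
        echo "owned by $owner"
        for pkg in $(printf '%s' "$owner" | tr ',' ' '); do verify_package "$pkg"; done
    fi
}

# usage: sh triage.sh /usr/lib/firefox/.autoreg /usr/lib/security/classpath.security
for p in "$@"; do triage_path "$p"; done
```

Run it with the paths from the chkrootkit output as arguments. On the poster's Ubuntu the dot-files should come back owned by the firefox and sun-java6 packages (an assumption about that system, not something the thread confirms); a file that no package owns and whose strings mention nothing you installed is the one worth asking about.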
 