ChkRootkit Results?

mexbeachbum · 07-14-2007, 09:29 AM

Hi! Can someone please help with some curious results from my latest CHKRootkit scan?

Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not found
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/firefox/.autoreg
/usr/lib/jvm/java-6-sun-1.6.0.00/.systemPrefs
/usr/lib/jvm/.java-6-sun.jinfo
/lib/modules/2.6.20-16-generic/volatile/.mounted

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... /usr/lib/security
/usr/lib/security/classpath.security
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/sbin/dhclient3[4665])

My questions:
(1) What is the difference between not found and not infected?
(2) Bold #1 is this a problem or just java being java
(3) Bold #2 What is this?
(4) Bold #3 (I read elsewhere it is a false positive but I'm leery.)

Rootkithunter returns no problems.

Any help for me, please? I haven't been able to access the chkrootkit website.

Thanks in advance.

unSpawn · 07-14-2007, 10:20 AM

(1) What is the difference between not found and not infected?
Not found means what it means: "this item was not found". Not infected means the item was found, but no traces of malicious modification where encountered.

(2) Bold #1 is this a problem or just java being java
Look closely and you'll see it ain't Java alone, it's about dot-files. In ye aulden days filenames starting with a dot where thought useful for hiding names because you need to use the "-a" switch to list them.

(3) Bold #2 What is this?
Dunno. You find out. If unsure about a file try to get your distro's package manager to identify it, or if your distro's package manager isn't that capable use "file" and maybe "strings" on the file.

(4) Bold #3 (I read elsewhere it is a false positive but I'm leery.)
If /sbin/dhclient3 with PID 4665 *is* the DHCP client, then it's just the way the DHCP client listens (false positive).

Rootkithunter returns no problems.
Do me a favour and run version 1.3.0 from CVS?

mexbeachbum · 07-14-2007, 12:03 PM

Thank you unSpawn for your replies.

What I meant by not found is "is that a problem or is it normal?"

As for the rest, I'm not that familiar with these issues so I don't know to get my package manager to identify it safely (only been here a few months). It sounds to me like I have a problem though.

I've updated Rootkit from terminal and I'm using 1.2.9. I don't know what CVS is. Can you give me a link?

P.S. I need to go for a while a thunderstorm is here (literally). Please let me know - I'll check back later. Thanks.

RoughEdge · 07-14-2007, 01:52 PM

I think what unSpawn meant about the "not found" issue was that the file it was looking for was not on your system, therefore it could not check to see if there were any problems with it. Generally speaking, I would assume that was ok. Just because you don't have it on your system doesn't mean it is something you would need. For example, the "telnetd" shows as not found. The program is checking to see if the telnet deamon is infected but has signified that it can't be found or is not installed on your system, so unless you know that you are running a telnet deamon, it's all good.

What unSpawn meant about checking your package manager was something like this. Please not I am unsure what package manager Ubuntu uses (apt-get??). I will presume apt-get however.

If you were unsure about the package named grep in your output (I know, just humour me). You would do

Code:

$su

$apt-get search grep

If you then see a package called grep, you can be sure it is a real program that is used on linux systems for non-malicous reasons and the program chkrootkit will test to see if it is the original version or if it has been changed.

I hope that made at least some sense.