chkrootkit: tcpd
When I run chkrootkit, it reports:
Checking `tcpd'... INFECTED
I reinstalled the tcpip package from the Slackware DVD but chkrootkit still returns the same output.
If you really have a rootkit, you'll probably need to reinstall your system.
unSpawn is our resident security expert (and maintainer of rkhunter, which you may want to try as well) and can probably tell you a lot more than I can.
What version of Chkrootkit? Please run Chkrootkit with the "-x" and "-d" flags, output to file, then post the relevant part of the output between BB code tags. If you have any doubt use the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html to get assurance. If you have more than a hunch, run checks from a Live CD like Helix, KNOPPIX(-STD), Fire or equivalent.
"-d" basically is "set -x", which should show what it reacts on, and "-x" dumps all output, which could come in handy to see if it's a simple FP based on, say, a badly anchored grep. You'll find tcpd starting near line 20000; look for "thing=tcpd" and continue until the next "thing=" line, approx. 300 lines of output. The whole output file looks way too large to post to me, so cut out the relevant part, compress it and provide a D/L location if you can, or maybe post the lines in some pastebin on teh intarweb and provide a URI?
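The log-trimming step described above (find the "thing=tcpd" marker, keep everything up to the next "thing=" line), as an added shell example that is not from the thread or from chkrootkit itself. It assumes the "-d" trace marks each test with a line containing "thing=<name>", as the post says; the sample log is constructed here and only mimics the shape of a "set -x" trace.

```shell
#!/bin/sh
# Added example, not from the thread: cut one test's section out of a
# "chkrootkit -x -d" log so only the relevant ~300 lines get posted.
set -e

# extract_test_section LOGFILE TESTNAME
# Prints the lines from "thing=TESTNAME" up to, but not including, the next
# "thing=" marker, i.e. the debug output of that single test. The trailing
# boundary in the regex stops "tcp" from matching "tcpd" (assumption: every
# test starts with a "thing=<name>" line, as the post describes).
extract_test_section() {
    awk -v want="$2" '
        /thing=/ { inside = ($0 ~ ("thing=" want "($|[^A-Za-z0-9_])")) }
        inside   { print }
    ' "$1"
}

# count_test_lines LOGFILE TESTNAME
# Line count of that section, handy for judging whether it is small enough
# to paste directly or should be compressed and linked.
count_test_lines() {
    extract_test_section "$1" "$2" | wc -l | tr -d ' '
}

# make_sample_log PATH
# Writes a constructed trace with three tests; the "tcpd" block is the one
# we want to isolate. Real chkrootkit output is far longer.
make_sample_log() {
    cat >"$1" <<'EOF'
+ for thing in sendmail tcpd telnetd
+ thing=sendmail
+ printf 'Checking `sendmail'\''... '
+ thing=tcpd
+ printf 'Checking `tcpd'\''... '
+ files=/usr/sbin/tcpd
+ strings -a /usr/sbin/tcpd
Checking `tcpd'... not infected
+ thing=telnetd
+ printf 'Checking `telnetd'\''... '
EOF
}

# For a real run, capture both streams into one file; the order matters
# (stdout first, then stderr onto it), otherwise stderr stays on the terminal:
#   chkrootkit -x -d >/tmp/logfile 2>&1
# Here we work on the constructed log instead.
LOG=$(mktemp)
make_sample_log "$LOG"
extract_test_section "$LOG" tcpd
echo "tcpd section: $(count_test_lines "$LOG" tcpd) lines"
rm -f "$LOG"
```

Point the first argument at the real log (the file produced by the redirect shown in the comment) and the second at the test name; the extracted section is what belongs in the pastebin or the compressed attachment.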
My chkrootkit is version 0.46.
Code:
# chkrootkit -x -d &> rootkitlog
This last command returns nothing.
Uh. It's not like I told you to do *that*, did I?
OK, BTW it's at version 0.47 now. Remembering it can do separate tests, what does "chkrootkit -d tcpd" say?
Code:
bash-3.1# chkrootkit tcpd
Code:
bash-3.1# chkrootkit -d tcpd
Checking `tcpd'... not infected
Bummer. Opportunity gone.
OK. Let's cut this short, then; this is dragging on for too long. First upgrade to version 0.47. Then run "chkrootkit -x -d 2>&1>/tmp/logfile", bzip it and post the D/L URI.
|
Did what you said:
http://wilma.vub.ac.be/~lddekeyz/logfile.bz2
OK, I read your log:
Code:
wc -l mylog yourlog
To summarise:
- you replaced the binary from a "known good" source (or so I hope),
- running only the "tcpd" test does not return INFECTED status,
- running with debug and expert flags does not show INFECTED status for tcpd,
- Chkrootkit mailing list archives show no relevant threads on this subject,
- a diff between version 0.46a and 0.47 shows no differences I can relate to tcpd.
I suggest you first make certain (not guess or "assume") your system is clean. If unsure, run the test from a Live CD like Helix, KNOPPIX(-STD) or equivalent. If it is clean, attach your bzipped log and get on their mailing list or send it to Nelson directly with as many details as you can. I would appreciate it if you post back their findings. Sorry I couldn't be of more help.