Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
If you really have a rootkit, you'll probably need to reinstall your system.
unSpawn is our resident security expert (and maintainer of rkhunter, which you may want to try as well) and can probably tell you a lot more than I can.
What version of Chkrootkit? Please run Chkrootkit with the "-x" and "-d" flags, output to file, then post the relevant part of output between BB code tags. If you have any doubt use the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html to get assurance. If you have more than a hunch run checks from a Live CD like Helix, KNOPPIX-(STD), Fire or equiv.
"-d" basically is "set -x", which should show what it reacts on and "-x" dumps all output which could come in handy to see if it's a simple FP based on say a bad anchored grep. You'll find tcpd starting near line 20000, look for "thing=tcpd", continue until the next thing= line, approx. 300 lines of output. Posting the relevant part of the output file looks way too large to post to me so cut out the part, compress it and provide a D/L location if you can or maybe post the lines in some pastebin on teh intarweb and provide a URI?
bash-3.1# chkrootkit tcpd
ROOTDIR is `/'
Checking `tcpd'... not infected
Code:
bash-3.1# chkrootkit -d tcpd
+ '[' / '!=' / ']'
+ '[' '' '!=' t ']'
+ echo 'ROOTDIR is `/'\'''
ROOTDIR is `/'
+ for cmd in '${LIST}'
+ echo 'amd basename biff chfn chsh cron date du dirname echo egrep env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init killall ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed traceroute vdir w write'
+ /usr/bin/egrep '(^|[^A-Za-z0-9_])tcpd([^A-Za-z0-9_]|$)'
+ '[' '' '!=' t -a '' '!=' t ']'
+ printn 'Checking `tcpd'\''... '
++ /usr/bin/echo 'a\c'
++ /usr/bin/egrep c
+ /usr/bin/echo -n 'Checking `tcpd'\''... '
Checking `tcpd'... + chk_tcpd
+ STATUS=1
+ TCPD_INFECTED_LABEL='p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux'
+ '[' -r /etc/inetd.conf ']'
+ /usr/bin/ps auwx
+ /usr/bin/egrep xinetd
+ /usr/bin/egrep -v grep
+ '[' -z '' ']'
++ loc tcpd tcpd /usr/pkg/java/sun-1.5/bin /usr/pkg/bin /usr/pkg/xorg/bin /usr/pkg/java/sun-1.5/bin /usr/pkg/bin /usr/pkg/xorg/bin /usr/local/bin /usr/bin /bin /usr/X11R6/bin /usr/games . /sbin /usr/sbin /lib /usr/lib /usr/libexec .
++ thing=tcpd
++ shift
++ dflt=tcpd
++ shift
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/pkg/java/sun-1.5/bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/pkg/bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/pkg/xorg/bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/pkg/java/sun-1.5/bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/pkg/bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/pkg/xorg/bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/local/bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/X11R6/bin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/games/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f ./tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /sbin/tcpd
++ for dir in '$*'
++ case "$thing" in
++ for thisthing in '$dir/$thing'
++ :
++ test -f /usr/sbin/tcpd
++ echo /usr/sbin/tcpd
++ exit 0
+ CMD=/usr/sbin/tcpd
+ '[' tcpd = /usr/sbin/tcpd ']'
+ '[' '' = t ']'
+ /usr/bin/strings -a /usr/sbin/tcpd
+ /usr/bin/egrep 'p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux'
+ return 1
+ STATUS=1
+ '[' '' = t ']'
+ case $STATUS in
+ echo 'not infected'
not infected
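The chk_tcpd logic visible in the trace above (locate the binary, dump its strings, egrep for the TCPD_INFECTED_LABEL set, STATUS=1 meaning clean) reimplemented as an added example; this is not chkrootkit's own code. It substitutes grep -a for strings -a so it needs no binutils, runs on constructed sample files, and shows how the unanchored label "hack" fires on a harmless string (the "bad anchored grep" false positive unSpawn mentions) beside an anchored variant and a helper that prints the exact string that triggered the match.

```shell
#!/bin/sh
# Added example, not chkrootkit code: mirrors the chk_tcpd path in the -d trace.

# Label set copied verbatim from the TCPD_INFECTED_LABEL line in the trace.
TCPD_INFECTED_LABEL='p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux'

# loc()-style lookup: $1 = name, rest = search dirs; first regular file wins.
# Prints the path and returns 0, or returns 1 when nothing is found.
loc_bin() {
    name=$1; shift
    for dir in "$@"; do
        if [ -f "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# Same test chkrootkit performs: any label substring anywhere in the binary.
# grep -a scans binary data as text (stand-in for strings -a).
# Exit 0 = would be reported INFECTED, exit 1 = "not infected" (STATUS=1).
chk_tcpd_like() {
    grep -a -E "$TCPD_INFECTED_LABEL" "$1" >/dev/null
}

# Anchored variant: require a non-identifier character (or line edge) on both
# sides, the same boundary idiom the ${LIST} egrep in the trace uses for
# command names, so "hack" no longer matches inside "hackers" or "shack".
chk_tcpd_anchored() {
    grep -a -E "(^|[^A-Za-z0-9_])($TCPD_INFECTED_LABEL)([^A-Za-z0-9_]|$)" "$1" \
        >/dev/null
}

# Triage helper: print the distinct label fragments that actually matched, so a
# reported hit can be checked against the binary's legitimate strings.
tcpd_hits() {
    grep -a -o -E "$TCPD_INFECTED_LABEL" "$1" | sort -u
}

# Stand-alone run on a constructed sample (not a real tcpd binary).
if [ -z "$SKIP_DEMO" ]; then
    sample=$(mktemp)
    printf 'Usage: tcpd [options]\nreport hackers to abuse@\n' > "$sample"
    chk_tcpd_like "$sample" && echo "naive check: INFECTED (hit: $(tcpd_hits "$sample"))"
    chk_tcpd_anchored "$sample" || echo "anchored check: not infected"
    rm -f "$sample"
fi
```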
OK. Let's cut this short, then, dragging on for too long. First upgrade to version 0.47. Then run "chkrootkit -x -d 2>&1>/tmp/logfile", bzip it and post the D/L URI.
Then I checked your log to see if they were related to /usr/sbin/tcpd. None were. Also no "infected" status found for tcpd. Besides, there's way too many output differences. Did you upgrade to version 0.47 (just to make sure)? Now I think I'm pretty comfortable with Chkrootkit in many aspects, but this got me baffled.
To summarise:
- you replaced the binary from a "known good" source (or so I hope),
- running only "tcpd" test does not return INFECTED status,
- running with debug and expert flags does not show INFECTED status for tcpd,
- Chkrootkit mailing list archives show no relevant threads on this subject,
- a diff between version 0.46a and 0.47 shows no differences I can relate to tcpd.
I suggest you first make certain (not guess or "assume") your system is clean. If unsure run test from a Live CD like Helix, KNOPPIX(-STD) or equivalent. If it is clean, attach your bzipped log and get on their mailing list or send it to Nelson directly with as much details as you can. I would appreciate it if you post back their findings.