LinuxQuestions.org
Old 07-31-2006, 02:27 PM   #1
Old_Fogie
Senior Member
 
Registered: Mar 2006
Distribution: SLACKWARE 4TW! =D
Posts: 1,519

question about chkrootkit's output


hi all,

I just ran chkrootkit and was wondering if this is a normal output. chkrootkit doesn't say anything is bad. I believe it's just saying that it scanned these files.

I ran chkrootkit as root with the "./chkrootkit" command. Everything on my screen was either 'not infected' or 'not found'.

But this section here, well it did not say anything and I was wondering if this is a normal output.

I tested a Slackware 10.2 box.

Quote:
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/site_perl/5.8.7/i486-linux/auto/DBD/mysql/.packlist /usr/lib/perl5/site_perl/5.8.7/i486-linux/auto/DBI/.packlist /usr/lib/perl5/site_perl/5.8.7/i486-linux/auto/XML/Parser/.packlist /usr/lib/perl5/site_perl/5.8.7/i486-linux/auto/Image/Magick/.packlist /usr/lib/perl5/site_perl/5.8.7/i486-linux/auto/DCOP/.packlist /usr/lib/perl5/5.8.7/i486-linux/auto/Irssi/UI/.packlist /usr/lib/perl5/5.8.7/i486-linux/auto/Irssi/Irc/.packlist /usr/lib/perl5/5.8.7/i486-linux/auto/Irssi/TextUI/.packlist /usr/lib/perl5/5.8.7/i486-linux/auto/Irssi/.packlist /usr/lib/perl5/5.8.7/i486-linux/auto/Gaim/.packlist /usr/lib/perl5/5.8.7/i486-linux/.packlist /usr/lib/python2.4/site-packages/freeze/.cvsignore /usr/lib/php/.filemap /usr/lib/php/.lock /usr/lib/php/.registry /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.registry/.channel.pecl.php.net /usr/lib/php/.channels /usr/lib/php/.channels/.alias /usr/lib/php/.depdblock /usr/lib/php/.depdb /usr/lib/firefox-1.5.0.5/.autoreg /usr/lib/qt-3.3.4/.qmake.cache /usr/lib/qt-3.3.4/examples/demo/qasteroids/sprites/.pbm /usr/lib/qt-3.3.4/examples/toplevel/.ui /usr/lib/qt-3.3.4/examples/helpdemo/.ui /lib/modules/fglrx/build_mod/2.6.x/.tmp_versions /lib/modules/fglrx/build_mod/2.6.x/.firegl_public.o.cmd /lib/modules/fglrx/build_mod/2.6.x/.fglrx.o.cmd /lib/modules/fglrx/build_mod/2.6.x/.fglrx.mod.o.cmd /lib/modules/fglrx/build_mod/2.6.x/.fglrx.ko.cmd
/usr/lib/php/.registry /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.registry/.channel.pecl.php.net /usr/lib/php/.channels /usr/lib/php/.channels/.alias /usr/lib/qt-3.3.4/examples/toplevel/.ui /usr/lib/qt-3.3.4/examples/helpdemo/.ui /lib/modules/fglrx/build_mod/2.6.x/.tmp_versions
Searching for LPD Worm files and dirs... nothing found
Thank you in advance.
 
Old 07-31-2006, 02:50 PM   #2
Old_Fogie
Senior Member
 
Registered: Mar 2006
Distribution: SLACKWARE 4TW! =D
Posts: 1,519

Original Poster
I also ran rkhunter, and from what I can see by others posting this output is supposed to be normal also? Could someone please confirm?

Thank you so much.

Quote:
* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ Warning! ]
---------------
/dev/.udev.tdb /etc/.pwd.lock
---------------
Please inspect: /dev/.udev.tdb (directory)
 
Old 07-31-2006, 05:54 PM   #3
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

The chkrootkit output looks similar to mine (see below). It's finding the hidden files and reporting them. On my system I know those files are OK, because I installed the modules myself.
Code:
/usr/lib/perl5/5.8.8/i486-linux/auto/Gaim/.packlist /usr/lib/perl5/5.8.8/i486-linux/auto/DB_File/.packlist /usr/lib/perl5/5.8.8/i486-linux/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/GD/Text/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/GD/Graph/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/GD/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/DBD/mysql/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/DBI/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/XML/Parser/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/DCOP/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/Image/Magick/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/NetAddr/IP/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/Digest/SHA1/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/Digest/HMAC/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/HTML/Tagset/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/HTML/Parser/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/Net/IP/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/Net/DNS/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/Net/CIDR/Lite/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/Net/Ident/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/Net/SSLeay/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/Sys/Hostname/Long/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/URI/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/Mail/SPF/Query/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/Mail/SpamAssassin/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/IP/Country/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/IO/Socket/SSL/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/IO/Zlib/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/Compress/Zlib/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/LWP/.packlist 
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/Archive/Tar/.packlist /usr/lib/ICAClient/.config /usr/lib/ICAClient/config/.server /usr/lib/qt-3.3.6/.qmake.cache /usr/lib/qt-3.3.6/examples/demo/qasteroids/sprites/.pbm /usr/lib/qt-3.3.6/examples/toplevel/.ui /usr/lib/qt-3.3.6/examples/helpdemo/.ui /usr/lib/firefox-1.5.0.5/.autoreg
/usr/lib/ICAClient/.config /usr/lib/qt-3.3.6/examples/toplevel/.ui /usr/lib/qt-3.3.6/examples/helpdemo/.ui
 The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! -Ddisable.checkForUpdate=true       0 home=/u01/app/oracle/product/10.-Ddisable.checkForUpdate=true -Djava.awt.headless=true -jar /u01/app/oracle/product/10.2.0/db_1/oc4j/j2ee/home/oc4j.jar -config /u01/app/oracle/product/10.2.0/db_1/oc4j/j2ee/OC4J_DBConsole_fender.inflections.com.au_steve/config/server.xml
! root         6461 tty7   /usr/X11R6/bin/X -br -nolisten tcp :0 vt7 -auth /var/run/xauth/A:0-LSrIiC
In the rkhunter output, the /etc/.pwd.lock is also on my system. The /usr/local/etc/rkhunter.conf file has the following so I wouldn't be too worried about your output:
Code:
ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENDIR=/dev/.udev.tdb
ALLOWHIDDENDIR=/etc/.pwd.lock
I may be naive for trusting the developers of chkrootkit & rkhunter - but as far as I can tell my boxes are in good shape.
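The triage gilead describes (chkrootkit listing every dotfile it finds, rkhunter's ALLOWHIDDENDIR lines vouching for the ones you already know about), as an added example that is not from the thread or from either tool: it sweeps for hidden entries, drops anything covered by an rkhunter.conf-style allowlist, and prints only what still needs a look. The sample tree, the `.evil` path and the config lines are constructed; ALLOWHIDDENFILE is rkhunter's companion key for individual files.

```shell
#!/bin/sh
# Added example, not code from the thread, chkrootkit or rkhunter.

# Print the paths vouched for by ALLOWHIDDENDIR= / ALLOWHIDDENFILE= lines.
# Usage: load_allowlist <rkhunter.conf-style file>
load_allowlist() {
    sed -n -e 's/^[[:space:]]*ALLOWHIDDENDIR=//p' \
           -e 's/^[[:space:]]*ALLOWHIDDENFILE=//p' "$1"
}

# Sweep like chkrootkit's "suspicious files and dirs" check: any entry
# whose name starts with a dot. Usage: find_hidden <dir>...
find_hidden() {
    find "$@" -name '.*' ! -name '.' ! -name '..' 2>/dev/null | sort
}

# Print hidden entries the allowlist does not explain. An allowlisted
# directory covers everything beneath it. (Paths with spaces are not
# handled; neither tool's config uses them.)
# Usage: triage_hidden <conf-file> <dir>...
triage_hidden() {
    conf=$1; shift
    allow=$(load_allowlist "$conf")
    find_hidden "$@" | while IFS= read -r path; do
        ok=0
        for a in $allow; do
            case "$path" in
                "$a"|"$a"/*) ok=1; break ;;
            esac
        done
        [ "$ok" -eq 1 ] || printf '%s\n' "$path"
    done
}

# Constructed stand-in for /usr/lib, /dev and /etc plus a matching config.
# Prints the single unexplained path: <tmp>/usr/lib/.evil
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib/php/.registry" "$root/usr/lib/perl5/auto/DBI" \
             "$root/dev/.udev.tdb" "$root/etc"
    : > "$root/usr/lib/php/.registry/.channel.__uri"
    : > "$root/usr/lib/perl5/auto/DBI/.packlist"
    : > "$root/etc/.pwd.lock"
    : > "$root/usr/lib/.evil"   # constructed: a dotfile nobody installed
    cat > "$root/rkhunter.conf" <<EOF
ALLOWHIDDENDIR=$root/dev/.udev.tdb
ALLOWHIDDENDIR=$root/etc/.pwd.lock
ALLOWHIDDENDIR=$root/usr/lib/php/.registry
ALLOWHIDDENFILE=$root/usr/lib/perl5/auto/DBI/.packlist
EOF
    triage_hidden "$root/rkhunter.conf" "$root/usr/lib" "$root/dev" "$root/etc"
    rm -rf "$root"
}
```

On a real box, point triage_hidden at /usr/local/etc/rkhunter.conf and the directories chkrootkit listed, and add an ALLOWHIDDENDIR line for each entry you have verified by hand so the next nightly run only reports what changed.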
 
Old 07-31-2006, 09:13 PM   #4
Old_Fogie
Senior Member
 
Registered: Mar 2006
Distribution: SLACKWARE 4TW! =D
Posts: 1,519

Original Poster
Thanks for the reply gilead. It's good to get some feedback.

Regarding trust for chkrootkit & rkhunter: I was following Jeremy of LQ's guide for security. Is there anything else you think I may want to look into?

I'm getting so close to being Slackware only now and I'm in the final stage, which will probably take a lifetime, but trying to figure out how to "lock down" my computer too and develop good security from the beginning.

I've got the firewall and antivirus part and just started these 2 apps for rootkits. Any other pointers greatly appreciated.
 
Old 07-31-2006, 11:32 PM   #5
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

hmmm, where to start...

I get an email each morning with the output of chkrootkit and rkhunter's scans (cron is my friend). I also get an email from logwatch. Jeremy has an article on this at http://www.linuxquestions.org/linux/..._Watching_DVDs. If you don't feel like installing it manually, there's a package at logwatch-5.2.2-noarch-1aru.tgz. It provides a summary of my web, mail and samba logs - if anything looks odd I check through the main log file.

I also have calamaris sending me reports from my proxy server and a bash script that summarises the minor log files to a web page and emails me when it's done.

Another audit tool I quite like is tripwire. However, it's no good on boxes where you're tinkering or updating stuff every couple of days - the number of false positives will drive you crazy. If you decide to look at it I posted some stuff on installing it here at http://www.linuxquestions.org/questi...93#post2035193.

Occasionally I browse the pages here at http://www.linuxquestions.org/questi...ad.php?t=45261 - there's a heap of good stuff there.

I've been off sick from work the last 2 days so I'm sure there's other stuff I'm forgetting - I'll grab a coffee and read other folks' suggestions here, maybe that will get my brain working again.
 
Old 08-01-2006, 02:04 AM   #6
Old_Fogie
Senior Member
 
Registered: Mar 2006
Distribution: SLACKWARE 4TW! =D
Posts: 1,519

Original Poster
LOL, whoa, be careful of what you ask for, you might get it... a ton of reading, that is.

No, I'm joking, thank you soooo very much. I'm going to get started on reading that all too, after I grab me a cup of coffee too.

Bye for now.
 
Old 08-01-2006, 02:54 AM   #7
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

No problem - I hope it's useful.
 
Old 08-01-2006, 09:32 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Just don't try to read all at once or you'll need more than coffee.
 