Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
07-31-2006, 02:27 PM, #1
Senior Member | Registered: Mar 2006 | Distribution: SLACKWARE 4TW! =D | Posts: 1,519
question about chkrootkit's output
hi all,
I just ran chkrootkit and was wondering if this is normal output. chkrootkit doesn't say anything is bad; I believe it's just saying that it scanned these files.
I ran chkrootkit as root with the "./chkrootkit" command. Everything on my screen was either 'not infected' or 'not found'.
But this section here did not say anything, and I was wondering if this is normal output.
I tested a Slackware 10.2 box.
Quote:
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/site_perl/5.8.7/i486-linux/auto/DBD/mysql/.packlist
/usr/lib/perl5/site_perl/5.8.7/i486-linux/auto/DBI/.packlist
/usr/lib/perl5/site_perl/5.8.7/i486-linux/auto/XML/Parser/.packlist
/usr/lib/perl5/site_perl/5.8.7/i486-linux/auto/Image/Magick/.packlist
/usr/lib/perl5/site_perl/5.8.7/i486-linux/auto/DCOP/.packlist
/usr/lib/perl5/5.8.7/i486-linux/auto/Irssi/UI/.packlist
/usr/lib/perl5/5.8.7/i486-linux/auto/Irssi/Irc/.packlist
/usr/lib/perl5/5.8.7/i486-linux/auto/Irssi/TextUI/.packlist
/usr/lib/perl5/5.8.7/i486-linux/auto/Irssi/.packlist
/usr/lib/perl5/5.8.7/i486-linux/auto/Gaim/.packlist
/usr/lib/perl5/5.8.7/i486-linux/.packlist
/usr/lib/python2.4/site-packages/freeze/.cvsignore
/usr/lib/php/.filemap
/usr/lib/php/.lock
/usr/lib/php/.registry
/usr/lib/php/.registry/.channel.__uri
/usr/lib/php/.registry/.channel.pecl.php.net
/usr/lib/php/.channels
/usr/lib/php/.channels/.alias
/usr/lib/php/.depdblock
/usr/lib/php/.depdb
/usr/lib/firefox-1.5.0.5/.autoreg
/usr/lib/qt-3.3.4/.qmake.cache
/usr/lib/qt-3.3.4/examples/demo/qasteroids/sprites/.pbm
/usr/lib/qt-3.3.4/examples/toplevel/.ui
/usr/lib/qt-3.3.4/examples/helpdemo/.ui
/lib/modules/fglrx/build_mod/2.6.x/.tmp_versions
/lib/modules/fglrx/build_mod/2.6.x/.firegl_public.o.cmd
/lib/modules/fglrx/build_mod/2.6.x/.fglrx.o.cmd
/lib/modules/fglrx/build_mod/2.6.x/.fglrx.mod.o.cmd
/lib/modules/fglrx/build_mod/2.6.x/.fglrx.ko.cmd

/usr/lib/php/.registry
/usr/lib/php/.registry/.channel.__uri
/usr/lib/php/.registry/.channel.pecl.php.net
/usr/lib/php/.channels
/usr/lib/php/.channels/.alias
/usr/lib/qt-3.3.4/examples/toplevel/.ui
/usr/lib/qt-3.3.4/examples/helpdemo/.ui
/lib/modules/fglrx/build_mod/2.6.x/.tmp_versions
Searching for LPD Worm files and dirs... nothing found
Thank you in advance.
07-31-2006, 02:50 PM, #2
Senior Member | Registered: Mar 2006 | Distribution: SLACKWARE 4TW! =D | Posts: 1,519 | Original Poster
I also ran rkhunter, and from what I can see from others' posts this output is supposed to be normal too? Could someone please confirm?
Thank you so much.
Quote:
* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ Warning! ]
---------------
/dev/.udev.tdb /etc/.pwd.lock
---------------
Please inspect: /dev/.udev.tdb (directory)
07-31-2006, 05:54 PM, #3
Senior Member | Registered: Dec 2005 | Location: Brisbane, Australia | Distribution: Slackware64 14.0 | Posts: 4,141
The chkrootkit output looks similar to mine (see below). It's finding the hidden files and reporting them. On my system I know those files are OK, because I installed the modules myself.
Code:
/usr/lib/perl5/5.8.8/i486-linux/auto/Gaim/.packlist
/usr/lib/perl5/5.8.8/i486-linux/auto/DB_File/.packlist
/usr/lib/perl5/5.8.8/i486-linux/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/GD/Text/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/GD/Graph/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/GD/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/DBD/mysql/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/DBI/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/XML/Parser/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/DCOP/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/Image/Magick/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/NetAddr/IP/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/Digest/SHA1/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/Digest/HMAC/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/HTML/Tagset/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/HTML/Parser/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/Net/IP/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/Net/DNS/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/Net/CIDR/Lite/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/Net/Ident/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/Net/SSLeay/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/Sys/Hostname/Long/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/URI/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/Mail/SPF/Query/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/Mail/SpamAssassin/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/IP/Country/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/IO/Socket/SSL/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/IO/Zlib/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/Compress/Zlib/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/LWP/.packlist
/usr/lib/perl5/site_perl/5.8.8/i486-linux/auto/Archive/Tar/.packlist
/usr/lib/ICAClient/.config
/usr/lib/ICAClient/config/.server
/usr/lib/qt-3.3.6/.qmake.cache
/usr/lib/qt-3.3.6/examples/demo/qasteroids/sprites/.pbm
/usr/lib/qt-3.3.6/examples/toplevel/.ui
/usr/lib/qt-3.3.6/examples/helpdemo/.ui
/usr/lib/firefox-1.5.0.5/.autoreg

/usr/lib/ICAClient/.config
/usr/lib/qt-3.3.6/examples/toplevel/.ui
/usr/lib/qt-3.3.6/examples/helpdemo/.ui
The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! -Ddisable.checkForUpdate=true 0 home=/u01/app/oracle/product/10.-Ddisable.checkForUpdate=true -Djava.awt.headless=true -jar /u01/app/oracle/product/10.2.0/db_1/oc4j/j2ee/home/oc4j.jar -config /u01/app/oracle/product/10.2.0/db_1/oc4j/j2ee/OC4J_DBConsole_fender.inflections.com.au_steve/config/server.xml
! root 6461 tty7 /usr/X11R6/bin/X -br -nolisten tcp :0 vt7 -auth /var/run/xauth/A:0-LSrIiC
In the rkhunter output, /etc/.pwd.lock is also on my system. The /usr/local/etc/rkhunter.conf file has the following, so I wouldn't be too worried about your output:
Code:
ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENDIR=/dev/.udev.tdb
ALLOWHIDDENDIR=/etc/.pwd.lock
I may be naive for trusting the developers of chkrootkit & rkhunter - but as far as I can tell my boxes are in good shape.
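The two ways the reply above explains a hidden path (it is allowlisted in rkhunter.conf, or it belongs to a package you installed yourself) can be turned into a small triage script. This is an added example, not chkrootkit's or rkhunter's own code: it reads a list of paths such as the scanners print, checks each against an allowlist written in rkhunter's ALLOWHIDDENDIR=/ALLOWHIDDENFILE= syntax, and on Slackware asks whether any package log in /var/log/packages lists the path. The findings file, the allowlist contents and the /tmp/.constructed_example path are constructed sample data.

```shell
#!/bin/sh
# Added example: triage the hidden files and directories a rootkit scanner
# reports. A path is "explained" if it is allowlisted in rkhunter's
# ALLOWHIDDENDIR= / ALLOWHIDDENFILE= syntax, or (on Slackware) if a package
# log in /var/log/packages lists it, which is the "I installed it myself"
# check from the thread. Everything else is marked REVIEW.
# Not chkrootkit's or rkhunter's own code; the findings and the allowlist
# below are constructed sample data modelled on the thread's output.

PKGLOG_DIR="${PKGLOG_DIR:-/var/log/packages}"   # Slackware package database
FINDINGS="${TMPDIR:-/tmp}/hidden-findings.$$"
ALLOWLIST="${TMPDIR:-/tmp}/rkhunter-allow.$$"
trap 'rm -f "$FINDINGS" "$ALLOWLIST"' EXIT

# is_allowed PATH ALLOWLIST: true if PATH appears as an ALLOWHIDDEN* entry.
is_allowed() {
    grep -Fxq -e "ALLOWHIDDENDIR=$1" -e "ALLOWHIDDENFILE=$1" "$2"
}

# owned_by_package PATH: print the Slackware package(s) whose file list
# contains PATH (package logs record paths without the leading slash);
# false if no package owns it or the package database is not present.
owned_by_package() {
    _rel=${1#/}
    [ -d "$PKGLOG_DIR" ] || return 1
    _owners=$(grep -Flx -- "$_rel" "$PKGLOG_DIR"/* 2>/dev/null | sed 's#.*/##')
    [ -n "$_owners" ] && printf '%s\n' "$_owners"
}

# triage FINDINGS ALLOWLIST: one line per path, tagged ALLOWED, PACKAGED or REVIEW.
triage() {
    while IFS= read -r _path; do
        [ -n "$_path" ] || continue
        if is_allowed "$_path" "$2"; then
            printf 'ALLOWED  %s\n' "$_path"
        elif _pkg=$(owned_by_package "$_path"); then
            printf 'PACKAGED %s (%s)\n' "$_path" "$(printf '%s\n' "$_pkg" | head -n 1)"
        else
            printf 'REVIEW   %s\n' "$_path"
        fi
    done < "$1"
}

# unexplained_count FINDINGS ALLOWLIST: number of REVIEW lines, i.e. the
# paths a human still has to look at.
unexplained_count() {
    triage "$1" "$2" | grep -c '^REVIEW' || true
}

# Constructed sample input: the two rkhunter hits and one chkrootkit hit
# from the thread, plus a made-up path that nothing explains.
cat > "$FINDINGS" <<'EOF'
/dev/.udev.tdb
/etc/.pwd.lock
/usr/lib/perl5/site_perl/5.8.7/i486-linux/auto/DBI/.packlist
/tmp/.constructed_example
EOF

# Constructed allowlist in rkhunter.conf syntax (the entries quoted above).
cat > "$ALLOWLIST" <<'EOF'
ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENDIR=/dev/.udev.tdb
ALLOWHIDDENDIR=/etc/.pwd.lock
EOF

triage "$FINDINGS" "$ALLOWLIST"
echo "paths still needing review: $(unexplained_count "$FINDINGS" "$ALLOWLIST")"
```

On a box without /var/log/packages the .packlist entry and the constructed path both come out as REVIEW; on a Slackware box the .packlist is normally claimed by the package that installed the Perl module and is tagged PACKAGED with that package name. Either way the point is that only the REVIEW lines need a person, which is what keeps a daily scan readable.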
07-31-2006, 09:13 PM, #4
Senior Member | Registered: Mar 2006 | Distribution: SLACKWARE 4TW! =D | Posts: 1,519 | Original Poster
Thanks for the reply gilead. It's good to get some feedback.
Regarding trust for chkrootkit & rkhunter: I was following Jeremy of LQ's guide for security. Is there anything else you think I may want to look into?
I'm getting so close to being Slackware-only now and I'm in the final stage, which will probably take a lifetime, but I'm trying to figure out how to "lock down" my computer too and develop good security from the beginning.
I've got the firewall and antivirus part, and just started these 2 apps for rootkits. Any other pointers greatly appreciated.
07-31-2006, 11:32 PM, #5
Senior Member | Registered: Dec 2005 | Location: Brisbane, Australia | Distribution: Slackware64 14.0 | Posts: 4,141
hmmm, where to start...
I get an email each morning with the output of chkrootkit and rkhunter's scans (cron is my friend). I also get an email from logwatch. Jeremy has an article on this at http://www.linuxquestions.org/linux/..._Watching_DVDs. If you don't feel like installing it manually, there's a package at logwatch-5.2.2-noarch-1aru.tgz. It provides a summary of my web, mail and samba logs - if anything looks odd I check through the main log file.
I also have calamaris sending me reports from my proxy server and a bash script that summarises the minor log files to a web page and emails me when it's done.
Another audit tool I quite like is tripwire. However, it's no good on boxes where you're tinkering or updating stuff every couple of days - the number of false positives will drive you crazy. If you decide to look at it I posted some stuff on installing it here at http://www.linuxquestions.org/questi...93#post2035193.
Occasionally I browse the pages here at http://www.linuxquestions.org/questi...ad.php?t=45261 - there's a heap of good stuff there.
I've been off sick from work the last 2 days so I'm sure there's other stuff I'm forgetting - I'll grab a coffee and read other folks' suggestions here, maybe that will get my brain working again.
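The "email each morning with the output of chkrootkit and rkhunter" routine above works best when the mail only arrives with something new in it, otherwise the known-good hidden files from the earlier posts show up every day and get ignored. The cron wrapper below is an added example, not code from the thread, chkrootkit, rkhunter or logwatch: it runs both scanners, strips the "all clear" lines, diffs the remainder against the previous run and mails only the delta. The scanner paths, state directory, mail recipient and the sample scanner output in sample_scan_output are assumptions.

```shell
#!/bin/sh
# Added example: a cron wrapper in the spirit of the daily scan emails
# described above. It runs chkrootkit and rkhunter, drops their "all clear"
# lines, and mails only findings that were not present in the previous run,
# so a stable set of known hidden files does not produce a new email daily.
# Not chkrootkit's, rkhunter's or logwatch's own code; scanner paths, the
# state directory, the mail recipient and the sample output are assumptions.
# Example crontab line (assumed install path):
#   0 4 * * * /usr/local/sbin/rootkit-scan.sh run

STATE_DIR="${STATE_DIR:-/var/lib/rootkit-scan}"
MAIL_TO="${MAIL_TO:-root}"
CHKROOTKIT="${CHKROOTKIT:-/usr/local/chkrootkit/chkrootkit}"   # assumed path
RKHUNTER="${RKHUNTER:-/usr/local/bin/rkhunter}"                 # assumed path

# filter_noise: stdin -> stdout, keeping only lines that are not a plain pass.
filter_noise() {
    grep -Ev 'not infected|not found|nothing found|\[ OK \]|^[[:space:]]*$' \
        | sed 's/^[[:space:]]*//'
}

# new_findings PREV CUR: lines of file CUR that are not in file PREV
# (PREV may be missing on the first run). Both are sorted for comm(1).
new_findings() {
    _p=$(mktemp) && _c=$(mktemp) || return 1
    { [ -f "$1" ] && cat "$1"; } | sort -u > "$_p"
    sort -u "$2" > "$_c"
    comm -13 "$_p" "$_c"
    rm -f "$_p" "$_c"
}

# run_scans: combined scanner output; a missing scanner is reported, not fatal.
run_scans() {
    if [ -x "$CHKROOTKIT" ]; then "$CHKROOTKIT" 2>&1
    else echo "chkrootkit not found at $CHKROOTKIT"; fi
    if [ -x "$RKHUNTER" ]; then "$RKHUNTER" --check --skip-keypress 2>&1
    else echo "rkhunter not found at $RKHUNTER"; fi
}

# main: scan, compare with the previous run, mail the delta, rotate state.
main() {
    mkdir -p "$STATE_DIR"
    _cur="$STATE_DIR/findings.new"
    _prev="$STATE_DIR/findings.prev"
    run_scans | filter_noise > "$_cur"
    _delta=$(new_findings "$_prev" "$_cur")
    if [ -n "$_delta" ]; then
        printf 'New scanner findings on %s:\n\n%s\n' "$(hostname)" "$_delta" \
            | mail -s "rootkit-scan: new findings on $(hostname)" "$MAIL_TO"
    fi
    mv -f "$_cur" "$_prev"
}

# sample_scan_output: constructed lines in the shape of the thread's output,
# used to exercise the filters without running the real scanners.
sample_scan_output() {
    cat <<'EOF'
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.7/i486-linux/auto/Gaim/.packlist
Searching for LPD Worm files and dirs... nothing found
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ Warning! ]
Please inspect: /dev/.udev.tdb (directory)
EOF
}

# Only scan when invoked with "run" (as from cron); a bare invocation just
# shows what the noise filter keeps from the sample.
if [ "${1:-}" = run ]; then
    main
else
    sample_scan_output | filter_noise
fi
```

The previous run's filtered output is kept in the state directory, so after the first email the known .packlist and /dev/.udev.tdb lines stop arriving and a genuinely new hidden path is the only thing in the next message. Because it compares text lines, a scanner version change that rewords its messages will produce one noisy email, which is the trade-off for not maintaining a separate allowlist.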
08-01-2006, 02:04 AM, #6
Senior Member | Registered: Mar 2006 | Distribution: SLACKWARE 4TW! =D | Posts: 1,519 | Original Poster
LOL, whoa, be careful what you ask for, you might get it... a ton of reading, that is.
No, I'm joking. Thank you soooo very much. I'm going to get started on reading all that too, after I grab me a cup of coffee too.
Bye for now.
08-01-2006, 02:54 AM, #7
Senior Member | Registered: Dec 2005 | Location: Brisbane, Australia | Distribution: Slackware64 14.0 | Posts: 4,141
No problem - I hope it's useful
08-01-2006, 09:32 AM, #8
Moderator | Registered: May 2001 | Posts: 29,415
Just don't try to read all at once or you'll need more than coffee.