LinuxQuestions.org
09-13-2007, 06:54 PM   #1
linuxhippy
Senior Member
 
Registered: Sep 2004
Location: Philadelphia, PA
Distribution: Xubuntu, Mythbuntu, Lubuntu, Picuntu, Mint 18.1, Debian Jessie
Posts: 1,207

Rep: Reputation: 47
using chkrootkit on my server


I just used chkrootkit-0.47 on my Slackware 12 server running kernel-2.6.22.6 and iptables 1.38. I just installed it last weekend and am fairly certain it's not been cracked into yet. It serves mp3s with gnump3d which uses user nobody along with tor. The only flagged output message with chkrootkit was this:

Checking `crontab'... Warning: crontab for nobody found, possible Lupper.Worm

Should I be concerned about this? I changed nobody's password with root so that I could log in. I cannot log in to user nobody... as soon as I log in it bounces me out.
 
09-13-2007, 07:42 PM   #2
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168
I got the same thing - on an isolated system that I was pretty sure hadn't been compromised during the upgrade. I haven't made the time to check why the following line returns true:
Code:
if  ${CMD} -l -u nobody >/dev/null 2>&1
I'm not worried since, according to http://vil.nai.com/vil/content/v_136821.htm, Lupper affects web servers running vulnerable scripts and my web server runs as apache, not nobody. Until I do, I've added the following to the chkrootkit cron job on the box and they always confirm that the users do not have a crontab and it's a false positive:
Code:
/usr/bin/crontab -l -u apache 2>&1
/usr/bin/crontab -l -u nobody 2>&1
The code from chkrootkit looks like it's supposed to add the value of the STATUS variable (infected or not) to that message. It could be as simple as the not infected state is not being written to the variable.
 
09-13-2007, 07:57 PM   #3
linuxhippy
Senior Member
 
Registered: Sep 2004
Location: Philadelphia, PA
Distribution: Xubuntu, Mythbuntu, Lubuntu, Picuntu, Mint 18.1, Debian Jessie
Posts: 1,207

Original Poster
Rep: Reputation: 47
Nice! I get this about crontab for nobody:

no crontab for nobody

Guess it was a false positive!
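
Added example, not part of the thread and not chkrootkit's own code: a shell check for triaging this warning that looks at what `crontab -l -u` prints instead of trusting its exit status alone, which is the test quoted in post #2. The `stub_*` functions are constructed stand-ins for crontab(1), and the "no crontab for USER" wording is assumed to match the message quoted in post #3.

```shell
#!/bin/sh
# Added example (not chkrootkit's code): decide whether an account really has
# crontab entries from the listing itself, not only from the exit status.

# The test quoted in the thread: trusts the exit status of `CMD -l -u USER`.
status_only() { "$1" -l -u "$2" >/dev/null 2>&1; }

# user_has_crontab CMD USER
#   CMD  - crontab command to run (e.g. /usr/bin/crontab, or a stub below)
#   USER - account to inspect (listing another user's crontab needs root)
# Returns 0 only if at least one active (non-blank, non-comment) line exists.
user_has_crontab() {
    cmd=$1
    user=$2
    # Capture stdout and stderr together; the "no crontab" notice goes to stderr.
    out=$("$cmd" -l -u "$user" 2>&1) || true
    # Drop the notice, blank lines and comments; whatever remains is an entry.
    active=$(printf '%s\n' "$out" |
        grep -v -e '^no crontab for ' -e '^[[:space:]]*$' -e '^[[:space:]]*#') || true
    [ -n "$active" ]
}

# Constructed stand-ins for crontab(1) so this runs offline and without root.
# Each is called as: stub -l -u USER, so $3 is the user name.
stub_none()     { echo "no crontab for $3" >&2; return 1; }  # usual "no crontab" case
stub_none_rc0() { echo "no crontab for $3" >&2; return 0; }  # status claims success anyway
stub_comments() { printf '# m h dom mon dow command\n\n'; }  # file exists, nothing active
stub_entries()  { printf '# nightly job\n15 3 * * * /usr/local/bin/backup.sh\n'; }

# Compare both checks on every constructed case.
for s in stub_none stub_none_rc0 stub_comments stub_entries; do
    if status_only "$s" nobody; then st="flags"; else st="clear"; fi
    if user_has_crontab "$s" nobody; then ct="entries found, review them"
    else ct="no active entries"; fi
    echo "$s: status-only check $st; content check: $ct"
done
```

On a real host, call `user_has_crontab /usr/bin/crontab nobody` as root and review the listed entries by hand if it returns 0.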
 
All times are GMT -5.