weird pregmatch in chkrootkit

qwertyjjj · 09-27-2009, 04:00 AM

I got this in ym chkrootkit today whereas before it has been clean.
ANy ideas?

Code:

Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         3187 tty6   /sbin/mingetty tty6
! RSTART      24942 r(filename, - 1);?      } else {?        filename_no_gz = filename;?      }?      match(filename_no_gz, "/[^/]+$");?      progname = substr(filename, RSTART + 1, RLENGTH - 1);?      if (match(progname, "\\." section "[A-Za-z]+")) {?        actual_section = substr(progna! da?         16232 |      $2 ~ /^NUME/ ||             # ro?            $2 ~ /^BEZEICHNUNG/ ||      # de?            $2 ~ /^NOMBRE/ ||           # es?            $2 ~ /^NIMI/ ||             # fi?            $2 ~ /^NOM/ ||              # fr?            $2 ~ /^IME/ ||              # sh?chkutmp: nothing deleted

unSpawn · 09-27-2009, 04:17 AM

The PID of the process is known (24942), so what does 'lsof -P -w -n -p 24942' show? (Most likely this is 'makewhatis'. As answer that may be satisfactory but that's wrong: you should focus on the methods you need to be able to find out things yourself.)

qwertyjjj · 09-27-2009, 04:27 AM

Quote:

Originally Posted by unSpawn

The PID of the process is known (24942), so what does 'lsof -P -w -n -p 24942' show? (Most likely this is 'makewhatis'. As answer that may be satisfactory but that's wrong: you should focus on the methods you need to be able to find out things yourself.)

lsof 24942 shows nothing.
Just strange that nothing had been appearing with all those charatcters in recent reports

When I rerun now I only get this. It looks like the code of chkrootkit somehow came out in the report ?

Code:

Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         3187 tty6   /sbin/mingetty tty6
chkutmp: nothing deleted

unSpawn · 09-27-2009, 04:46 AM

Quote:

Originally Posted by qwertyjjj

lsof 24942 shows nothing.

Please be precise. I said 'lsof -P -w -n -p 24942'!

Quote:

Originally Posted by qwertyjjj

Just strange that nothing had been appearing with all those charatcters in recent reports

Because the process already finished?..

Quote:

Originally Posted by qwertyjjj

It looks like the code of chkrootkit somehow came out in the report ?

I already pointed you to 'makewhatis' and I said you should focus on the methods of getting information. So: 'locate makewhatis; file /usr/sbin/makewhatis; grep filename_no_gz /usr/sbin/makewhatis'. If you think "the code of chkrootkit somehow came out in the report" then by all means try: 'locate chkrootkit; file /path/to/chkrootkit; grep filename_no_gz /path/to/chkrootkit', OK?

qwertyjjj · 09-27-2009, 05:01 AM

Quote:

Originally Posted by unSpawn

Please be precise. I said 'lsof -P -w -n -p 24942'!

Sorry, was just abbreviating:

Code:

[root@localhost ~]# lsof -P -w -n -p 24942
[root@localhost ~]#

Quote:

Because the process already finished?..
I already pointed you to 'makewhatis' and I said you should focus on the methods of getting information. So: 'locate makewhatis; file /usr/sbin/makewhatis; grep filename_no_gz /usr/sbin/makewhatis'. If you think "the code of chkrootkit somehow came out in the report" then by all means try: 'locate chkrootkit; file /path/to/chkrootkit; grep filename_no_gz /path/to/chkrootkit', OK?

makewhatis seems to have a completely different process number.

Code:

[root@localhost ~]# grep filename_no_gz /usr/sbin/makewhatis
        filename_no_gz = substr(filename, 0, RSTART - 1);
        filename_no_gz = filename;
      match(filename_no_gz, "/[^/]+$");
[root@localhost ~]# ps aux| grep makewhatis
root     32760  0.0  0.0   4116   620 pts/0    SN+  10:59   0:00 grep makewhatis
[root@localhost ~]#

Code:

[root@localhost ~]# grep filename_no_gz /usr/bin/chkrootkit
[root@localhost ~]#

unSpawn · 09-28-2009, 10:43 AM

Quote:

Originally Posted by qwertyjjj

makewhatis seems to have a completely different process number.

Since you didn't post timestamps for the inital and this command it may point to a different 'makewhatis' run. BTW, you don't have to actually post the 'locate makewhatis; file /usr/sbin/makewhatis; grep filename_no_gz /usr/sbin/makewhatis' output, how did you think I came up with those commands?..

qwertyjjj · 09-29-2009, 02:54 AM

Quote:

Originally Posted by unSpawn

Since you didn't post timestamps for the inital and this command it may point to a different 'makewhatis' run. BTW, you don't have to actually post the 'locate makewhatis; file /usr/sbin/makewhatis; grep filename_no_gz /usr/sbin/makewhatis' output, how did you think I came up with those commands?..

Quote:

makewhatis reads all the manual pages contained in the given sections of manpath or the preformatted pages contained in the given sections of catpath. For each page, it writes a line in the whatis database; each line consists of the name of the page and a short description, separated by a dash. The description is extracted using the content of the NAME section of the manual page.

Not sure I really understand the point of makehwhatis and why it would have a different process ID. The chkrootkit report was run at 00:00 and the manual entries I posted above were done 9hrs later.

unSpawn · 09-30-2009, 09:59 AM

Quote:

Originally Posted by qwertyjjj

Not sure I really understand the point of makehwhatis

See 'apropos makewhatis; man makewhatis'.

Quote:

Originally Posted by qwertyjjj

and why it would have a different process ID.

I'ts not a daemon or something so makewhatis usually runs from a cronjob.