0. Not the right PWD.
Quote:
Checking `ldsopreload'... can't exec ./strings-static, not tested
This means you didn't run CRT from the directory where it resides and that is a bad idea since it still can't find the compiled helper binaries on its own.
1. Suspicious files.
Quote:
Searching for suspect PHP files...
New in CRT-0.48, the code looks like this:
Code:
printn "Searching for suspect PHP files... "; fi
files="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -name '*.php' 2> /dev/null`"
fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec head -1 {} \; | grep php 2> /dev/null`"
This piece of code searches the directory names "/tmp" and "/var/tmp" for filenames that end in ".php". The first line of each result is then grepped for the string "php" and the result of that is shown.
There are a few problems attached to this:
- it is an inflexible approach: the directory names are hardcoded in the source, what if you configured another directory?
- it is crude: only filenames that end in ".php" are found: no variations like say ".php3" or include files or PHP files that just don't have the extension,
- it does nothing but signal that a file has the case-sensitive string "php",
- its header says "suspect" but that is only true if there should not be any PHP scripts in temporary directories (which shouldn't be the case), but a script is only hostile if the PHP code allows hostile actions.
You'll see false positives if you run CRT while using /tmp as a temporary directory for unpacking and installing PHP-based applications. Not to promote Rootkit Hunter but that's why I added "suspscan" (which is off by default) to be configurable and only look for terms (updates and additions welcome) that signal hostile intentions.
2. Dunno
I think we're missing some lines before "Searching for anomalies in shell history files... nothing found". Maybe you didn't paste right.
I'd run CRT again in debug mode (cd /wherever/its/installedorcompiled; sh -vx ./chkrootkit --any-args-you-need 2>&1 | tee ./chkrootkit.tee ) and attach that to a post to the crt-users mailing list for Nelson to answer.
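As an added illustration of the points raised under "1. Suspicious files" (this is example code written for this post, not chkrootkit's own check), here is a more configurable version of the same idea: the directory list and the extension list are variables (SUSPECT_DIRS and PHP_EXTS are assumed names, not chkrootkit settings), extension variants such as ".php3" are matched, and the content test looks for an opening PHP tag or a php shebang, case-insensitively, instead of the bare string "php". The sample tree it scans is constructed by the script itself so it runs offline.

```shell
#!/bin/sh
# Added example, not chkrootkit code. Finds files in temporary directories
# that look like PHP scripts, by name OR by first line.
# SUSPECT_DIRS and PHP_EXTS are hypothetical, user-overridable settings.

SUSPECT_DIRS="${SUSPECT_DIRS:-/tmp /var/tmp}"
PHP_EXTS="${PHP_EXTS:-php php3 php4 php5 phtml inc}"

# is_php_name FILE -> status 0 if the name ends in one of PHP_EXTS
is_php_name() {
    for ext in $PHP_EXTS; do
        case "$1" in
            *."$ext") return 0 ;;
        esac
    done
    return 1
}

# has_php_tag FILE -> status 0 if the first line carries an opening PHP tag
# or a php interpreter shebang; case-insensitive, so "<?PHP" is caught too.
# A plain-text line that merely mentions "php" does not match.
has_php_tag() {
    head -n 1 "$1" 2>/dev/null | grep -qi -e '<?php' -e '^#!.*php'
}

# find_suspect_php DIR... -> prints one path per matching regular file.
# -xdev keeps the scan on one filesystem, like chkrootkit's findargs.
find_suspect_php() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f 2>/dev/null | while IFS= read -r f; do
            if is_php_name "$f" || has_php_tag "$f"; then
                printf '%s\n' "$f"
            fi
        done
    done
}

# count_suspect_php DIR... -> number of matches, as a bare integer
count_suspect_php() {
    find_suspect_php "$@" | wc -l | tr -d ' '
}

# build_demo_tree -> creates a constructed sample tree and prints its root.
# Three files should be reported, notes.txt should not (the original check
# would flag it because its first line contains "php").
build_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/tmp" "$d/var/tmp"
    printf '<?php echo 1;\n' > "$d/tmp/upload.php"            # extension match
    printf '<?PHP echo 2;\n' > "$d/tmp/leftover.php3"         # variant ext, uppercase tag
    printf '#!/usr/bin/php\n<?php echo 3;\n' > "$d/var/tmp/job" # no extension, shebang
    printf 'php is mentioned here\n' > "$d/var/tmp/notes.txt"  # plain text, not reported
    printf '%s\n' "$d"
}

# Demo run over the constructed tree; real use: find_suspect_php $SUSPECT_DIRS
demo=$(build_demo_tree)
find_suspect_php "$demo"
rm -rf "$demo"
```

Running it unchanged prints the three constructed PHP-looking files and skips notes.txt; pointing it at the real directories is `find_suspect_php $SUSPECT_DIRS`. Like the original check, a hit only means "this looks like PHP in a temp directory", not that the file is hostile, which is the reason a content-based term list such as suspscan is still the better signal.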