chkrootkit warning

Found this in chkrootkit (nothing in rkhunter). Is this another false positive?
That does indeed look suspicious. Did you check that chkrootkit's results were correct? And depending on how paranoid about security you have to be: proceed with caution. A few more details about the machine's role, etc. will help us determine how to proceed.

Regards, Alunduil
Do I just rerun it? I basically only use the machine as a proxy server, although I did recently open up the OpenVPN port but have not fully finished installing OpenVPN. I just reran chkrootkit and the same results were not there - all clear.
Are you logged in as root on tty6? If so, then you're probably safe.

Regards, Alunduil
Yes, I was logged in as root when I reran it. Why does chkrootkit throw up these false positives that disappear every so often? It's almost random.
The virtual consoles (accessed via Ctrl+F?) are usually associated with a tty. The details of this are in /etc/inittab (unless you're on Ubuntu; they moved that configuration around).

It's the nature of rootkit hunters and what they search for that cause the false positives. I've always been a firm believer in forensic tools combined with knowing your system by watching a statistical tool such as cacti.

Regards, Alunduil
Hi,

TTY is a communication layer between the system and the user, in the simplest terms and to the best of my knowledge. You can find more information on it on this site, which I may say is very technical.

Kind regards, Eric
And another today, randomly:

Which tty do you run X on? Or do you have this as a headless machine? That may cause the spurious tty check fail.

Regards, Alunduil
I'm reading through that TTY site at present but have little idea of what it really is at present.
X is the GUI (graphical user interface).

Regards, Alunduil
Then the question remains as to what processes are running on that tty.

Let's try running the following:
Code:
ps -lxf | gawk '$4 == <pid> {print $n}'

Regards, Alunduil
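The two checks this thread circles around, listing what hangs off a given pid (what the ps/gawk pipeline above asks) and whether the tty a process sits on actually has a logged-in session (the case where X runs on a tty with no login), as an added Python example that is not code from the thread; the ps and who samples are constructed and the process tree is hypothetical.

```python
"""Triage helper for a chkrootkit tty warning: which processes are attached to
a tty that `who` does not list as a login session?  Added example."""
from typing import Dict, List, Set

# Constructed sample of `ps -eo pid,ppid,user,tty,comm` on a hypothetical box:
# root is on tty6, X (and an xterm) sits on tty7, cron has no tty at all.
PS_SAMPLE = """\
  PID  PPID USER     TT       COMMAND
    1     0 root     ?        init
  900     1 root     ?        cron
 1200     1 root     tty6     bash
 1300  1200 root     tty6     chkrootkit
 3000     1 root     tty7     Xorg
 3010  3000 alice    tty7     xterm
"""

# Constructed sample of `who` on the same box: only tty6 has a login entry.
WHO_SAMPLE = """\
root     tty6         2009-04-01 09:12
"""


def parse_ps(text: str) -> List[Dict[str, object]]:
    """Turn the fixed-column ps output into dicts; the header row is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        pid, ppid, user, tty, comm = line.split(None, 4)
        rows.append({"pid": int(pid), "ppid": int(ppid), "user": user,
                     "tty": tty, "comm": comm})
    return rows


def logged_in_ttys(who_text: str) -> Set[str]:
    """Second column of `who` is the tty of each login session."""
    return {line.split()[1] for line in who_text.splitlines() if line.strip()}


def children_of(ps_text: str, pid: int) -> List[str]:
    """Same question as `ps -lxf | gawk '$4 == <pid> ...'`: direct children."""
    return [p["comm"] for p in parse_ps(ps_text) if p["ppid"] == pid]


def tty_without_session(ps_text: str, who_text: str) -> List[Dict[str, object]]:
    """Processes on a real tty ('?' means none) that `who` shows no login for."""
    known = logged_in_ttys(who_text)
    return [p for p in parse_ps(ps_text)
            if p["tty"] != "?" and p["tty"] not in known]


if __name__ == "__main__":
    for p in tty_without_session(PS_SAMPLE, WHO_SAMPLE):
        print(f"{p['pid']:>6} {p['user']:<8} {p['tty']:<6} {p['comm']}")
```

On a live machine, feed it the real `ps -eo pid,ppid,user,tty,comm` and `who` output; a hit whose tty is the one X runs on, with no matching login, is the benign case Alunduil describes, anything else deserves a closer look.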
What time does chkrootkit run and what time does cron run? Does cron run the chkrootkit? If so, I'm willing to bet that chkrootkit is finding its own parent and saying it's a break-in.

Regards, Alunduil