Chkrootkit 0.46a

Stuff that has yet to be sorted into a category.
GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

Chkrootkit 0.46a

#1 Post by GuestToo »

Chkrootkit 0.46a

Checks for signs of a rootkit in Puppy.
It can also check other Linux distros that you have installed

this installs only to a folder in my-applications
to uninstall, just delete the folder

Note: chkrootkit will tell you some of Puppy's files are infected. For example, it will find the string "bash" in dirname. This is because dirname is actually Busybox, which replaces dirname and replaces bash. If the checksums at the top tell you the file is ok, then it probably is ok, even if chkrootkit tells you it is infected.

http://www.chkrootkit.org/

(tested with Puppy 1.0.8, 2.0.2, and 2.10)

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#2 Post by GuestToo »

updated to work with Puppy 2.10

willhunt
Posts: 495
Joined: Wed 05 Oct 2005, 18:19

Some help with the results please

#3 Post by willhunt »


Checking the md5sum of some of Puppy's executables

Checking md5sum ... not infected
Checking basename ... not infected
Checking crond ... not infected
Checking crontab ... not infected
Checking dirname ... not infected
Checking echo ... not infected
Checking env ... not infected
Checking login ... not infected
Checking passwd ... not infected
Checking traceroute ... not infected
Checking init ... not infected

The above files seem to be OK
Ignore any messages that the above files are infected
Chkrootkit does not like Busybox

chkrootkit version 0.46

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... INFECTED
Checking `biff'... not found
Checking `chfn'... not found
Checking `chsh'... not found
Checking `cron'... INFECTED
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... INFECTED
Checking `echo'... INFECTED
Checking `egrep'... not infected
Checking `env'... INFECTED
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... INFECTED
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... INFECTED
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not found
Checking `rpcinfo'... not found
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not found
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... INFECTED
Checking `vdir'... not found
Checking `w'... strings; w: No such file or directory
not infected
Checking `write'... strings; write: No such file or directory
ls: write: No such file or directory
not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... nothing found
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... You have     1 process hidden for readdir command
You have     2 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... /proc/16423/fd: No such file or directory
eth0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... unable to open lastlog-file lastlog
Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root        15480 pts/0  /bin/sh ./chkrootkit-p
! root        15517 pts/0  /bin/sh ./chkrootkit
! root        16479 pts/0  ./chkutmp
! root        16480 pts/0  ps ax -o tty,pid,ruser,args
chkutmp: nothing deleted

Press the <enter> key to close this window 
so am I infected? if so how do i remove it?

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#4 Post by GuestToo »

that looks normal

at the top, the md5sums of Puppy's executables (md5sum, basename, crond etc etc etc) are all ok (not infected)

they are all just symlinks to Busybox anyway

the rest of the output is from the unmodified Chkrootkit program ... i could have modified it, but i preferred to leave it alone

it does not like basename, cron, dirname, echo etc etc etc, but if you look at the beginning of the output, they are all ok

the reason it does not like these programs, is because they are all symlinks to Busybox, and Busybox has a lot of strings in the executable that belong to other programs ... for example, Chkrootkit finds the string "bash" in the dirname program, so it says it is infected ... but Busybox replaces bash, so it's not surprising the word bash was found in the executable

so those programs that Chkrootkit thinks are infected are ok, because the md5sums at the top of the output are ok (i used the public domain program md5deep to calculate the md5sums, rather than trust Puppy's md5sum program ... which is just Busybox anyway)

some of the programs it checked were not found ... so they are obviously not infected if they are not there

chkutmp found 4 processes running that are not listed in the utmp log, but the processes all belong to running chkrootkit, so that's ok

the only thing suspicious is "You have 2 process hidden for ps command" ... Puppy's ps does not work with chkrootkit, so i had to include a real ps executable

i suspect you will find that the "hidden" processes are actually Mozilla or Firefox threads ... you can see them in Puppy's ps but not in the real ps program ... i'm not sure why they are flagged as hidden

this is not a really useful test, because it's checking to see if the ps program is hiding any processes ... but Puppy's ps does not work with chkrootkit, so it's really checking the included ps program

anyway, just shut down Mozilla and Firefox and try the test again, to see if the hidden processes disappear too ... if the hidden processes go away, you know it was just Mozilla or Firefox

so the "infected" programs are Busybox, and if the "hidden" processes are Mozilla threads, then there are no real problems

the new bugfixed geany is hidden from Busybox's pidof and killall too, though it's visible in ps ... i don't know why ... Geany 0.8 in Puppy 2.10 beta is visible to Busybox's pidof/killall

willhunt
Posts: 495
Joined: Wed 05 Oct 2005, 18:19

Thank You !

#5 Post by willhunt »

Thanks so very much. As I am just learning to use linux, I rarely understand
the output provided by top, kp, etc.
Again thanks so very much for your insight!

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#6 Post by GuestToo »

if you want to see what the processes are that Chkrootkit thinks are hidden, you can click "console" in the bin folder, then type:

for help:
./chkrootkit -h

for a list of the tests that are available:
./chkrootkit -l

to run the lkm test:
./chkrootkit -x lkm

this should show you what the processes are that it doesn't think are right

click the console file in bin, don't just Open An Xterm Here, because it sets up the PATH for chkrootkit
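An added example, not chkrootkit's own chkproc, showing what the lkm test described in posts #4 and #6 compares: the PID directories in /proc against the PIDs that ps reports, with the thread-group id used to separate threads (the Mozilla case above) from PIDs nothing explains. The sample snapshots and the function names are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not chkrootkit's own chkproc: the comparison behind the
# "process hidden for ps command" line. chkproc reads the PID directories in
# /proc and compares them with what ps reports; a PID in /proc that ps omits
# is called hidden. The thread notes such hits can be threads rather than
# a rootkit, so each candidate is further labelled by its thread-group id.

# Pure comparison so it can be checked on constructed input.
# $1 = PIDs seen in /proc, $2 = PIDs reported by ps, $3 = "pid=tgid" pairs
# (all space-separated). Prints one line per PID that ps does not list:
#   "<pid> thread-of <tgid>"  the PID is a thread of another process
#   "<pid> hidden"            no explanation from /proc; investigate it
classify_hidden() {
    for p in $1; do
        case " $2 " in *" $p "*) continue ;; esac   # ps knows it
        tgid=$p
        for pair in $3; do
            case "$pair" in "$p="*) tgid=${pair#*=} ;; esac
        done
        if [ "$tgid" != "$p" ]; then
            echo "$p thread-of $tgid"
        else
            echo "$p hidden"
        fi
    done
}

# Count of candidates ps cannot explain, matching chkproc's "You have N
# process hidden" wording (0 when nothing is hidden).
count_hidden() { classify_hidden "$1" "$2" "$3" | grep -c ' hidden$' || :; }

# Live snapshot (Linux only). Anything that exits between the two snapshots
# shows up as a spurious hit, one reason to rerun the test before trusting it.
collect_live() {
    proc_pids=$(ls /proc | grep '^[0-9][0-9]*$' | tr '\n' ' ')
    ps_pids=$(ps -e -o pid= | tr -s ' \n' '  ')
    pairs=''
    for p in $proc_pids; do
        t=$(awk '/^Tgid:/ { print $2 }' "/proc/$p/status" 2>/dev/null)
        pairs="$pairs $p=${t:-$p}"
    done
    classify_hidden "$proc_pids" "$ps_pids" "$pairs"
}

# Constructed snapshots: 4243 is a thread of 4242 (which ps lists), while
# 5150 is in /proc with no parent thread group and ps does not show it.
demo_proc="1 2 17 4242 4243 5150"
demo_ps="1 2 17 4242"
demo_pairs="1=1 2=2 17=17 4242=4242 4243=4242 5150=5150"
classify_hidden "$demo_proc" "$demo_ps" "$demo_pairs"
echo "You have $(count_hidden "$demo_proc" "$demo_ps" "$demo_pairs") process hidden for ps command"
```

Run `collect_live` on a Linux box to apply the same classification to the running system.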

peppyy
Posts: 443
Joined: Mon 27 Jun 2005, 23:49
Location: VT USA

#7 Post by peppyy »

Just found this while doing a search on the board for syslogd. At first I thought my hard drive was dying until I read a bit more on the web and found this thread.

My hard drive light has been on for several hours and syslogd has been running. This shows many files as infected. I am guessing I downloaded something with lime-wire that wasn't what I thought it was. Headed to see if I can still install antivirus or if it is too late.
Puppy Linux...
It just works!

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#8 Post by GuestToo »

your system may be infected with something, but it probably isn't

Puppy uses the busybox executable to replace many of the GNU Utils, like md5sum, basename, crond, crontab, dirname, echo, env, traceroute, init ...

Chkrootkit does not like Busybox ... it looks for suspicious text in the executables, and find strings of text in Busybox that it thinks should not be there

for example, it does not like "bash" in the dirname executable ... but in Puppy, dirname is busybox, and busybox is the ash shell, so busybox has the word bash in it ... Chkrootkit does not like this, so it reports dirname as being infected ... but it is not

i could have edited the Chkrootkit script, to make it compatible with Puppy, but i didn't ... i checked the md5sums of the executables that Chkrootkit doesn't like and ran that first

the thing is, if the first part of the program says that those executables are ok, but Chkrootkit says they are infected, then they are probably ok and you can ignore those messages that those files are infected

if the output of the program looks like this:

Checking the md5sum of some of Puppy's executables

Checking md5sum ... not infected
Checking basename ... not infected
Checking crond ... not infected
Checking crontab ... not infected
Checking dirname ... not infected
Checking echo ... not infected
Checking env ... not infected
Checking login ... not infected
Checking passwd ... not infected
Checking traceroute ... not infected
Checking init ... not infected

then those files should be OK, and you should ignore the INFECTED messages about those files later on

you probably do not have infected files
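An added example, not part of GuestToo's package or of chkrootkit, showing the two checks contrasted in posts #4 and #8: the md5 comparison against a known-good manifest, and the "bash" string match that makes chkrootkit flag busybox symlinks. The /bin stand-in, the manifest format and the verdict names are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not GuestToo's wrapper or chkrootkit's own code): the check the
# wrapper runs at the top of its output. For each utility, compare its md5 with
# a known-good manifest and resolve where it points, so a later chkrootkit
# "INFECTED" string hit on a busybox symlink can be recognised as expected.

# Hash a file (md5sum follows symlinks; md5 -q is the BSD equivalent).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Print "<name> <verdict>" and return 0/2/1/3 for:
#   ok          md5 matches the manifest line "<md5> <name>"
#   ok-busybox  md5 matches and the file is a symlink to busybox, so a
#               chkrootkit string match on it is a known false positive
#   MISMATCH    md5 differs from the manifest: inspect before trusting it
#   missing     no such file, so there is nothing to check
# $1 = directory holding the utilities, $2 = manifest file, $3 = utility name
check_util() {
    path="$1/$3"
    [ -e "$path" ] || { echo "$3 missing"; return 3; }
    expected=$(awk -v n="$3" '$2 == n { print $1 }' "$2")
    actual=$(md5_of "$path")
    [ "$actual" = "$expected" ] || { echo "$3 MISMATCH"; return 1; }
    target=$(readlink "$path" 2>/dev/null)   # empty for a regular file
    case "${target##*/}" in
        busybox) echo "$3 ok-busybox"; return 2 ;;
        *)       echo "$3 ok";         return 0 ;;
    esac
}

# The string test behind chkrootkit's verdict, applied to one file: true when
# "bash" occurs in it, which on a busybox symlink proves nothing by itself.
has_bash_string() { grep -q bash "$1"; }

# Constructed stand-in for /bin: a fake busybox whose body carries the string
# "bash" like the real one, symlinks the way Puppy has them, a separate date
# binary, and a manifest recorded before date is tampered with.
make_demo() {
    d=$(mktemp -d)
    printf 'fake busybox: bash ash init dirname echo\n' > "$d/busybox"
    ln -s busybox "$d/dirname"
    ln -s busybox "$d/echo"
    printf 'a real, separate date binary\n' > "$d/date"
    for n in dirname echo date; do echo "$(md5_of "$d/$n") $n"; done > "$d/manifest"
    printf 'tampered\n' >> "$d/date"
    echo "$d"
}

demo=$(make_demo)
for n in dirname echo date crond; do check_util "$demo" "$demo/manifest" "$n" || :; done
has_bash_string "$demo/dirname" && echo "dirname contains 'bash' but its md5 is good: busybox, not a rootkit"
```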

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#9 Post by GuestToo »

syslogd just prints (error) messages to /var/log/messages

if your drive light is on a lot, maybe you are using a lot of your swap space

do you use tkpppoe (Roaring Penguin)? ... it has some sort of memory allocation problem in Puppy 2.10, and you can't leave it running for any length of time, or it will allocate more and more memory until your machine bogs down

if you have tkpppoe running, just click exit ... your adsl connection will still be connected

or you might have something else allocating memory ... is there anything that shows up if you type top in an xterm/rxvt/console/terminal window? ... look in the RSS column for something using a lot of memory

you can see how much swap space is being used by typing free

peppyy
Posts: 443
Joined: Mon 27 Jun 2005, 23:49
Location: VT USA

#10 Post by peppyy »

Well that is good news and bad news then. I tried several different ways of installing fprot and it will not run with errors on the updates and the program itself, partly because I can't get it to update. I am going to look for the newer files and replace them manually but many things that were once working do not seem to be there any longer.

I attempted a backup to cd and it reports the disks are not blank although they are new. This seems to coincide with a failed firefox update yesterday which killed the browser and required a fresh installation. I see today there is a new update waiting to install but have not restarted the browser yet. Although this hard drive is only a month old I am beginning to believe it may be the culprit. There were many errors on my last reboot and I don't believe it will survive the next one so I will be back to live cd in ram next.

Would a failing drive cause syslogd to attempt to write to the drive constantly?
Puppy Linux...
It just works!

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#11 Post by GuestToo »

you might have something screwed up in your system
you might even have some sort of infection
if Chkrootkit says at the top that those particular files are OK, then those particular files probably are OK

syslogd should be writing to /var/log/messages
what is it writing in the messages file? ... you could type
tail /var/log/messages to see the last 10 lines of the messages file

if you have logging enabled in your firewall, it will log blocked packets ... it's possible that your machine is being scanned, and it's filling the message file with log messages from iptables

input/output errors when reading and writing to your hard drive would be logged, i think ... it is possible that your hard drive is failing, it does happen ... what do you get if you type dmesg ?

peppyy
Posts: 443
Joined: Mon 27 Jun 2005, 23:49
Location: VT USA

#12 Post by peppyy »

I was able to get fprot updated manually and run it. I think I got it. There was a windows program I downloaded for my wife that seems to have been causing the problem. I haven't rebooted yet but once I deleted the program my drive quieted right down. It kept causing this error repeatedly. I am guessing it was trying to start itself over and over.


EXT2-fs error (device ide0(3,1)): ext2_new_block: Free blocks count corrupted for block group 9
I found a "test" file in 8 different places, 3 in the firefox cache and I assume since they are listed as eicar_test_file (exact) that that was all they were. It is really nice to see the HD light off and the processor back to normal.

If nothing else, let this serve as a warning that even though I did not have a major infection you can still run into problems downloading things that are questionable. It makes no difference what it is named if it is not what it claims it is. Funny thing was I was going to install fprot to check the file before I let her install it on her windows machine.

By the way, the only other thing it found was a suspicious pup.
/root/dotpups-downloads/Abby.pup could be an archive bomb

Wish me luck, I am going for the reboot. :)
Puppy Linux...
It just works!

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#13 Post by GuestToo »

the EICAR Standard Anti-Virus Test File is a harmless text file that is used to test antivirus programs

Xfprot has the file in it, so this package can set off antivirus alarms ... but it is not a virus

i have a dotpup on my download page that will download and install the latest F-Prot program ... i also have an Xfprot 1.15 program for people who prefer GUIs to the command line ... or someone made a package of f-Prot and Xfprot
http://puppylinux.org/wikka/DotPups

an archive bomb is a zip file that is very small but that will blow up into a huge file or files

Puppy's zipped pup001 file for NTFS would be an archive bomb

archive bombs are sent through mail servers with antivirus programs that unzip and check each attachment, hoping to crash the antivirus program when it tries to unzip the attachment

i'm not sure what you have on your machine ... a Windows program running in Wine? ... Wine can run viruses as well as legitimate programs ... or if you are running Linux or Windows ... anyway, if you solved the problem, that's good

GuestToo
Puppy Master
Posts: 4083
Joined: Wed 04 May 2005, 18:11

#14 Post by GuestToo »

by the way:

tinyapps.org

"VirusTotal offers free scanning of uploaded (or emailed) files using over 20 antivirus and antispyware engines"

http://www.virustotal.com/en/indexx.html

http://www.virustotal.com/en/virustotalx.html

i have not tried this, but i have uploaded files to Kaspersky to check.

peppyy
Posts: 443
Joined: Mon 27 Jun 2005, 23:49
Location: VT USA

#15 Post by peppyy »

The program of course was not what it reported to be. It was named net_spite_and_malace_setup.exe. It was supposed to be a card game that my sweetie played online with others that I forgot to backup when I upgraded her computer to xp. I did not suspect the file since many people had it and the size looked about right for the game.

Obviously it was something entirely different. I should have known when there was also some network activity to go along with the constant writes to the HD. Just goes to show you.

BTW, she only runs xp because she can't deal without her pogo games, (an EA Games website) which requires Internet Exploiter so it can install all the nasties. Maybe someday I can convert her too. You should see that 2.4ghz machine on puppy though, it responds before you click.

I have been looking through things and I don't think anything else was damaged, (Except possibly my ego) so I can continue to mess things up myself :lol: Thanks so much for jumping in so quickly to answer my questions.
Puppy Linux...
It just works!

learnhow2code

#16 Post by learnhow2code »

I'm sure there are some false positives there. maybe upload one of the "infected" files to the forum, i will download and check it out (really, if it's in puppy, it should be safe as an attachment-- at least for me. don't anyone else download it, lol.)

for one, i will use a more recent chkrootkit. and i will look it up online, etc. to see what its status is. init is probably a shell script, so... that's probably ok :)
