chkrootkit says Stardust /sbin/init INFECTED with Suckit

For discussions about security.
nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#16 Post by nooby »

So which anti-rootkit program would show the least such false positives?

I tested Rootkit Revealer and it showed 406xxx, that is four hundred six thousand, things that it did not like.

Too much to go through to know if there is something to look deeper into.

What about Gmer, is that only a remover and not a teller of what it wants to remove before it does it?

Maybe the easiest thing for a newbie is to look for activity on the port 55 or something. Not that I know how to do this, but that program is built into Puppy from scratch I guess, so it is easy to use if somebody tells how to get it going.
I use Google Search on Puppy Forum
not an ideal solution though

tasmod
Posts: 1460
Joined: Thu 04 Dec 2008, 13:53
Location: North Lincolnshire. UK

#17 Post by tasmod »

nooby,

If you visit this part of the forum be prepared to get paranoid about Puppy and security.

Ease off, it's never as bad as it seems. :wink:
Rob
-
The moment after you press "Post" is the moment you actually see the typso 8)

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#18 Post by Pizzasgood »

If you trust Puppy as provided by Barry to be initially free from malware, you could create md5sums of all the files, store them on a read-only medium, and then verify them from time to time to make sure nothing changed. That would help you notice if any files changed.

It won't help you notice if new things are added without changing existing stuff. For example, scripts placed into /etc/init.d/, /etc/profile.d/, and /root/Startup will be run automatically as Puppy boots (and also whenever you open a terminal, in the case of profile.d). Also, files in /etc/udev/rules.d/ can execute commands when hardware is detected or removed.

If you don't add files to Puppy very often, you could do a remaster after it's set up and start from a fresh pup_save.2fs file. Then you could look at the contents of the pup_save.2fs file from time to time to see if there's anything suspicious in it. (If you frequently install or modify things this won't work because it will quickly fill up with a bunch of stuff that's legit.)
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib
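The baseline-and-verify scheme Pizzasgood describes, as an added example that is not from the thread: it records md5sums of every file under a directory, re-checks them later, and additionally reports files that were ADDED, which is the gap the post points out for plain checksum lists. The directory tree, file names and manifest name below are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Baseline a tree with md5sum, then report
# CHANGED, MISSING and ADDED files on a later check. Paths are assumed to be
# free of whitespace, since md5sum's two-field output is parsed with awk.
set -eu

# build_baseline DIR MANIFEST: md5 of every regular file under DIR, with paths
# relative to DIR so the manifest can be copied to read-only media unchanged.
build_baseline() {
    ( cd "$1" && find . -type f -exec md5sum {} + ) | LC_ALL=C sort -k2 > "$2"
}

# verify_baseline DIR MANIFEST: take a fresh manifest of DIR and print one
# line per difference against the stored one. Empty output means no change.
verify_baseline() {
    current=$(mktemp)
    build_baseline "$1" "$current"
    awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # stored baseline
        { cur[$2] = $1 }                              # current state
        END {
            for (p in base) if (!(p in cur))  print "MISSING " p
            for (p in cur)  if (!(p in base)) print "ADDED " p
            for (p in cur)  if ((p in base) && base[p] != cur[p]) print "CHANGED " p
        }' "$2" "$current" | LC_ALL=C sort
    rm -f "$current"
}

# demo: a constructed stand-in for a Puppy root. Baseline it, then simulate a
# modified autostart script, a new one dropped into init.d, and a deleted file.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/init.d" "$root/etc/profile.d"
    printf 'original\n'   > "$root/etc/init.d/rc.local"
    printf 'export X=1\n' > "$root/etc/profile.d/path.sh"
    build_baseline "$root" "$root.md5"            # this copy goes read-only
    printf 'tampered\n' > "$root/etc/init.d/rc.local"   # existing file changed
    printf 'echo hi\n'  > "$root/etc/init.d/zz-extra"   # new file, missed by md5sum -c
    rm "$root/etc/profile.d/path.sh"                    # file removed
    verify_baseline "$root" "$root.md5"
    rm -rf "$root" "$root.md5"
}

demo
```

Running the script prints the three findings from the constructed demo; in real use you would run build_baseline once on a trusted system and verify_baseline against the read-only manifest on later boots.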

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#19 Post by nooby »

I found this interesting text today searching for puppy and rootkits detection.

http://www.prevx.com/blog/139/Tdss-root ... e-net.html

One of the commentators wrote:
# Randy on Dec 2 1:22, 2009

I wonder if one could just boot to a Linux boot CD like Puppy and remove the infected dll files.
Can one use pfind to look for known rootkit names, or are they encrypted and don't show up?
I use Google Search on Puppy Forum
not an ideal solution though

8-bit
Posts: 3406
Joined: Wed 04 Apr 2007, 03:37
Location: Oregon

#20 Post by 8-bit »

DLL files are Windows ones, and the key word here is infected.
Randomly going through Windows and deleting DLL files that are supposedly infected may kill Windows.
If one is concerned, do a backup of things you want to keep and reinstall Windows.
The only DLL files you would find in Puppy would be from an installation of Wine.
