Chkrootkit says rootkits detected? [SOLVED]
yorkiesnorkie
Posted: Wed 23 Mar 2011, 15:17    Subject: Chkrootkit says rootkits detected? [SOLVED]

Hi,

I compiled and ran chkrootkit-0.49 (referred to in the discussion on PET files, http://www.chkrootkit.org/) on my Puppy Linux 4.3.1 frugal install, and it's coming back and telling me that it is infected. I note that the last release date of this software is 2009, or so it would appear from the website. I'd appreciate your thoughts, anyone?

Yorkie

Here's what I logged in rxvt:

Quote:
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... INFECTED
Checking `biff'... not found
Checking `chfn'... not found
Checking `chsh'... not found
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... INFECTED
Checking `echo'... INFECTED

Checking `egrep'... not infected
Checking `env'... INFECTED
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... INFECTED
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... INFECTED
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not found
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... INFECTED
Checking `vdir'... not found
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/Digest/SHA1/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/HTML/Parser/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/XML/Simple/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/XML/Parser/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/Compress/Zlib/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/ExtUtils/Depends/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/ExtUtils/PkgConfig/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/URI/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-t2-linux-gnu/auto/Git/.packlist

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
16 /usr/share
1 /usr/share/vala
1 /usr/share/kbd
2 /usr/share/kbd/keymaps
2 /usr/share/kbd/keymaps/i386
1 /usr/share/cups
2 /usr/share/ayttm
2 /usr/share/ayttm/smileys
1 /usr/share/pixmaps
3 /usr/share/doc
2 /usr/share/icons
14 /usr/share/icons/hicolor
1 /usr/share/icons/hicolor/64x64
2 /usr/share/icons/hicolor/24x24
3 /usr/share/icons/hicolor/22x22
2 /usr/share/icons/hicolor/48x48
2 /usr/share/icons/hicolor/scalable
2 /usr/share/icons/hicolor/32x32
1 /usr/share/icons/hicolor/128x128
3 /usr/share/icons/hicolor/16x16
1 /lib
2 /lib/modules
chkdirs: Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... wlan0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... 1 deletion(s) between Wed Dec 31 20:00:00 1969 and Wed Mar 23 13:33:33 2011
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... Checking `chkutmp'... => possibly 1 deletion(s) detected in /var/run/utmp !
The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 8909 tty1 /bin/sh /usr/bin/xwin
! root 8910 tty2 /sbin/getty 38400 tty2
! root 8916 tty3 /sbin/getty 38400 tty3
! root 9216 tty1 /usr/bin/xinit /root/.xinitrc -- -br -nolisten tcp
! root 9217 tty4 X :0 -br -nolisten tcp
! root 9237 tty1 jwm
! root 9289 tty1 /bin/ash /sbin/pup_event_frontend_d
! root 9321 tty1 /usr/local/apps/ROX-Filer/ROX-Filer -p /root/Choices/ROX-Filer/PuppyPin
! root 9322 tty1 [delayedrun] <defunct>
! root 9325 tty1 absvolume -bg #DCDAF5
! root 9370 tty1 xload -nolabel -bg #888888 -fg red -hl white
! root 9372 tty1 freememapplet
! root 9376 tty1 blinky -bg #DCDAD5
! root 9995 tty1 geany /root/my-documents/chkrootkit-0.49/README
! root 10164 tty1 rxvt
! root 10168 pts/0 bash
! root 10423 tty1 /usr/bin/inotifywait -e modify --format %w /tmp/pup_event_sizefreem
! root 14113 pts/0 /bin/sh ./chkrootkit
! root 14114 pts/0 tee rootkitlog.txt
! root 15496 tty1 sleep 2
! root 15519 pts/0 ./chkutmp
! root 15520 pts/0 ps-FULL ax -o tty,pid,ruser,args
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected
DPUP5520
Posted: Wed 23 Mar 2011, 15:25

Have you tried running it on a clean Live-cd and seeing if it came back with the same results? Could be false positives.
yorkiesnorkie
Posted: Wed 23 Mar 2011, 15:35

I found another post on the forum, which makes me think the application may not be that useful. http://murga-linux.com/puppy/viewtopic.php?t=10056. If it is reporting false positives how do you figure out which is correct?
yorkiesnorkie
Posted: Wed 23 Mar 2011, 15:39

Looking at the other output, the result is very similar. This may not be a very reliable tool for a novice user. You're right, I should try running it on a live CD and see what turns up.

Yorkie

yorkiesnorkie
Posted: Wed 23 Mar 2011, 16:00

Yeah, I just booted from the live CD, and I ran the same check with it and, guess what, the same result. Its usefulness as a tool is debatable.

Quote:
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... INFECTED
Checking `biff'... not found
Checking `chfn'... not found
Checking `chsh'... not found
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... INFECTED
Checking `echo'... INFECTED

Checking `egrep'... not infected
Checking `env'... INFECTED
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... INFECTED
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... INFECTED
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not found
Checking `rpcinfo'... not found
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... INFECTED
Checking `vdir'... not found
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/Digest/SHA1/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/HTML/Parser/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/XML/Simple/.packlist

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
1 /usr/share
1 /usr/share/icons
1 /lib
1 /lib/modules
chkdirs: Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... Checking `w55808'... not infected
Checking `wted'... 1 deletion(s) between Thu Jan 1 08:00:00 1970 and Wed Mar 23 16:51:20 2011
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... Checking `chkutmp'... => possibly 1 deletion(s) detected in /var/run/utmp !
The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 8888 tty1 /bin/sh /usr/bin/xwin
! root 8889 tty2 /sbin/getty 38400 tty2
! root 8894 tty3 /sbin/getty 38400 tty3
! root 9118 tty1 /usr/bin/xinit /root/.xinitrc -- -br -nolisten tcp
! root 9119 tty4 X :0 -br -nolisten tcp
! root 9121 tty1 jwm
! root 9144 tty1 /bin/ash /sbin/pup_event_frontend_d
! root 9401 tty1 /usr/local/apps/ROX-Filer/ROX-Filer -p /root/Choices/ROX-Filer/PuppyPin
! root 9404 tty1 [delayedrun] <defunct>
! root 9407 tty1 absvolume -bg #DCDAF5
! root 9519 tty1 xload -nolabel -bg #888888 -fg red -hl white
! root 9521 tty1 freememapplet
! root 9525 tty1 blinky -bg #DCDAD5
! root 10079 tty1 /usr/bin/inotifywait -e modify --format %w /tmp/pup_event_sizefreem
! root 10141 tty1 geany /mnt/sda5/chkrootkit-0.49/README
! root 10506 tty1 rxvt
! root 10513 pts/0 bash
! root 10848 pts/0 /bin/sh ./chkrootkit
! root 10849 pts/0 tee frugallog.txt
! root 12022 tty1 sleep 2
! root 12076 pts/0 ./chkutmp
! root 12077 pts/0 ps-FULL ax -o tty,pid,ruser,args
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected

DPUP5520
Posted: Wed 23 Mar 2011, 16:01

A lot of the time it is not that a rootkit/antivirus/spyware checker is not useful, just that programs/sources often use code that is similar to that which would have been thought to be malicious, especially if the program you are using to check for infected files is out of date and hasn't been updated to ignore, or be able to differentiate between, the two.
yorkiesnorkie
Posted: Thu 24 Mar 2011, 06:15

This tool was suggested to me by someone here at the forum. I don't think we should be complacent about security but I think though that this particular tool is not a good one and should not be recommended to anyone for use with Puppy on the basis that it detects this many false positives. The last release date was 2009.
amigo
Posted: Thu 24 Mar 2011, 13:40

Most of those are links to busybox utilities which chkrootkit gives the evil eye on, but I'm not sure what the lib/modules check might be complaining about.
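Both of amigo's points can be checked rather than guessed at: whether each INFECTED hit is just a symlink into busybox, and what the lib/modules warning is counting. The script below is an added example, not code from chkrootkit or from anyone in this thread. It assumes that chkrootkit looks for the named commands in the fixed system directories (bin, sbin, usr/bin, usr/sbin) rather than in $PATH, and that its chkdirs test compares each directory's hard-link count with 2 + the number of subdirectories, which is the rule conventional filesystems follow; the sign of the discrepancy it reports is this script's own convention, not copied from chkrootkit. The two directory trees it runs against are constructed in temporary directories so the script works offline; for a real comparison, point SYS_ROOT at / and REF_ROOT at the mounted live CD, as DPUP5520 suggested.

```shell
#!/bin/sh
# Triage for the two kinds of chkrootkit warning seen in this thread.
#   1. "Checking `basename'... INFECTED": classify the flagged name as a
#      symlink into busybox, a regular file, or absent, and compare it with
#      the same file on a reference tree (a mounted clean live CD).
#   2. "chkdirs: Warning: Possible LKM Trojan installed": recompute the
#      link-count arithmetic the warning rests on, so numbers like
#      "16 /usr/share" can be checked against the filesystem.
# Constructed sample trees stand in for the system and the live CD.

SYS_ROOT=$(mktemp -d)
REF_ROOT=$(mktemp -d)
trap 'rm -rf "$SYS_ROOT" "$REF_ROOT"' EXIT

build_tree() {   # $1 = root, $2 = constructed content of login
    mkdir -p "$1/bin" "$1/sbin" "$1/usr/bin" "$1/usr/sbin"
    printf '#!/bin/sh\necho busybox stand-in\n' > "$1/bin/busybox"
    printf '#!/bin/sh\necho %s\n' "$2" > "$1/bin/login"
    chmod +x "$1/bin/busybox" "$1/bin/login"
    for a in basename dirname echo env; do ln -s busybox "$1/bin/$a"; done
    ln -s ../../bin/busybox "$1/usr/bin/traceroute"
}
build_tree "$SYS_ROOT" login-on-system
build_tree "$REF_ROOT" login-on-clean-cd   # the trees differ only in login

# Look in the fixed system directories (assumed: what chkrootkit inspects).
find_bin() {   # $1 = root, $2 = name -> path, or nothing if absent
    for d in bin sbin usr/bin usr/sbin; do
        if [ -e "$1/$d/$2" ] || [ -L "$1/$d/$2" ]; then
            printf '%s\n' "$1/$d/$2"
            return 0
        fi
    done
    return 0
}

classify() {   # $1 = root, $2 = name -> missing | busybox-applet | symlink:<target> | regular
    p=$(find_bin "$1" "$2")
    if [ -z "$p" ]; then
        echo missing
    elif [ -L "$p" ]; then
        t=$(readlink "$p")
        case "$(basename "$t")" in
            busybox) echo busybox-applet ;;
            *)       echo "symlink:$t" ;;
        esac
    else
        echo regular
    fi
}

hash_file() {   # sha256 where available, cksum otherwise
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else cksum "$1" | cut -d' ' -f1; fi
}

# Symlinks are compared by link text, regular files by hash.
compare_to_reference() {   # $1 = system root, $2 = reference root, $3 = name
    a=$(find_bin "$1" "$3"); b=$(find_bin "$2" "$3")
    [ -n "$a" ] || { echo missing-on-system; return 0; }
    [ -n "$b" ] || { echo missing-on-reference; return 0; }
    if [ -L "$a" ] && [ -L "$b" ]; then
        if [ "$(readlink "$a")" = "$(readlink "$b")" ]; then echo same; else echo differs; fi
    elif [ ! -L "$a" ] && [ ! -L "$b" ]; then
        if [ "$(hash_file "$a")" = "$(hash_file "$b")" ]; then echo same; else echo differs; fi
    else
        echo differs   # symlink on one side, regular file on the other
    fi
}

# On a conventional filesystem a directory has st_nlink = 2 + subdirectories
# ("." plus each child's ".."). 0 means the counts agree.
link_mismatch() {   # $1 = st_nlink, $2 = subdirectory count -> discrepancy
    echo $(( $2 + 2 - $1 ))
}

# Print "<discrepancy> <dir>" for every directory whose counts disagree,
# the kind of list chkdirs prints before its warning. Needs stat -c.
scan_dir_links() {   # $1 = root directory
    find "$1" -type d | while read -r d; do
        n=$(stat -c %h "$d")
        c=$(find "$d" -mindepth 1 -maxdepth 1 -type d | wc -l)
        m=$(link_mismatch "$n" "$c")
        if [ "$m" -ne 0 ]; then printf '%s %s\n' "$m" "$d"; fi
    done
    return 0
}

triage() {   # the names chkrootkit flagged in the thread
    for n in basename dirname echo env login passwd traceroute; do
        printf '%-10s %-15s %s\n' "$n" "$(classify "$SYS_ROOT" "$n")" \
            "$(compare_to_reference "$SYS_ROOT" "$REF_ROOT" "$n")"
    done
}
triage
echo "directories with link-count discrepancies under $SYS_ROOT:"
scan_dir_links "$SYS_ROOT"
```

In the constructed trees, basename, dirname, echo, env and traceroute come back as busybox-applet and identical to the reference, login is a regular file that differs, and passwd is absent, which is the split a practitioner wants before deciding whether anything needs a closer look. Running scan_dir_links over /usr/share and /lib/modules on the frugal install shows whether the chkdirs numbers are reproducible from link counts alone; if the layered filesystem of a frugal install does not keep the 2 + subdirectories rule (not verified here), that warning is expected noise there, and the live-CD comparison remains the test that actually settles it.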