Focus on Linux
understanding chkrootkit and rkhunter logs May 08 2007 09:56AM
acattelan gmail com (4 replies)
Re: understanding chkrootkit and rkhunter logs May 09 2007 04:17PM
Clinton E. Troutman (clint troutman sbcglobal net)
Re: understanding chkrootkit and rkhunter logs May 09 2007 07:19AM
Oren Held (oren held org il)
Re: understanding chkrootkit and rkhunter logs May 09 2007 06:57AM
Juergen Repolusk (juergen repolusk inso tuwien ac at)
On Tuesday 08 May 2007 11:56, acattelan (at) gmail (dot) com wrote:
> Hi,
> I'm sorry for asking a totally newbie question but I haven't found an
> answer to this. I'm really curious and concerned about what is reported by
> the chkrootkit and rkhunter on my Debian Etch home server.
>
> Here's what I get when I run them:
>
> CHKROOTKIT:
>
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/xulrunner/.autoreg
> /lib/init/rw/.ramfs
>
> Checking `sniffer'... lo: not promisc and no packet sniffer sockets
> eth0: PACKET SNIFFER(/sbin/dhclient[2181])
>
> In the system mail I also get this:
>
> /etc/cron.daily/chkrootkit:
> The following suspicious files and directories were found:
> /usr/lib/xulrunner/.autoreg
> /lib/init/rw/.ramfs
>
> eth0: PACKET SNIFFER(/sbin/dhclient[2136])
>
> RKHUNTER reports this:
>
> * Filesystem checks
> Checking /dev for suspicious files... [ OK ]
> Scanning for hidden files... [ Warning! ]
> ---------------
> /etc/.pwd.lock /dev/.static
> /dev/.udev
> /dev/.initramfs
> /dev/.initramfs-tools
> ---------------
> Please inspect: /dev/.static (directory) /dev/.udev (directory)
> /dev/.initramfs (directory)
>
> Is this something to be worried about? How can I investigate further into
> these two issues?

/dev/.initramfs/ is afaik created by the initramfs-tools during boot. If you
want to investigate more, search for your initramfs scripts and take a closer
look at them. The same goes for /dev/.udev.

Maybe you should take a closer look at the other files and see what's inside of
them - but I guess they will be fine too:

/etc/.pwd.lock
/dev/.static
/usr/lib/xulrunner/.autoreg
/lib/init/rw/.ramfs

Best regards,
Juergen

>
> Thanks,
> Ale.

--

Jürgen Repolusk
+43 650 5661250
http://jvr.at/serendipity/

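As an added example (not code from the thread, chkrootkit or rkhunter), a POSIX shell triage script that parses report lines like those quoted above, splits lines that carry two paths, separates the paths the reply attributes to initramfs-tools/udev from those that still need a look, and pulls interface, process and PID out of the chkrootkit sniffer line. The sample report and the allowlist are assumptions constructed from this post.

```shell
#!/bin/sh
# Constructed sample: the chkrootkit and rkhunter lines quoted in the post,
# pasted into one report. The "Checking /dev" line is a distractor that must
# not be taken for a finding.
SAMPLE_REPORT='The following suspicious files and directories were found:
/usr/lib/xulrunner/.autoreg
/lib/init/rw/.ramfs
eth0: PACKET SNIFFER(/sbin/dhclient[2136])
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ Warning! ]
---------------
/etc/.pwd.lock /dev/.static
/dev/.udev
/dev/.initramfs
/dev/.initramfs-tools
---------------'

# Assumption: only the paths the reply attributes to initramfs-tools/udev are
# treated as expected boot artifacts; everything else is listed for review.
KNOWN_BOOT_PATHS='/dev/.initramfs /dev/.initramfs-tools /dev/.udev'

# flagged_paths: print every reported path from stdin, one per line. Only
# lines made up solely of absolute paths count, a line with several paths
# (as in "/etc/.pwd.lock /dev/.static") is split, duplicates are dropped.
flagged_paths() {
    grep -E '^/[^ ]+( /[^ ]+)*$' | tr ' ' '\n' | sort -u
}

# classify_path PATH: "expected" for a known boot artifact, otherwise
# "inspect" (check package ownership, mtime and contents by hand).
classify_path() {
    for known in $KNOWN_BOOT_PATHS; do
        [ "$1" = "$known" ] && { echo expected; return 0; }
    done
    echo inspect
}

# sniffer_owner: rewrite "eth0: PACKET SNIFFER(/sbin/dhclient[2136])" as
# "eth0 /sbin/dhclient 2136" so the process holding the packet socket can be
# compared with what the host is expected to run (dhclient on a DHCP client).
sniffer_owner() {
    sed -n 's/^\([^:]*\): PACKET SNIFFER(\(.*\)\[\([0-9]*\)\])$/\1 \2 \3/p'
}

# triage_report: one "CLASS PATH" line per finding in the report on stdin.
triage_report() {
    flagged_paths | while read -r p; do
        echo "$(classify_path "$p") $p"
    done
}

printf '%s\n' "$SAMPLE_REPORT" | triage_report
printf '%s\n' "$SAMPLE_REPORT" | sniffer_owner
```

Pipe the real cron mail or `rkhunter --check` output in instead of the sample; anything printed as "inspect" is what the reply suggests opening and checking by hand.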
Copyright 2010, SecurityFocus