Hi Nelson,

What kind of extra details would be useful to you?
Is there any debugging information you would like Juergen to turn on?

Thanks,
Francois

On 2008-05-05 at 14:35:50, Nelson Murilo wrote:
> Hi Francois,
>
> I have never seen that error before, do you have more details?
>
> And about your question, no there aren't. My project is very small to it.
> But reported problems are seriously checked and fixed if needed.
>
> Thanks a lot for your interest and continuous help,
>
> ./nelson -murilo
>
> - original message -
> Subject: Fwd: chkrootkit report all files as suspicious, without whitespace
> From: Francois Marier <[EMAIL PROTECTED]>
> Date: 04/05/2008 9:13 AM
>
> Hi Nelson,
>
> Juergen reported the following problem with the latest version of chkrootkit.
>
> Is there anything that could be done to help track the problem down?
>
> Cheers,
> Francois
>
> ----- Forwarded message from Juergen Kosel <[EMAIL PROTECTED]> -----
>
> Package: chkrootkit
> Version: 0.48-2
> Severity: important
>
> Hello,
>
> after upgrading chkrootkit to 0.48-2 it now generates the following output:
>
> The following suspicious files and directories were found:
> /usr/lib/jvm/.java-gcj.jinfo /usr/lib/icedove/.autoreg
> /usr/lib/iceweasel/.autoreg /usr/lib/xulrunner/.autoreg
> /usr/lib/electric/.cadrc /lib/init/rw/.ramfs
>
>
> //bin/bin/arch/bin/ash/bin/bash/bin/bunzip2/bin/busybox/bin/bzcat/bin/bzcmp/bin/bzdiff/bin/bzegrep/bin/bzexe/bin/bzfgrep/bin/bzgrep/bin/bzip2/bin/bzip2recover/bin/bzless/bin/bzmore/bin/cat/bin/chgrp/bin/chmod/bin/chown/bin/con2fbmap/bin/cp/bin/cpio/bin/csh/bin/dash/bin/date/bin/dd/bin/df/bin/dir/bin/dmesg/bin/dnsdomainname/bin/echo/bin/ed/bin/egrep/bin/false/bin/fbset/bin/fgconsole/bin/fgrep/bin/fuser/bin/grep/bin/gunzip/bin/gzexe/bin/gzip/bin/hostname/bin/ip/bin/kernelversion/bin/kill/bin/ksh/bin/ln/bin/loadkeys/bin/login/bin/ls/bin/lsmod/bin/lsmod.modutils/bin/lspci/bin/mkdir/bin/mknod/bin/mktemp/bin/modeline2fb/bin/more/bin/mount/bin/mountpoint/bin/mt/bin/mt-gnu/bin/mv/bin/nc/bin/netcat/bin/netstat/bin/pdksh/bin/pidof/bin/ping/bin/ping6/bin/ps/bin/pwd/bin/rbash/bin/readlink/bin/rm/bin/rmdir/bin/run-parts/bin/rzsh/bin/sed/bin/setpci/bin/setserial/bin/sh/bin/sleep/bin/stty/bin/su/bin/sync/bin/tar/bin/tcsh/bin/tempfile/bin/touch/bin/true/bin/umount/bin/uname/bin/uncompress/bin/vdir/bin/which/bin/zcat/bin/zcmp/bin/zdiff/bin/zegrep/bin/zfgrep/bin/zforce/bin/zgrep/bin/zless/bin/zmore/bin/znew/bin/zsh/bin/zsh4/boot/boot/config-2.6.18-5-amd64/boot/grub/boot/grub/default/boot/grub/device.map/boot/grub/device.map~/boot/grub/e2fs_stage1_5/boot/grub/fat_stage1_5/boot/grub/jfs_stage1_5/boot/grub/menu.lst/boot/grub/menu.lst~/boot/grub/minix_stage1_5/boot/grub/reiserfs_stage1_5/boot/grub/splashimages/boot/grub/splashimages/bike_gua.xpm.gz/boot/grub/splashimages/biosplash.xpm.gz/boot/grub/splashimages/CRW_7206_14.xpm.gz/boot/grub/splashimages/debsplash.xpm.gz/boot/grub/splashimages/fiesta.xpm.gz/boot/grub/splashimages/gentleblue.xpm.gz/boot/grub/splashimages/guitar.xpm.gz/boot/grub/stage1/boot/grub/stage2/boot/grub/xfs_stage1_5/boot/initrd.img/boot/initrd.img-2.6.17-2-amd64.bak/boot/initrd.img-2.6.18-5-amd64/boot/initrd.img-2.6.18-5-amd64.bak/boot/memtest86+.bin/boot/System.map-2.6.18-5-amd64/boot/vmlinuz/boot/vmlinuz-2.6.18-5-amd64
> [SNIP]
>
> All files are now listed as suspicious.
> And to make it even worse, they are printed without any whitespace.
> This results in an e-mail from the cronjob which has one line and 27MB size.
> (Which makes the mail viewer or editor very busy.)
>
>
> when called
> bash -x /usr/sbin/chkrootkit > /tmp/chkroot.out 2>&1
>
> it delivers the following (excerpt):
>
> + printn 'Searching for ENYELKM rootkit default files... '
> ++ /bin/echo 'a\c'
> ++ /bin/egrep c
> + /bin/echo -n 'Searching for ENYELKM rootkit default files... '
> Searching for ENYELKM rootkit default files... + '[' -d /etc/.enyelkmOCULTAR.ko ']'
> + '[' '' '!=' t ']'
> + echo 'nothing found'
> nothing found
> + '[' '' '!=' t ']'
> + printn 'Searching for common ssh-scanners default files... '
> ++ /bin/echo 'a\c'
> ++ /bin/egrep c
> + /bin/echo -n 'Searching for common ssh-scanners default files... '
> Searching for common ssh-scanners default files... ++ /usr/bin/find /tmp /var/tmp -name vuln.txt -o -name ssh-scan -o -name pscan2
> + files=
> + '[' '' = '' ']'
> + '[' '' '!=' t ']'
> + echo 'nothing found'
> nothing found
> + '[' '' '!=' t ']'
> + printn 'Searching for suspect PHP files... '
> ++ /bin/echo 'a\c'
> ++ /bin/egrep c
> + /bin/echo -n 'Searching for suspect PHP files... '
> Searching for suspect PHP files... ++ /usr/bin/find /tmp /var/tmp -name '*.php'
> + files=
> ++ /usr/bin/find /tmp /var/tmp -type f -exec head -1 '{}' ';'
> ++ grep php
> + fileshead='//bin/bin/arch/bin/ash/bin/bash/bin/bunzip2/bin/busybox/bin/bzcat/
> bin/bzcmp/bin/bzdiff/bin/bzegrep/bin/bzexe/bin/bzfgrep/bin/bzgrep/bin/bzip2/
> bin/bzip2recover/bin/bzless/bin/bzmore/bin/cat/bin/chgrp/bin/chmod/bin/chown/
> bin/con2fbmap/bin/cp/bin/cpio/bin/csh/bin/dash/bin/date/bin/dd/bin/df/bin/dir/
> bin/dmesg/bin/dnsdomainname/bin/echo/bin/ed/bin/egrep/bin/false/bin/fbset/bin/
> fgconsole/bin/fgrep/bin/fuser/bin/grep/bin/gunzip/bin/gzexe/bin/gzip/bin/
> hostname/bin/ip/bin/kernelversion/bin/kill/bin/ksh/ [SNIP]
>
>
>
> Greetings
> Juergen
>
> -- System Information:
> Debian Release: lenny/sid
> APT prefers testing
> APT policy: (500, 'testing'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.24-1-amd64 (SMP w/1 CPU core)
> Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages chkrootkit depends on:
> ii  binutils          2.18.1~cvs20080103-4+b1  The GNU assembler, linker and bina
> ii  debconf [debconf  1.5.21                   Debian configuration management sy
> ii  libc6             2.7-10                   GNU C Library: Shared libraries
> ii  net-tools         1.60-19                  The NET-3 networking toolkit
> ii  procps            1:3.2.7-8                /proc file system utilities
>
> chkrootkit recommends no packages.
>
> -- debconf information:
> * chkrootkit/run_daily: true
> * chkrootkit/run_daily_opts: -q -n
> * chkrootkit/diff_mode: true
>
> ----- End forwarded message -----
>
> ----- End forwarded message -----
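For readers following the "suspect PHP files" check visible in the bash -x excerpt above, here is an added shell example; it is not chkrootkit's code and not from anyone on this thread. It reconstructs the `find ... -exec head -1 '{}' ';' | grep php` pipeline from the trace and sets it beside a variant that reads at most 64 bytes per file, matches the PHP open tag only at the start of the file, and reports the matching file's path rather than whatever text grep matched. The sample directory, file names and contents are constructed for the demonstration: one of them is a large file with no newline at all, for which `head -1` returns the entire file, which is one way this style of check can turn a content match into a single enormous report line (independently of what actually happened on Juergen's system).

```shell
#!/bin/sh
# Added example, not chkrootkit's code: contrast the "first line contains php"
# style of check seen in the bash -x trace with a bounded, path-reporting one.
# The sample tree, its file names and its contents are constructed for this demo.

# Build a throwaway directory standing in for /tmp with four constructed files.
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    # 1. A PHP script hidden behind a session-file-like name (no .php extension).
    printf '<?php echo "hello"; ?>\n' > "$dir/sess_1a2b"
    # 2. A harmless text file.
    printf 'just a note\n' > "$dir/notes.txt"
    # 3. PHP by name only, with an empty body.
    : > "$dir/upload.php"
    # 4. A large single "line" with no newline whose text contains "php":
    #    head -1 on such a file returns the whole file, not one short line.
    i=0
    while [ "$i" -lt 2000 ]; do
        printf '/usr/lib/php5/%d' "$i"
        i=$((i + 1))
    done > "$dir/filelist.bin"
    printf '%s\n' "$dir"
}

# Reconstruction of the pipeline in the trace: whatever head -1 returns is
# what grep prints, so a match reports file *content*, never a file *name*.
naive_check() {
    find "$1" -type f -exec head -1 '{}' ';' | grep php
}

# Hardened variant: read at most 64 bytes per file, strip NUL bytes so a
# binary file cannot disturb the string handling, accept the open tag only
# at the very start of the file, and print exactly one path per line.
find_suspect_php() {
    find "$1" -type f -print | while IFS= read -r f; do
        case "$f" in
            *.php) printf '%s\n' "$f"; continue ;;
        esac
        first=$(LC_ALL=C head -c 64 "$f" 2>/dev/null | tr -d '\000' | head -n 1)
        case "$first" in
            '<?php'*|'<?PHP'*) printf '%s\n' "$f" ;;
        esac
    done
}

# Usage: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_tree)
    echo "naive check emits $(naive_check "$d" | wc -c | tr -d ' ') bytes of file content"
    echo "hardened check reports:"
    find_suspect_php "$d"
    rm -rf "$d"
fi
```

Run with `--demo` to see the two outputs side by side: the reconstructed pipeline prints tens of kilobytes of the constructed file's body on one line, while the hardened function prints only the two paths that are actually PHP (the extensionless script and the .php file). The design choice that matters for a cron-driven report is that every line it emits is a path the recipient can act on, and the amount of output is bounded by the number of files, not by their size.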