Adam Hardy wrote:
Paul Cartwright on 27/08/08 02:09, wrote:
Adam Hardy wrote:
What about chkrootkit? No warnings?
/etc/cron.daily/chkrootkit: The following suspicious files and directories were found:
/usr/lib/jvm/.java-gcj.jinfo
/usr/lib/jvm/.java-1.5.0-sun.jinfo
/usr/lib/jvm/java-1.5.0-sun-1.5.0.16/.systemPrefs
/usr/lib/icedove/.autoreg
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/VMware/VmdbPerl/.exists
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/VMware/HConfig/.exists
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/VMware/VmPerl/.exists
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/Authen/PAM/.packlist
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/MIME/Base64/.packlist
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/URI/.packlist
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/XML/Parser/.packlist
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/XML/DOM/.packlist
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/VMware/.exists
/usr/lib/xulrunner-1.9/.autoreg
/usr/lib/iceweasel/.autoreg
/usr/lib/epiphany-gecko/2.22/extensions/.pyversion
/lib/init/rw/.ramfs
eth0: PACKET SNIFFER(/sbin/dhclient3[2740], /usr/sbin/ntop[4196])
How about running ntop and checking what your system is doing - are any ports
open that shouldn't be?
Hi Paul,
I'm not a professional security expert but I can tell you what I
learnt about Linux security. Unless you set up your machine with
rock-solid security from the first minute, unless you minimise the
number of ports you leave open, unless you have strong passwords,
unless you monitor the state of your box regularly, and unless a lot of
other things too which you can easily find all over Linux and Debian
security websites, you will always be paranoid that your machine might
be rooted. In fact, even if you do that stuff, I guess you can still
be paranoid. Go to www.rootkit.com and check out what these fiendish
hackers and crackers are up to - it's quite worrying.
So really from the evidence you've given, no-one can really say
whether or not your machine is rooted. If you've noticed strange
goings-on, you have reason to be worried, so reformat and re-install.
Healthy paranoia is always good but you don't want to be jumping at
shadows every time you run chkrootkit or something. The 'PACKET SNIFFER'
warning looks normal - you're running both dhclient and ntop, which
behave like packet sniffers (i.e. they have to look at every packet that
comes across the interface I think). Assuming you expected to have these
programs running then that should be fine.
Most of the other lines look like it's reporting on hidden files which
aren't in areas of the filesystem you'd normally expect them in (such as
/home/*, /tmp etc.). However again you just need to check that these
files are expected to be created by the relevant applications (looks
like possibly VMware Perl API, xulrunner and epiphany or some of their
components). But as Adam said above if you're still not comfortable with
the system after checking this then you should wipe and reinstall.
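The two checks suggested in this thread (is each flagged hidden file something a known application put there, and which processes are actually behind the 'PACKET SNIFFER' warning) can be scripted. The following is an added example written for this page; it is not code from the thread, from chkrootkit or from Debian. It assumes a Debian-style host with dpkg on PATH and a Linux /proc; the dpkg output, the /proc/net/packet rows, the fd symlink targets and the package name "example-jvm" are constructed sample data, and the PIDs 2740 and 4196 are borrowed from the warning quoted above. Run as root to see the fd tables of every process.

```python
#!/usr/bin/env python3
"""Triage two chkrootkit warnings: 'suspicious files and directories'
(hidden files outside the usual places) and 'PACKET SNIFFER'
(processes holding AF_PACKET sockets on an interface).

Added example, not code from the thread or from chkrootkit. Assumes a
Debian-style host (dpkg) and Linux procfs; all sample data is constructed.
"""
import os
import re
import subprocess
from pathlib import Path

# Constructed sample: three of the hidden paths chkrootkit flagged in the thread.
FLAGGED_PATHS = [
    "/usr/lib/jvm/.java-gcj.jinfo",
    "/usr/lib/icedove/.autoreg",
    "/lib/init/rw/.ramfs",
]

# Constructed sample of `dpkg -S` output (stdout and stderr combined);
# "example-jvm" is a made-up package name, not a claim about real ownership.
SAMPLE_DPKG_OUTPUT = """\
example-jvm: /usr/lib/jvm/.java-gcj.jinfo
dpkg-query: no path found matching pattern /usr/lib/icedove/.autoreg
dpkg-query: no path found matching pattern /lib/init/rw/.ramfs
"""

# Constructed sample of /proc/net/packet: two ETH_P_ALL (0003) sockets on ifindex 2.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8800 3      3    0003   2     1 0      0      31001
ffff8801 3      2    0003   2     1 0      0      31002
"""

# Constructed sample of readlink targets of /proc/<pid>/fd/*, keyed by PID
# (PIDs borrowed from the warning: dhclient3[2740], ntop[4196]).
SAMPLE_FD_LINKS = {
    2740: ["/dev/null", "socket:[31001]"],
    4196: ["socket:[31002]", "/dev/null"],
    1: ["/dev/null"],
}


def parse_dpkg_search(output: str) -> dict:
    """Map each queried path to its owning package, or None if no package owns it.

    `dpkg -S` prints 'pkg: /path' (or 'pkgA, pkgB: /path') for owned files and
    'dpkg-query: no path found matching pattern /path' on stderr otherwise.
    """
    owners = {}
    for line in output.splitlines():
        missing = re.search(r"no path found matching pattern (/\S+)", line)
        if missing:
            owners[missing.group(1)] = None
            continue
        owned = re.match(r"^(.+?): (/.+)$", line)
        if owned:
            owners[owned.group(2)] = owned.group(1)
    return owners


def triage_paths(paths, owners) -> list:
    """(path, verdict) pairs: packaged files can be checked against the package's
    file list; unowned hidden files need the creating application identified."""
    verdicts = []
    for path in paths:
        pkg = owners.get(path)
        verdict = (f"owned by package {pkg}" if pkg
                   else "not owned by any package: identify the application that creates it")
        verdicts.append((path, verdict))
    return verdicts


def parse_proc_net_packet(text: str) -> list:
    """One dict per AF_PACKET socket. Columns: sk RefCnt Type Proto Iface R Rmem
    User Inode. Proto 0003 is ETH_P_ALL: the socket sees every frame on the
    interface, which is why dhclient and ntop both trip the sniffer heuristic."""
    sockets = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 9:
            continue
        sockets.append({"type": int(fields[2]), "proto": int(fields[3], 16),
                        "ifindex": int(fields[4]), "inode": int(fields[8])})
    return sockets


def socket_owners(sockets, fd_links) -> dict:
    """Map each AF_PACKET socket inode to the sorted PIDs holding it.
    fd_links: {pid: [readlink targets]}; a socket fd reads as 'socket:[<inode>]'.
    An empty list means the holder could not be inspected or has exited."""
    pids_by_inode = {}
    for pid, targets in fd_links.items():
        for target in targets:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                pids_by_inode.setdefault(int(m.group(1)), []).append(pid)
    return {s["inode"]: sorted(pids_by_inode.get(s["inode"], [])) for s in sockets}


def collect_fd_links() -> dict:
    """Live counterpart of SAMPLE_FD_LINKS: readlink every /proc/<pid>/fd entry."""
    links = {}
    for proc in Path("/proc").iterdir():
        if not proc.name.isdigit():
            continue
        try:
            links[int(proc.name)] = [os.readlink(fd) for fd in (proc / "fd").iterdir()]
        except OSError:
            continue  # no permission (not root) or the process exited mid-scan
    return links


if __name__ == "__main__":
    result = subprocess.run(["dpkg", "-S", *FLAGGED_PATHS], capture_output=True, text=True)
    for path, verdict in triage_paths(FLAGGED_PATHS, parse_dpkg_search(result.stdout + result.stderr)):
        print(f"{path}: {verdict}")
    sockets = parse_proc_net_packet(Path("/proc/net/packet").read_text())
    for inode, pids in socket_owners(sockets, collect_fd_links()).items():
        names = ", ".join(f"{Path(f'/proc/{p}/comm').read_text().strip()}[{p}]" for p in pids)
        print(f"AF_PACKET socket inode {inode}: {names or 'holder not visible'}")
```

On the sample data the script reports the .jinfo file as packaged and the other two as unowned (so the application that writes them has to be identified by hand, as the reply above says), and attributes the two ETH_P_ALL sockets to PIDs 2740 and 4196, which is exactly the pairing chkrootkit printed as dhclient3 and ntop.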