--- "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:

> To all, thanks.
> 
>     Running "chkrootkit.48" found a crontab entry for "nobody" ( 
> possible worm ).
> 
>     crontab - l nobody doesn't exist.  Is it a problem?
> 
> Also, in the building of "chkrootkit-0.48", make sense didn't work, but 
> "make" made all the binaries.  Could I have done something wrong?  I 
> followed Jim's outline for chkrootkit installation, and followed all the 
> README's.
> 
> john


Assuming that the `make sense` command was run from the directory with the
Makefile, I'm a little surprised (and a bit suspicious) that it didn't work. 
It could be a difference of the distributions.  

It is not necessary to compile the C code as root.  In fact, I wouldn't do it. 
It is necessary to run the chkrootkit script with root privileges for full
access to the system.

The user "nobody" is usually associated with an Apache installation from
source.  Some distributions may also use it.  The Red Hat RPM style uses a user
named "apache" for this.  You will probably find a user named "nobody" on your
system:

$ grep nobody /etc/passwd
nobody:x:99:99:Nobody:/:/sbin/nologin

Next you need to figure out if there are really cron jobs assigned to this
user.  You can look at this as root with

# ls -la /var/spool/cron

to show all of the scheduled cron jobs by user.

Other places for cron jobs are in the /etc/crontab file and the directories
which may exist on your system such as:

/etc/cron.hourly
/etc/cron.daily
/etc/cron.weekly
/etc/cron.monthly

Each of these directories contains scripts which are run according to the
schedule defined in /etc/crontab.  My copy looks like:

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/

# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
_____

plus some custom lines which aren't needed for this discussion.  The five
underscores ("_____") are not part of the file, of course.

James Keeline
(not Jim)

-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-newbie
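
Added example (not part of the message above or of chkrootkit): a small shell check that gathers the cron locations named in the reply and prints only the entries that run as one account, such as "nobody". CRON_ROOT is a hypothetical prefix introduced here so the same functions can be pointed at a mounted disk image or a test tree; the function names are also this example's own.

```shell
#!/bin/sh
# Added example: which cron entries run as a given account?
# CRON_ROOT (hypothetical) prefixes every path; empty means the live system.

cron_jobs_for_user() {
    user=$1
    root=${CRON_ROOT:-}

    # Per-user crontab in the spool directory (readable by root only).
    spool="$root/var/spool/cron/$user"
    if [ -f "$spool" ]; then
        # Drop comments and blank lines, tag what is left.
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$spool" |
            sed 's|^|spool: |'
    fi

    # System crontab: five time fields, then the account, then the command.
    tab="$root/etc/crontab"
    if [ -f "$tab" ]; then
        awk -v u="$user" '
            /^[[:space:]]*#/ { next }                    # comments
            $1 ~ /^@/ { if ($2 == u) print "crontab: " $0; next }  # @reboot etc.
            NF < 7    { next }                           # blanks, VAR=value lines
            $6 == u   { print "crontab: " $0 }' "$tab"
    fi
}

# Scripts that run-parts would execute from the four schedule directories.
cron_dir_scripts() {
    root=${CRON_ROOT:-}
    for d in hourly daily weekly monthly; do
        dir="$root/etc/cron.$d"
        [ -d "$dir" ] || continue
        find "$dir" -type f -print
    done
}

# Run as: sh cronuser.sh nobody   (as root, so the spool is readable)
if [ $# -gt 0 ]; then
    cron_jobs_for_user "$1"
    cron_dir_scripts
fi
```

No output from cron_jobs_for_user means none of these locations schedules anything for that account.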
