Re: [newbie] chkrootkit question ...
On Mon, 19 Apr 2004 14:33:50 +1000 Stephen Kuhn [EMAIL PROTECTED] wrote:
> On Mon, 2004-04-19 at 14:28, RickS wrote:
> > hmm.. I will give that a go and see what happens, I can't get to it til tomorrow since it's 12:30am here in detroit .. time for some sleep :)
>
> 11 mile and Schoenherr - Warren. That's where I did most of my grownin' up. Detroit sucks - yech. Went to high school downtown near City Airport. Small world, ay?
>
> stephen kuhn - owner

Small world for sure... but as Steven Wright said, I wouldn't want to paint it. So you were an east-sider ... but oh my, you didn't just get outta state.. you jumped continents.. good for you 8) cause 90 sunny days here a year just isn't enough 8( been nice the last couple days tho.. I'm at merriman and mich ave .. a west-sider .. but Detroit is still more or less the same except the Pistons and Tigers are playin very well 8)

Found some info online through google since I didn't know what aliens meant .. yet .. but gonna get the server re-installed and update the kernel, so may be off for a lil while, thx for the help Stephen,

Always a pleasure
Ricks
- Linux 2.4.22-28mdkenterprise i686
gpg --recv-keys --keyserver www.keyserver.net 0x24AABE61
+ BOFH excuse #432: Borg nanites have infested the server

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Join the Club : http://www.mandrakeclub.com
Re: [newbie] chkrootkit question ...
On Mon, 19 Apr 2004 14:13:10 +1000 Stephen Kuhn [EMAIL PROTECTED] wrote:
> On Mon, 2004-04-19 at 14:08, RickS wrote:
> > yes Stephen I can log into it from the server as my normal user.. and from the client pc as a user then su to root .. yes .. so on the client I closed the terminal that was running the ssh and somehow it didn't close the connection .. I plan on reinstalling 9.2 to start from scratch anyway, but I was wondering if this chkrootkit log message was the result of that instance ... since nothing else was in the logs and there's no evidence of being cracked AFAICT ...
>
> Ya know, after you've reinstalled, login at least once as root; not an su or sudo, but really - right on the console; then if that message is ever repeated you'll KNOW something's fishy; have you run chkrootkit with the: chkrootkit aliens test/option to see if anything strange was up there?
>
> stephen kuhn - owner
> == illawarra computer services
> a kuhn media australia company
> http://kma.0catch.com

hmm.. I will give that a go and see what happens, I can't get to it til tomorrow since it's 12:30am here in detroit .. time for some sleep :)

- Linux 2.4.22-28mdkenterprise i686
gpg --recv-keys --keyserver www.keyserver.net 0x24AABE61
+ BOFH excuse #262: Our POP server was kidnapped by a weasel.
Re: [newbie] chkrootkit question ...
On Mon, 2004-04-19 at 14:28, RickS wrote:
> hmm.. I will give that a go and see what happens, I can't get to it til tomorrow since it's 12:30am here in detroit .. time for some sleep :)

11 mile and Schoenherr - Warren. That's where I did most of my grownin' up. Detroit sucks - yech. Went to high school downtown near City Airport. Small world, ay?

stephen kuhn - owner
== illawarra computer services
a kuhn media australia company
http://kma.0catch.com
--
* This message was composed on a 100% Microsoft free computer
* We expressly refuse to utilise Microsoft DRM encoded documents
--
Pushing 30 is exercise enough.
Re: [newbie] chkrootkit
On Thursday August 14 2003 05:22 pm, Chris wrote:
> On Thursday 14 August 2003 01:11 am, Inhabitant of Zion wrote:
> > > Running chkrootkit I get the following when searching for suspicious files and directories. Does this mean these are suspicious or just the ones checked?
> >
> > I think it may well mean they are suspicious. I get one on my system:
> >
> > Searching for suspicious files and dirs, it may take a while...
> > /usr/lib/mozilla-1.3.1/plugins/jre1.3.1_02/bin/.java_wrapper
> >
> > Dunno what to do about it. Delete the files ASAP?
>
> Anyone else have thoughts on this?

What exactly does chkrootkit check for in these files? I noticed most all the suspect files belonged to closed source proprietary applications. Namely StarOffice and Java. Use of closed source drivers and apps is always a security risk.
--
Tom Brinkman
Corpus Christi, Texas
Re: [newbie] chkrootkit
On Friday 15 August 2003 08:55 am, Tom Brinkman wrote:
> On Thursday August 14 2003 05:22 pm, Chris wrote:
> > On Thursday 14 August 2003 01:11 am, Inhabitant of Zion wrote:
> > > > Running chkrootkit I get the following when searching for suspicious files and directories. Does this mean these are suspicious or just the ones checked?
> >
> > Anyone else have thoughts on this?
>
> What exactly does chkrootkit check for in these files? I noticed most all the suspect files belonged to closed source proprietary applications. Namely StarOffice and Java. Use of closed source drivers and apps is always a security risk.

So there is probably nothing to worry about, however it's much better to run open source apps, ie. OO than SO. Is there a way to check the files/dirs listed and what would I be looking for?
--
Regards
Chris
A 100% Microsoft free computer
Registered Linux User 283774 http://counter.li.org
7:44pm up 2 days, 2:25, 4 users, load average: 0.72, 0.39, 0.23
Re: [newbie] chkrootkit
On Wednesday 13 August 2003 09:30 pm, Chris wrote:
> Running chkrootkit I get the following when searching for suspicious files and directories. Does this mean these are suspicious or just the ones checked?
>
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Term/ReadKey/.packlist
> /usr/lib/jre-1.3.1_04/bin/.java_wrapper
> /usr/lib/office60/share/fonts/truetype/.mozilla_font_summary.ndb
> /usr/lib/staroffice/share/gnome/net/auto pilots/.directory
> /usr/lib/staroffice/share/gnome/net/.directory
> /usr/lib/staroffice/share/gnome/net/.order
> /usr/lib/staroffice/share/gnome/net/information and setup/.directory
> /usr/lib/staroffice/share/gnome/net/other/.directory
> /usr/lib/staroffice/share/kde/net/applnk/StarOffice 6.0/auto pilots/.directory
> /usr/lib/staroffice/share/kde/net/applnk/StarOffice 6.0/.directory
> /usr/lib/staroffice/share/kde/net/applnk/StarOffice 6.0/.order
> /usr/lib/staroffice/share/kde/net/applnk/StarOffice 6.0/information and setup/.directory
> /usr/lib/staroffice/share/kde/net/applnk/StarOffice 6.0/other/.directory
> /usr/lib/staroffice/share/samples/english/.nametranslation.table

Hmmm, this is completely different than what mine shows. Did you have an output similar to below:

Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not found
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... nothing found
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit ... nothing found
Searching for Romanian rootkit ... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'...
Checking `rexedcs'... not found
Checking `sniffer'...
Checking `wted'... nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... nothing deleted

and then the output you show? It almost looks like there are bad things in your garden, but I am not sure what is going on. Which version of chkrootkit are you using?
--
Dennis M. linux user #180842
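Chris asks above how to check the files chkrootkit lists, and Dennis's post shows what the full run looks like. As an added example (not chkrootkit's own code or anything posted in this thread), here is a small Python triage parser for that output format: it groups the `Checking' and `Searching for' lines into tests, keeps only the ones that returned something other than a known clean verdict, and attaches the paths printed under "Searching for suspicious files and dirs". The sample output is constructed from lines in this thread plus one invented INFECTED line.

```python
import re

# chkrootkit prints one of these two line shapes per test; the verdict may be empty.
CHECK_RE = re.compile(r"^Checking `(?P<name>[^']+)'\.\.\. ?(?P<verdict>.*)$")
SEARCH_RE = re.compile(r"^Searching for (?P<name>.+?)(?:, it may take a while)?\.\.\. ?(?P<verdict>.*)$")
# Verdicts that mean "this test found nothing of interest".
CLEAN = {"not infected", "nothing found", "not found", "no suspect files", "nothing deleted"}

def parse_chkrootkit(text):
    """Group output into (test_name, verdict, extra_lines) tuples; extra_lines are
    the paths or messages printed under a test, e.g. the suspicious-files list."""
    tests = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CHECK_RE.match(line) or SEARCH_RE.match(line)
        if m:
            tests.append((m.group("name"), m.group("verdict").strip(), []))
        elif tests:
            tests[-1][2].append(line)   # continuation line belongs to the previous test
    return tests

def needs_review(tests):
    """Drop tests with a clean verdict and no extra output; describe the rest."""
    flagged = []
    for name, verdict, extra in tests:
        if verdict in CLEAN and not extra:
            continue
        if not verdict:   # test printed paths instead of a verdict, or nothing at all
            verdict = f"{len(extra)} path(s) listed" if extra else "no verdict printed"
        flagged.append((name, verdict, extra))
    return flagged

# Constructed sample: lines taken from this thread plus one invented INFECTED line.
SAMPLE_OUTPUT = """\
Checking `sshd'... not infected
Checking `tcpd'... not found
Checking `ls'... INFECTED
Searching for sniffer's logs, it may take a while... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/jre-1.3.1_04/bin/.java_wrapper
/usr/lib/staroffice/share/gnome/net/.directory
Searching for LPD Worm files and dirs... nothing found
Checking `lkm'...
Checking `wted'... nothing deleted
"""
```

On an RPM-based system such as Mandrake, each listed path can then be checked with `rpm -qf PATH` (which package owns it) and `rpm -V PACKAGE` (whether the file still matches what the package recorded); a hidden file that no package owns deserves a closer look.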
[newbie] chkrootkit
Running chkrootkit I get the following when searching for suspicious files and directories. Does this mean these are suspicious or just the ones checked?

Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Term/ReadKey/.packlist
/usr/lib/jre-1.3.1_04/bin/.java_wrapper
/usr/lib/office60/share/fonts/truetype/.mozilla_font_summary.ndb
/usr/lib/staroffice/share/gnome/net/auto pilots/.directory
/usr/lib/staroffice/share/gnome/net/.directory
/usr/lib/staroffice/share/gnome/net/.order
/usr/lib/staroffice/share/gnome/net/information and setup/.directory
/usr/lib/staroffice/share/gnome/net/other/.directory
/usr/lib/staroffice/share/kde/net/applnk/StarOffice 6.0/auto pilots/.directory
/usr/lib/staroffice/share/kde/net/applnk/StarOffice 6.0/.directory
/usr/lib/staroffice/share/kde/net/applnk/StarOffice 6.0/.order
/usr/lib/staroffice/share/kde/net/applnk/StarOffice 6.0/information and setup/.directory
/usr/lib/staroffice/share/kde/net/applnk/StarOffice 6.0/other/.directory
/usr/lib/staroffice/share/samples/english/.nametranslation.table
--
Regards
Chris
A 100% Microsoft free computer
Registered Linux User 283774 http://counter.li.org
9:29pm up 4:09, 4 users, load average: 0.50, 0.30, 0.16
Re: [newbie] chkrootkit
> Running chkrootkit I get the following when searching for suspicious files and directories. Does this mean these are suspicious or just the ones checked?

I think it may well mean they are suspicious. I get one on my system:

Searching for suspicious files and dirs, it may take a while...
/usr/lib/mozilla-1.3.1/plugins/jre1.3.1_02/bin/.java_wrapper

Dunno what to do about it. Delete the files ASAP?
--
John Willby
Registered Linux user number 321644
MSN: [EMAIL PROTECTED]
ICQ: 92791912
07:06:39 up 1 day, 21:54, 3 users, load average: 0.07, 0.07, 0.02
Re: [newbie] chkrootkit
On Wednesday 13 August 2003 10:43 pm, Dennis Myers wrote:
> On Wednesday 13 August 2003 09:30 pm, Chris wrote:
> > Running chkrootkit I get the following when searching for suspicious files and directories. Does this mean these are suspicious or just the ones checked?
>
> Hmmm, this is completely different than what mine shows. Did you have an output similar to below:
>
> Checking `slogin'... not infected
> Checking `sendmail'... not infected
>
> and then the output you show? It almost looks like there are bad things in your garden, but I am not sure what is going on. Which version of chkrootkit are you using?

Yes, I have the same output also as you do. The version is 0.37
--
Regards
Chris
A 100% Microsoft free computer
Registered Linux User 283774 http://counter.li.org
6:18am up 12:59, 4 users, load average: 0.11, 0.10, 0.04
Re: [newbie] Chkrootkit shows nothing?
On Saturday 11 May 2002 09:19 am, Daniel Stiefel wrote:
> A few days ago, I got some KWrited docs popping up on my Mandrake 8.1 desktop (Security warning: World Writeable files found, followed by a long list of files located on both hard drives). I am a linux newbie and assumed the popups were the product of some kind of monitoring utility that I had inadvertently installed. Although I have a simple workstation setup (except for the extra partitions and triple boot aspect to it) and installed 8.1 with medium security, I went back into the control panel and re-set it to medium security and the KWrited popups stopped appearing.
>
> From the lists of files displayed, I assumed my machine had been compromised and that I would have to partition, reformat, reload the win98, mandrake 8.1 and Redhat 5.1 partition in order to make things right. I downloaded chkrootkit and ran it while booted to the main HD/Mandrake 8.1 just to see what was up. Surprisingly it showed nothing. I'm not sure why that is. I am not familiar with chkrootkit and may have failed to run it so that it searched all of the drives.
>
> Can anyone tell me how to run it to search RH 5.1 or the win98SE partition? Can that be done from 8.1 on the other drive as I attempted? Does it check comprehensively or does it only check the drive/OS that it is booted to? Secondly, is it possible that, despite the KWrited popups that occurred on 2 different occasions, my machine is unaffected?
>
> dan

This is one of the checks performed by MSec. World writeable refers to the permissions. When you import a file from windows its permissions have to be reset and possibly the ownership.

man chmod
man chown
http://www.linux-mandrake.com/en/doc/82/en/ref.html/prog-msec.html should get you started.

For files that are not executables try 0640. Files from windows are probably 0777.

Michael
[newbie] Chkrootkit shows nothing?
A few days ago, I got some KWrited docs popping up on my Mandrake 8.1 desktop (Security warning: World Writeable files found, followed by a long list of files located on both hard drives). I am a linux newbie and assumed the popups were the product of some kind of monitoring utility that I had inadvertently installed. Although I have a simple workstation setup (except for the extra partitions and triple boot aspect to it) and installed 8.1 with medium security, I went back into the control panel and re-set it to medium security and the KWrited popups stopped appearing.

From the lists of files displayed, I assumed my machine had been compromised and that I would have to partition, reformat, reload the win98, mandrake 8.1 and Redhat 5.1 partition in order to make things right. I downloaded chkrootkit and ran it while booted to the main HD/Mandrake 8.1 just to see what was up. Surprisingly it showed nothing. I'm not sure why that is. I am not familiar with chkrootkit and may have failed to run it so that it searched all of the drives.

Can anyone tell me how to run it to search RH 5.1 or the win98SE partition? Can that be done from 8.1 on the other drive as I attempted? Does it check comprehensively or does it only check the drive/OS that it is booted to? Secondly, is it possible that, despite the KWrited popups that occurred on 2 different occasions, my machine is unaffected?

dan