
Re: [OT] rkhunter and chkrootkit messages



Jens Schüßler, 12/23/06 02:29:

> * Peter Jordan <usernetwork@gmx.info> wrote:
>> Hello,
>>
>> I ran rkhunter and chkrootkit on my desktop machine and get the
>> following messages:
>>
>> rkhunter:
>>
>> Scanning for hidden files...  [ Warning! ]
>> -----------------------------------------------------------------
>>
>> Found warnings:
>> [14:41:42] WARNING, found:  /etc/.java (directory)  /dev/.udev
>> (directory)  /dev/.static (directory)
>>
>> chkrootkit:
>>
>> The following suspicious files and directories were found:
>> /usr/lib/jvm/.java-gcj.jinfo
>> /usr/lib/firefox/.autoreg
>> /lib/init/rw/.ramfs
>> /lib/modules/fglrx/build_mod/2.6.x/.tmp_versions
>> /lib/modules/fglrx/build_mod/2.6.x/.firegl_public.o.cmd
>> /lib/modules/fglrx/build_mod/2.6.x/.fglrx.o.cmd
>> /lib/modules/fglrx/build_mod/2.6.x/.fglrx.mod.o.cmd
>> /lib/modules/fglrx/build_mod/2.6.x/.fglrx.ko.cmd
>> /lib/modules/fglrx/build_mod/2.6.x/.tmp_versions
> 
> Those are false positives, see
> 
> ,----[ /usr/share/doc/chkrootkit/README.FALSE-POSITIVES ]-
> | the hidden files issue continues to crop up now and again.  basically,
> | if chkrootkit sees a hidden file (a file that begins with .) under
> | /usr/lib, it flags it as suspicious.  there are various packages that
> | contain these hidden files and they are innocuous.  however, it appears
> | that arbitrary hidden files under /usr/lib is a sign of a rootkit, so,
> | again, it's the safe vs sorry argument
> `----
> 
>> /usr/lib/security/
> 
> Nothing bad there either:
> $# dlocate /usr/lib/security/
> libgcj-common: /usr/lib/security/classpath.security
> 
>> Warning: `' is linked to another file
> 
> That doesn't tell me anything offhand; run chkrootkit by hand and
> check which test produces this message.
> 

First of all, many thanks.

This message is not shown when it is run manually.


Peter
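
Added example, not part of the original thread: the package-ownership check done above with dlocate, applied to a whole chkrootkit "suspicious files" list at once. It assumes a Debian system with dpkg-query; `OWNER_LOOKUP`, `demo_lookup` and the package name `example-pkg` are hypothetical names introduced only for this example.

```shell
#!/bin/sh
# Added example, not from the thread: split the paths in a chkrootkit
# "suspicious files" list into package-owned and unowned.

# Print the package(s) owning $1, or nothing if no package claims it.
# OWNER_LOOKUP is this example's own hook (hypothetical, not a dpkg or
# chkrootkit feature): set it to a command name to replace dpkg-query.
owner_of() {
    if [ -n "${OWNER_LOOKUP:-}" ]; then
        "$OWNER_LOOKUP" "$1" || true
    else
        # dpkg-query -S prints "package: /path"; keep only the package part.
        dpkg-query -S "$1" 2>/dev/null | sed -n '1s/: \/.*$//p' || true
    fi
}

# Read a report on stdin and print one verdict line per absolute path.
triage_report() {
    while IFS= read -r line; do
        # Strip mail quoting ("> ", ">> ") and surrounding blanks.
        path=$(printf '%s\n' "$line" | sed 's/^[> ]*//; s/[[:space:]]*$//')
        case "$path" in
            /*) ;;           # absolute path: look it up
            *)  continue ;;  # headings and other text: skip
        esac
        pkg=$(owner_of "$path")
        if [ -n "$pkg" ]; then
            printf 'OWNED    %s (%s)\n' "$path" "$pkg"
        else
            printf 'UNOWNED  %s\n' "$path"
        fi
    done
}

# Constructed lookup so the demo runs offline; "example-pkg" is made up.
demo_lookup() {
    case "$1" in
        /usr/lib/jvm/.java-gcj.jinfo) echo "example-pkg" ;;
    esac
}

# Demo on lines copied from the report quoted in this thread.
( OWNER_LOOKUP=demo_lookup; triage_report <<'EOF'
>> The following suspicious files and directories were found:
>> /usr/lib/jvm/.java-gcj.jinfo
>> /usr/lib/firefox/.autoreg
EOF
)
```

UNOWNED only means that no installed package claims the path, so it is the short list left for a manual look; files created at runtime or by a local module build land there too.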


