Re: Am I hacked?
Michal Sedlak wrote:
But I think the bigger problem is this
--WARN-- [sig004w] None of the following versions of /bin/bash (-rwxr-xr-x)
matched the /bin/bash on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /bin/login
(-rwsr-xr-x)
matched the /bin/login on this machine.
Linux 2.4.17
--WARN-- [sig004w] None of the following versions of /bin/ls (-rwxr-xr-x)
matched the /bin/ls on this machine.
Linux 2.4.17
It looks to me as though tiger checked only one possible version of each
of these commands. Not too surprising you wouldn't match that particular
one. I think you should run md5sum on those commands and check the output
against -- well, that I'm not too sure about, but someone must have the
official md5sums for sarge files, now that it's been released?
and this
# Running chkrootkit (/usr/sbin/chkrootkit) to perform further checks...
--WARN-- [rootkit004w] Chkrootkit has detected a possible rootkit
installation
Warning: Possible LKM Trojan installed
chkrootkit has given me this false positive before, I forget why.
Get the detailed output from chkrootkit.
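Added example (not part of the original message): one way to do the md5sum comparison suggested above, as a POSIX shell function that checks files against a reference list in the "<md5>  <relative path>" layout produced by md5sum and used by dpkg's /var/lib/dpkg/info/*.md5sums files. The function name, the scratch tree and the checksums in demo() are constructed for illustration; on a machine that may be compromised, take the reference list from a trusted copy of the package rather than from the local disk.

```sh
#!/bin/sh
# Added example: compare files with a reference list of "<md5>  <path>" lines,
# path relative to ROOT (layout of md5sum output and dpkg *.md5sums files).
# Prints OK / MISMATCH / MISSING per file; returns 0 only if every file is OK.
verify_md5_list() {
    ref_list=$1
    root=${2:-/}
    status=0
    while read -r want path || [ -n "$want" ]; do
        [ -n "$want" ] || continue            # skip blank lines
        file="${root%/}/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        got=$(md5sum < "$file" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (expected $want, got $got)"
            status=1
        fi
    done < "$ref_list"
    return "$status"
}

# Constructed sample: a scratch tree standing in for / and a reference list
# holding one correct checksum, one wrong checksum and one absent file.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/bin"
    printf 'stand-in for bash\n' > "$tmp/root/bin/bash"
    printf 'stand-in for ls\n' > "$tmp/root/bin/ls"
    {
        printf '%s  bin/bash\n' "$(md5sum < "$tmp/root/bin/bash" | cut -d' ' -f1)"
        printf '%s  bin/ls\n' 00000000000000000000000000000000
        printf '%s  bin/login\n' 00000000000000000000000000000000
    } > "$tmp/ref.md5sums"
    rc=0
    verify_md5_list "$tmp/ref.md5sums" "$tmp/root" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || echo "=> at least one file differs from the reference list"
```

Against a real system the call would be verify_md5_list REFERENCE_LIST /, with REFERENCE_LIST being the trusted md5sums file for the package that owns the binaries.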