Re: chkrootkit output questions
Quoting Hanasaki JiJi (hanasaki@hanaden.com):
> 1. what is a rootkit?
A set of software installed by an intruder to conceal his presence. It
typically consists of replacements for system utilities (ps, netstat,
etc.) that could otherwise reveal his activities, altered ("trojaned")
to prevent that disclosure. "chkrootkit" attempts to find small traces
accidentally left behind by installation of common rootkits. It also
checks for known "worms" (automated attack tools against old, vulnerable
versions of lpd, bind8, etc.) and trojaned loadable kernel modules.
> 2. anything "normal" that might result in a wted warning that something
> was deleted? output is:
> Checking `wted'... 1 deletion(s) between Sat Apr 5 10:33:11 2003 and
> Sat Apr 5 10:53:43 2003
Let's see: It looks like the "wted" check looks for suspicious
omissions or zeroed-out entries from /var/log/wtmp.
I really don't know. You might want to take a close look at that wtmp
entry, and see if anything occurs to you about it.
> 3. Checking bindshell reports "warning got bogus unix line. not
> infected" what does this mean?
That's not coming from chkrootkit, but rather netstat. If I understand
the C code correctly, it means that some Unix domain socket changed
while being viewed, and doesn't indicate a problem, really.
--
Cheers,
Rick Moen
rick@linuxmafia.com

"Transported to a surreal landscape, a young girl kills the first woman she meets, and then teams up with three complete strangers to kill again." -- Rick Polito's That TV Guy column, describing the movie _The Wizard of Oz_
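As an added illustration of the kind of check the reply describes for wtmp (this is example code written for this page, not chkrootkit's own source and not part of the thread): it walks a wtmp file record by record, assuming the glibc x86-64 `struct utmp` layout, and reports every all-zero record together with the timestamps of the valid entries on either side of it. The sample wtmp bytes and the user/host names in it are constructed.

```python
import calendar
import struct
import time

# Assumed record layout: glibc x86-64 `struct utmp` (384 bytes); other libcs/arches differ.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7  # ut_type of a logged-in user session

def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one utmp record (constructed sample data, not read from a real system)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

def find_deletions(wtmp):
    """Return one (before, after) timestamp pair per all-zero record.
    login/init never write an all-NUL record; it is what a log cleaner leaves after
    blanking an entry.  The neighbouring valid records bracket when it was logged."""
    deletions = []
    last_ts = None
    waiting = []  # indexes of deletions still missing their "after" timestamp
    for off in range(0, len(wtmp) - len(wtmp) % UTMP_SIZE, UTMP_SIZE):
        rec = wtmp[off:off + UTMP_SIZE]
        if not any(rec):  # every byte zero
            deletions.append([last_ts, None])
            waiting.append(len(deletions) - 1)
            continue
        tv_sec = struct.unpack(UTMP_FMT, rec)[9]  # ut_tv.tv_sec
        for i in waiting:
            deletions[i][1] = tv_sec
        waiting = []
        last_ts = tv_sec
    return [tuple(d) for d in deletions]

def report(wtmp):
    """Summarise findings in the shape of the chkrootkit line quoted in the question."""
    dels = find_deletions(wtmp)
    if not dels:
        return "nothing deleted"
    stamp = lambda ts: "unknown" if ts is None else time.asctime(time.gmtime(ts))
    return "%d deletion(s) between %s and %s" % (len(dels), stamp(dels[0][0]), stamp(dels[-1][1]))

# Constructed sample: a login at 10:33:11, a blanked record, then a login at 10:53:43 (UTC).
T_BEFORE = calendar.timegm((2003, 4, 5, 10, 33, 11, 0, 0, 0))
T_AFTER = calendar.timegm((2003, 4, 5, 10, 53, 43, 0, 0, 0))
SAMPLE_WTMP = (pack_record(USER_PROCESS, 1234, "pts/0", "alice", "localhost", T_BEFORE)
               + b"\0" * UTMP_SIZE
               + pack_record(USER_PROCESS, 1300, "pts/1", "bob", "localhost", T_AFTER))
CLEAN_WTMP = SAMPLE_WTMP[:UTMP_SIZE] + SAMPLE_WTMP[2 * UTMP_SIZE:]
```

`report(SAMPLE_WTMP)` returns "1 deletion(s) between Sat Apr  5 10:33:11 2003 and Sat Apr  5 10:53:43 2003", the same shape as the line in the question; a real wtmp is read with `open("/var/log/wtmp", "rb").read()` and the window it reports is where to look in other logs for the entry that was blanked.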