
Re: chkrootkit has me worried!



On Tue, Nov 29, 2005 at 04:34:11AM +0000, kevin bailey wrote:
> hi,
> 
> the following output looks like i've been rooted.

Yes, it doesn't look like a false positive:

> Checking `ls'... INFECTED
> Checking `netstat'... INFECTED
> Checking `ps'... INFECTED
> Checking `top'... INFECTED

Nasty.

> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/zope/lib/python/Products/DCWorkflow/.Xserver-lcd
> /usr/lib/zope/lib/python/Products/ZnolkSQLWizard/.selectColumns.dtml.swo
> /usr/lib/zope/lib/python/Products/ZnolkSQLWizard/.selectColumns.dtml.swp
> /usr/lib/zope/lib/python/SearchIndex/.testinfo

Those might be FP.

> /usr/lib/nmh/include/lib/.sniffer

This one looks nasty.

> Searching for anomalies in shell history files... Warning:
> `//root/.bash_history' file size is zero

Nasty.

> Checking `lkm'... You have   107 process hidden for readdir command
> You have   113 process hidden for ps command

Nasty.

> Checking `sniffer'...   eth0 is PROMISC

You have several processes hidden and what looks like sniffer logs so be
careful. Your passwords might be compromised either through a trojaned ssh
client if you are using ssh or through the sniffer if you are using
clear-text passwords.

Sorry,

Javier
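
The line-by-line triage in the reply above, sketched as a script over lines quoted in this thread. This is an added example, not part of the original message and not chkrootkit's own code; the rule labels, the severity levels and the two-category threshold in `verdict` are assumptions of the example.

```python
import re

# Lines taken from the chkrootkit output quoted in the thread above.
SAMPLE = """\
Checking `ls'... INFECTED
Checking `netstat'... INFECTED
Checking `ps'... INFECTED
Checking `top'... INFECTED
/usr/lib/zope/lib/python/Products/ZnolkSQLWizard/.selectColumns.dtml.swp
/usr/lib/zope/lib/python/SearchIndex/.testinfo
/usr/lib/nmh/include/lib/.sniffer
`//root/.bash_history' file size is zero
Checking `lkm'... You have   107 process hidden for readdir command
You have   113 process hidden for ps command
Checking `sniffer'...   eth0 is PROMISC
"""

# (severity, label, pattern); first match wins. Severities are this example's assumption.
RULES = [
    ("high", "trojaned binary", re.compile(r"^Checking `(?P<what>[^']+)'\.\.\. INFECTED")),
    ("high", "hidden processes", re.compile(r"(?P<what>\d+) process(?:es)? hidden for \w+ command")),
    ("high", "promiscuous interface", re.compile(r"(?P<what>\S+) is PROMISC")),
    ("high", "emptied shell history", re.compile(r"`(?P<what>[^']+)' file size is zero")),
    ("high", "sniffer-named hidden file", re.compile(r"^(?P<what>/\S*/\.[^/]*sniff[^/]*)$", re.I)),
    ("low", "editor swap file", re.compile(r"^(?P<what>/\S+\.sw[a-p])$")),
    ("review", "hidden file", re.compile(r"^(?P<what>/\S*/\.[^/]+)$")),
]

def triage(text):
    """Return (severity, label, detail) for every line that matches a rule."""
    findings = []
    for line in text.splitlines():
        line = line.lstrip("> ").strip()  # accept mail-quoted output as well
        for severity, label, pattern in RULES:
            m = pattern.search(line)
            if m:
                findings.append((severity, label, m.group("what")))
                break
    return findings

def verdict(findings):
    """Independent high-severity categories agreeing is what rules out a false positive."""
    kinds = {label for severity, label, _ in findings if severity == "high"}
    if len(kinds) >= 2:
        return "likely compromised"
    return "needs review" if findings else "no findings"

if __name__ == "__main__":
    print(verdict(triage(SAMPLE)), triage(SAMPLE))
```

Feed it the saved output of a chkrootkit run. A "no findings" result from a host whose `ls` and `ps` may themselves be trojaned proves nothing.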
