Re: chkrootkit: suspicious files and dirs -- perl5 et apache2 ?

To: debian-user-french@lists.debian.org
Subject: Re: chkrootkit: suspicious files and dirs -- perl5 et apache2 ?
From: Mezig <nissuacfeneyrol-nospam@free.fr>
Date: Mon, 23 Aug 2004 19:17:14 +0200
Message-id: <[🔎] 412A269A.7030406@free.fr>
In-reply-to: <[🔎] I2W7LC$CA72CA7AB3672D904A4AECB8544C0FE6@tiscali.fr>
References: <[🔎] I2W7LC$CA72CA7AB3672D904A4AECB8544C0FE6@tiscali.fr>

ml-spam-delete@tiscali.fr wrote:

Bonjour,

lors d'un chkrootkit, je trouve ceci (à l'exception des 5/6
process LKM) dans les logs :

Searching for suspicious files and dirs, it may take a while.../usr/lib/perl5/Bundle/.arch-ids

/usr/lib/perl5/Apache/.arch-ids
/usr/lib/perl5/Apache2/.arch-ids
/usr/lib/perl5/Apache2/Apache/.arch-ids
/usr/lib/perl5/Apache2/Apache/PerlSections/.arch-ids
/usr/lib/perl5/Apache2/ModPerl/.arch-ids
/usr/lib/perl5/Apache2/APR/.arch-ids
/usr/lib/perl5/Apache2/Bundle/.arch-ids
/usr/lib/perl5/.arch-ids /usr/lib/electric/.cadrc
/usr/lib/perl5/Bundle/.arch-ids
/usr/lib/perl5/Apache/.arch-ids
/usr/lib/perl5/Apache2/.arch-ids
/usr/lib/perl5/Apache2/Apache/.arch-ids
/usr/lib/perl5/Apache2/Apache/PerlSections/.arch-ids
/usr/lib/perl5/Apache2/ModPerl/.arch-ids
/usr/lib/perl5/Apache2/APR/.arch-ids
/usr/lib/perl5/Apache2/Bundle/.arch-ids /usr/lib/perl5/.arch-ids

auparavant (avant de partir en vacances) je n'avais pas
cette partie de log (apache2 est ouvert constamment). dois
je m'inquiéter de cette indication ou est ce "normal" ? est
ce juste une indication de fichiers ou de directory
sensibles aux attaques? pourquoi cette indication soudaine?
J'ai fermé apache, pour le moment.

--
patrice (+je suis en sarge-)

Sarge, commence à être super... :)!
Sur ma testing, la commande chkrootkit, m'a donné :
(..)
Searching for suspicious files and dirs, it may take a while...

/usr/lib/opengroupware.org/.libFoundation/usr/lib/opengroupware.org/.bash_profile/usr/lib/opengroupware.org/Library/OpenGroupware.org/BaseUI.lso/LSWSkyrixFrame.wo/German.lproj/.cvsignore/usr/lib/opengroupware.org/Library/OpenGroupware.org/BaseUI.lso/LSWSkyrixFrame.wo/German_OOo.lproj/.cvsignore/usr/lib/opengroupware.org/Library/OpenGroupware.org/BaseUI.lso/SkyFavorites.wo/German.lproj/.cvsignore/usr/lib/opengroupware.org/Library/OpenGroupware.org/BaseUI.lso/SkyFavorites.wo/German_OOo.lproj/.cvsignore/usr/lib/opengroupware.org/Library/OpenGroupware.org/BaseUI.lso/SkyNavigation.wo/German.lproj/.cvsignore/usr/lib/opengroupware.org/Library/OpenGroupware.org/BaseUI.lso/SkyNavigation.wo/German_OOo.lproj/.cvsignore/usr/lib/opengroupware.org/Library/OpenGroupware.org/BaseUI.lso/SkyDock.wo/German.lproj/.cvsignore/usr/lib/opengroupware.org/Library/OpenGroupware.org/BaseUI.lso/SkyDock.wo/German_OOo.lproj/.cvsignore/usr/lib/opengroupware.org/Library/OpenGroupware.org/OGoWebMail.lso/LSWImapMails.wo/German.lproj/.cvsignore/usr/lib/opengroupware.org/Library/OpenGroupware.org/OGoWebMail.lso/LSWImapMailViewer.wo/German.lproj/.cvsignore/usr/lib/opengroupware.org/Library/OpenGroupware.org/OGoWebMail.lso/SkyImapMailList.wo/German.lproj/.cvsignore/usr/lib/opengroupware.org/Library/OpenGroupware.org/OGoWebMail.lso/SkyImapMailListHeader.wo/German.lproj/.cvsignore/usr/lib/opengroupware.org/Library/OpenGroupware.org/OGoMailInfo.lso/LSWImapDockView.wo/German_OOo.lproj/.cvsignore/usr/lib/opengroupware.org/Library/OpenGroupware.org/OGoMailInfo.lso/LSWImapDockView.wo/German.lproj/.cvsignore/usr/lib/opengroupware.org/Library/OpenGroupware.org/PreferencesUI.lso/SkyDisplayPreferences.wo/German.lproj/.cvsignore/usr/lib/opengroupware.org/Library/OpenGroupware.org/OGoProjectInfo.lso/SkyDockedProjects.wo/German.lproj/.cvsignore/usr/lib/opengroupware.org/Library/OpenGroupware.org/OGoProjectInfo.lso/SkyDockedProjects.wo/German_OOo.lproj/.cvsignore/usr/lib/opengroupware.org/Library/OpenGroupware.org/OGoSchedulerDock.lso/SkySchedulerDockView.wo/German_OOo.lproj/.cvsignore/usr/lib/opengroupware.org/Library/OpenGroupware.org/OGoSchedulerDock.lso/SkySchedulerDockView.wo/German.lproj/.cvsignore/usr/lib/mozilla/plugins/mozplayerxp/common/.deps/usr/lib/mozilla/plugins/mozplayerxp/plugin_v0.4_gtk_1.2/common/.deps/usr/lib/mozilla/plugins/mozplayerxp/plugin_v0.4_gtk_1.2/simple/.deps/usr/lib/mozilla/plugins/mozplayerxp/plugin_v0.4_gtk_1.2/simple/_xpidlgen/.done/usr/lib/mozilla/plugins/mozplayerxp/pluginv2gtk1.2/samples/common/.deps/usr/lib/mozilla/plugins/mozplayerxp/pluginv2gtk1.2/samples/simple/_xpidlgen/.done/usr/lib/mozilla/plugins/mozplayerxp/simple/.deps/usr/lib/mozilla/plugins/mozplayerxp/simple/_xpidlgen/.done/usr/lib/nessus/plugins/.desc/usr/lib/opengroupware.org/.libFoundation/usr/lib/mozilla/plugins/mozplayerxp/common/.deps/usr/lib/mozilla/plugins/mozplayerxp/plugin_v0.4_gtk_1.2/common/.deps/usr/lib/mozilla/plugins/mozplayerxp/plugin_v0.4_gtk_1.2/simple/.deps/usr/lib/mozilla/plugins/mozplayerxp/pluginv2gtk1.2/samples/common/.deps/usr/lib/mozilla/plugins/mozplayerxp/simple/.deps

Searching for LPD Worm files and dirs... nothing found
(...)
Checking `rexedcs'... not found
Checking `sniffer'... lo: PACKET SNIFFER(/sbin/dhclient[2332])
eth0: PACKET SNIFFER(/sbin/dhclient[2332], /usr/sbin/arpwatch[20449])
Checking `w55808'... not infected
(...)

Donc ce que suggérait la réponse précédente doit être vrai..., il nepeut lire ou reconnaître les répertoires, .xxx :( !

Si j'ai pu aider ?

Cordialement

Mi

Reply to:

References:
- chkrootkit: suspicious files and dirs -- perl5 et apache2 ?
  - From: "ml-spam-delete@tiscali.fr" <ml-spam-delete@tiscali.fr>

Prev by Date: Re: Exim et return-path
Next by Date: Re: commande pour lister les groupes
Previous by thread: Re: chkrootkit: suspicious files and dirs -- perl5 et apache2 ?
Next by thread: Quels paquets (dé)installer, alors :)?<Was: quels paquets installer...+- :)!
Index(es):
- Date
- Thread