
Re: Houston, I May Have a Problem (chkrootkit Results)



In this case, I would recommend starting from scratch. Save what personal
data you need (avoiding binaries where possible) and reinstall. Afterwards,
set up firewall, IDS (both host-based and network), portscan detector, log
watcher etc.

I wouldn't try to "recover" this installation, I would definitely rebuild
from scratch, doing your build and securing from behind a firewall.

--Brad
========================================================================
Bradley M. Alexander                       |
IA Analyst, SysAdmin, Security Engineer    |   storm [at] tux.org
Debian/GNU Linux Developer                 |   storm [at] debian.org
========================================================================
Key fingerprints:
DSA 0x54434E65: 37F6 BCA6 621D 920C E02E  E3C8 73B2 C019 5443 4E65
RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A  C8 9C F0 93 75 A0 01 34
========================================================================
Law #5: Weak passwords trump strong security.


On Sat, Aug 28, 2004 at 08:56:19PM -0700, Scarletdown wrote:
> Since I have been having occasional problems getting various packages
> installed or uninstalled, I decided to do a chkrootkit.  The results
> look rather disturbing.  Is there any way short of starting from scratch
> to fix the problems that showed up?  Here are the results...
> 
> ROOTDIR is `/'
> Checking `amd'... not found
> Checking `basename'... not infected
> Checking `biff'... not found
> Checking `chfn'... not infected
> Checking `chsh'... not infected
> Checking `cron'... not infected
> Checking `date'... not infected
> Checking `du'... not infected
> Checking `dirname'... not infected
> Checking `echo'... not infected
> Checking `egrep'... not infected
> Checking `env'... not infected
> Checking `find'... not infected
> Checking `fingerd'... not found
> Checking `gpm'... not found
> Checking `grep'... not infected
> Checking `hdparm'... not infected
> Checking `su'... not infected
> Checking `ifconfig'... INFECTED
> Checking `inetd'... not infected
> Checking `inetdconf'... not infected
> Checking `identd'... not found
> Checking `init'... not infected
> Checking `killall'... not infected
> Checking `ldsopreload'... not infected
> Checking `login'... not infected
> Checking `ls'... INFECTED
> Checking `lsof'... not infected
> Checking `mail'... not found
> Checking `mingetty'... not found
> Checking `netstat'... INFECTED
> Checking `named'... not found
> Checking `passwd'... not infected
> Checking `pidof'... not infected
> Checking `pop2'... not found
> Checking `pop3'... not found
> Checking `ps'... INFECTED
> Checking `pstree'... INFECTED
> Checking `rpcinfo'... not infected
> Checking `rlogind'... not found
> Checking `rshd'... not found
> Checking `slogin'... not infected
> Checking `sendmail'... not infected
> Checking `sshd'... not infected
> Checking `syslogd'... not infected
> Checking `tar'... not infected
> Checking `tcpd'... not infected
> Checking `tcpdump'... not infected
> Checking `top'... INFECTED
> Checking `telnetd'... not found
> Checking `timed'... not found
> Checking `traceroute'... not infected
> Checking `vdir'... not infected
> Checking `w'... not infected
> Checking `write'... not infected
> Checking `aliens'...
> /dev/ttyop /dev/ttyoa
> Searching for sniffer's logs, it may take a while... nothing found
> Searching for HiDrootkit's default dir... nothing found
> Searching for t0rn's default files and dirs... nothing found
> Searching for t0rn's v8 defaults... Possible t0rn v8 \(or variation\)
> rootkit installed
> Searching for Lion Worm default files and dirs... nothing found
> Searching for RSHA's default files and dir... nothing found
> Searching for RH-Sharpe's default files... nothing found
> Searching for Ambient's rootkit (ark) default files and dirs... nothing
> found
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/j2se/1.3/bin/.java_wrapper
> /usr/lib/j2se/1.3/jre/bin/.java_wrapper
> /usr/lib/transgaming_cedega/.transgaming
> /usr/lib/transgaming_cedega/.transgaming
> Searching for LPD Worm files and dirs... nothing found
> Searching for Ramen Worm files and dirs... nothing found
> Searching for Maniac files and dirs... nothing found
> Searching for RK17 files and dirs... nothing found
> Searching for Ducoci rootkit... nothing found
> Searching for Adore Worm... nothing found
> Searching for ShitC Worm... nothing found
> Searching for Omega Worm... nothing found
> Searching for Sadmind/IIS Worm... nothing found
> Searching for MonKit... nothing found
> Searching for Showtee... Warning: Possible Showtee Rootkit installed
> Searching for OpticKit... nothing found
> Searching for T.R.K... nothing found
> Searching for Mithra... nothing found
> Searching for OBSD rk v1... nothing found
> Searching for LOC rootkit ... nothing found
> Searching for Romanian rootkit ...  /usr/include/file.h
> /usr/include/proc.h
> Searching for Suckit rootkit ... nothing found
> Searching for Volc rootkit ... nothing found
> Searching for Gold2 rootkit ... nothing found
> Searching for TC2 Worm default files and dirs... nothing found
> Searching for Anonoying rootkit default files and dirs... nothing found
> Searching for ZK rootkit default files and dirs... nothing found
> Searching for ShKit rootkit default files and dirs... nothing found
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... not infected
> Checking `lkm'... You have     2 process hidden for ps command
> Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... Checking `w55808'... not infected
> Checking `wted'... nothing deleted
> Checking `scalper'... not infected
> Checking `slapper'... not infected
> Checking `z2'... nothing deleted
> 
> 
> 
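As an added example (not code from this thread or from chkrootkit itself), a small Python triage of chkrootkit output like the one quoted above: it pulls out the INFECTED binaries, the rootkit signature hits, the paths a check printed and the hidden-process count from the lkm check, then applies the rule the reply gives, that any of these calls for a rebuild rather than a clean-up. The sample output is a constructed subset of the post, and the regexes are assumptions about the line format of this chkrootkit version.

```python
import re

# Constructed sample: a subset of the chkrootkit output quoted in the thread.
SAMPLE_OUTPUT = """\
Checking `ifconfig'... INFECTED
Checking `ls'... INFECTED
Checking `netstat'... INFECTED
Checking `ps'... INFECTED
Checking `aliens'...
/dev/ttyop /dev/ttyoa
Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit installed
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Searching for Romanian rootkit ...  /usr/include/file.h
/usr/include/proc.h
Checking `lkm'... You have     2 process hidden for ps command
Warning: Possible LKM Trojan installed
"""

# Assumed line shapes: "Checking `ls'... INFECTED", "Searching for X... <verdict>"
CHECK_RE = re.compile(r"^(?:Checking|Searching for) (.+?)\.{3}\s*(.*)$")
HIDDEN_RE = re.compile(r"You have\s+(\d+) process hidden for (\w+) command")

def triage(output: str) -> dict:
    """Sort chkrootkit lines into INFECTED binaries, rootkit signature hits,
    hidden-process counts from the lkm check, and paths a check printed."""
    report = {"infected": [], "signatures": [], "hidden": {}, "paths": []}
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHECK_RE.match(line)
        if m:
            name, verdict = m.group(1).strip(" `'"), m.group(2)
            if verdict == "INFECTED":
                report["infected"].append(name)
            elif "Possible" in verdict:
                report["signatures"].append(name)
            h = HIDDEN_RE.search(verdict)
            if h:
                report["hidden"][h.group(2)] = int(h.group(1))
            line = verdict  # some checks print their hits after the dots
        elif line.startswith("Warning:"):
            report["signatures"].append(line)
            continue
        # Bare paths (aliens, suspicious files) follow the check that found them.
        report["paths"].extend(t for t in line.split() if t.startswith("/"))
    return report

def needs_rebuild(report: dict) -> bool:
    """Modified binaries, a rootkit signature or hidden processes: the host can
    no longer be trusted to report on itself, so rebuild, as the reply advises."""
    return bool(report["infected"] or report["signatures"] or report["hidden"])
```

Run it against a saved `chkrootkit` log and treat a True result as "save data, reinstall, then harden", not as a list of files to repair in place.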