Re: Houston, I May Have a Problem (chkrootkit Results)

To: debian-user@lists.debian.org
Subject: Re: Houston, I May Have a Problem (chkrootkit Results)
From: Scarletdown <gsutton9503@wavecable.com>
Date: Sat, 28 Aug 2004 21:14:46 -0700
Message-id: <[🔎] 20040828211446.265f84e2.gsutton9503@wavecable.com>
In-reply-to: <[🔎] 20040829040800.GA29194@cox.net>
References: <[🔎] 20040828205619.0903236f.gsutton9503@wavecable.com> <[🔎] 20040829040800.GA29194@cox.net>

On Sat, 28 Aug 2004 21:08:00 -0700
"Stefan O'Rear" <stefanor@cox.net> wrote:

> On Sat, Aug 28, 2004 at 08:56:19PM -0700, Scarletdown wrote:
> > Since I have been having occasional problems getting verious packages
> > installed or uninstalled, I decided to do a chkrootkit.  The results
> > look rather disturbing.  Is there anyway short of starting from scratch
> > to fix the problems that showed up?  Here's the results...
> > 
> > ROOTDIR is `/'
> > Checking `ifconfig'... INFECTED
> > Checking `ls'... INFECTED
> > Checking `netstat'... INFECTED
> > Checking `ps'... INFECTED
> > Checking `pstree'... INFECTED
> > Checking `top'... INFECTED
> 
> > Checking `lkm'... You have     2 process hidden for ps command
> > Warning: Possible LKM Trojan installed
> 
> 1. It has been discussed that chkrootkit is very paranoid.
>    lkm, for instance, could think that threads are hidden processes.
> 
> 2. You may want to:
> 
> apt-get --reinstall install fileutils procps psmisc net-tools
> 
> That will install the Debian versions of the utilities chkrootkit
> complained about.

That failed.  Here's the output from the apt-get attempt...

Selecting previously deselected package fileutils.
(Reading database ... 101932 files and directories currently installed.)
Unpacking fileutils (from .../fileutils_5.2.1-2_all.deb) ...
Preparing to replace net-tools 1.60-8 (using .../net-tools_1.60-10_i386.deb) ...
Unpacking replacement net-tools ...
dpkg: error processing /var/cache/apt/archives/net-tools_1.60-10_i386.deb (--unpack):
 unable to create `./usr/sbin/arp': Permission denied
dpkg-deb: subprocess paste killed by signal (Broken pipe)
Preparing to replace procps 1:3.1.14-1 (using .../procps_1%3a3.2.3-1_i386.deb) ...
Unpacking replacement procps ...
dpkg: error processing /var/cache/apt/archives/procps_1%3a3.2.3-1_i386.deb (--unpack):
 unable to create `./sbin/sysctl': Permission denied
dpkg-deb: subprocess paste killed by signal (Broken pipe)
Setting kernel variables..
Preparing to replace psmisc 21.3-1 (using .../psmisc_21.5-1_i386.deb) ...
Unpacking replacement psmisc ...
dpkg: error processing /var/cache/apt/archives/psmisc_21.5-1_i386.deb (--unpack):
 unable to create `./bin/fuser': Permission denied
dpkg-deb: subprocess paste killed by signal (Broken pipe)
Errors were encountered while processing:
 /var/cache/apt/archives/net-tools_1.60-10_i386.deb
 /var/cache/apt/archives/procps_1%3a3.2.3-1_i386.deb
 /var/cache/apt/archives/psmisc_21.5-1_i386.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

Reply to:

Follow-Ups:
- Re: Houston, I May Have a Problem (chkrootkit Results)
  - From: Stefan O'Rear <stefanor@cox.net>

References:
- Houston, I May Have a Problem (chkrootkit Results)
  - From: Scarletdown <gsutton9503@wavecable.com>
- Re: Houston, I May Have a Problem (chkrootkit Results)
  - From: Stefan O'Rear <stefanor@cox.net>

Prev by Date: Re: Houston, I May Have a Problem (chkrootkit Results)
Next by Date: Re: (no subject)
Previous by thread: Re: Houston, I May Have a Problem (chkrootkit Results)
Next by thread: Re: Houston, I May Have a Problem (chkrootkit Results)
Index(es):
- Date
- Thread