Re: Interpreting output of tiger scripts (WAS:Re: Is my system compromised)
On Saturday 04 February 2006 05:35, Marc Shapiro wrote:
[snip]
A quick Google around "FUCK: Got signal 11 while manipulating kernel!" throws
up references to the SucKIT rootkit. The following is from a CERN
advisory. Maybe worth checking.
"Here is a simple recipe to detect the SucKIT rootkit, as it has been
found on CERN machines. It may miss some other types of installations
but it should produce no false positive.
Just run:
# ls -li /sbin/init /sbin/telinit
Here is the output on a normal machine:
304579 -rwxr-xr-x 1 root root 26920 Mar 14 2002 /sbin/init*
304587 lrwxrwxrwx 1 root root 4 Dec 2 13:18 /sbin/telinit -> init*
Here is the output on a compromised machine:
85133 -rwxr-xr-x 1 root root 25636 Mar 26 20:03 /sbin/init
85133 -rwxr-xr-x 1 root root 25636 Mar 26 20:03 /sbin/telinit
In the second case, telinit is a real file (not a symlink) and its time
is the time of the rootkit installation. Note also the incorrect
information: both files have the same inode number but a reference count
of one, this comes from the kernel module hiding the real information."
Apologies if this is a false alarm. However, what you've found so far doesn't
look good. You could also try going
sudo netstat -tupl | grep LISTEN | grep -v unix
and seeing whether anything is listening that you don't recognize.
:)
Fish
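The CERN recipe quoted above, written up as a repeatable shell check (an added example, not code from the advisory or from the original poster). The two sample listings are the ones printed in the advisory; the live wrapper assumes a system where both /sbin/init and /sbin/telinit exist.

```shell
#!/bin/sh
# Parses "ls -li /sbin/init /sbin/telinit" output and flags the two signs the
# advisory describes: /sbin/telinit being a regular file instead of a symlink,
# and two separate names on the same filesystem sharing an inode number while
# reporting a link count of 1 (a real hard-link pair would show at least 2;
# the advisory attributes the impossible value to a kernel module hiding the
# real metadata). Prints a verdict and returns 0 (ok), 1 (suspicious), 2 (error).

# Print "inode mode nlink" for the listing line naming path $2 in listing $1.
# Globbing is turned off while splitting because "ls -F" appends '*' to names.
ls_fields() {
    set -f
    set -- $(printf '%s\n' "$1" | grep " $2")
    set +f
    printf '%s %s %s\n' "$1" "$2" "$3"
}

check_telinit_listing() {
    listing=$1
    set -- $(ls_fields "$listing" /sbin/init)
    init_ino=$1; init_nlink=$3
    set -- $(ls_fields "$listing" /sbin/telinit)
    tel_ino=$1; tel_mode=$2; tel_nlink=$3
    if [ -z "$init_ino" ] || [ -z "$tel_mode" ]; then
        echo "error: listing lacks /sbin/init or /sbin/telinit" >&2
        return 2
    fi
    findings=""
    case $tel_mode in
        l*) ;;   # symlink, as on a normal system (to init, or systemctl under systemd)
        *)  findings="$findings telinit-not-symlink" ;;
    esac
    if [ "$init_ino" = "$tel_ino" ] && [ "$init_nlink" = 1 ] && [ "$tel_nlink" = 1 ]; then
        findings="$findings shared-inode-with-link-count-1"
    fi
    if [ -z "$findings" ]; then echo "ok"; return 0; fi
    echo "suspicious:$findings"
    return 1
}

# Run the check against the running system (assumes both paths exist).
check_telinit_live() {
    check_telinit_listing "$(ls -li /sbin/init /sbin/telinit 2>/dev/null)"
}

# Sample listings copied from the advisory text quoted above.
NORMAL_LISTING='304579 -rwxr-xr-x 1 root root 26920 Mar 14 2002 /sbin/init*
304587 lrwxrwxrwx 1 root root 4 Dec 2 13:18 /sbin/telinit -> init*'
COMPROMISED_LISTING='85133 -rwxr-xr-x 1 root root 25636 Mar 26 20:03 /sbin/init
85133 -rwxr-xr-x 1 root root 25636 Mar 26 20:03 /sbin/telinit'

if [ "${1-}" = --live ]; then check_telinit_live; fi
```

Invoke the script with `--live` to check the local machine; without arguments it only defines the functions and sample data.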