Hello.
> #chkrootkit -q
>
> Warning: Possible Showtee Rootkit installed
>
>
> True or False or some package(false positive)!?
I guess it’s the latter. You can see which files are being checked for this test
in the chkrootkit script:
> if [ -d ${ROOTDIR}usr/lib/.egcs ] || [ -f ${ROOTDIR}usr/lib/libfl.so ] || \
> [ -d ${ROOTDIR}usr/lib/.kinetic ] || [ -d ${ROOTDIR}usr/lib/.wormie ] || \
> [ -f ${ROOTDIR}usr/lib/liblog.o ] || [ -f ${ROOTDIR}usr/include/addr.h ] || \
> [ -f ${ROOTDIR}usr/include/cron.h ] || [ -f ${ROOTDIR}usr/include/file.h ] || \
> [ -f ${ROOTDIR}usr/include/proc.h ] || [ -f ${ROOTDIR}usr/include/syslogs.h ] || \
> [ -f ${ROOTDIR}usr/include/chk.h ]; then
> echo "Warning: Possible Showtee Rootkit installed"
The /usr/lib/libfl.so comes from the flex package on my system, so if it exists
it doesn’t necessarily mean that there’s something wrong. (None of the other
files exist here.)
Regards, Mathias
--
debian/rules
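
The check described in this reply, as an added example that is not part of the original message or of chkrootkit: it lists which of the quoted Showtee indicator paths actually exist and asks the dpkg database which package, if any, ships each one. The function names, the `d:`/`f:` encoding and the script name are assumptions made for this example.

```shell
#!/bin/sh
# Added example: triage a chkrootkit "Possible Showtee Rootkit" warning.
# Indicator list copied from the chkrootkit test quoted above
# (d: = directory test, f: = regular-file test, as in the original).
SHOWTEE_INDICATORS="d:usr/lib/.egcs f:usr/lib/libfl.so d:usr/lib/.kinetic
d:usr/lib/.wormie f:usr/lib/liblog.o f:usr/include/addr.h
f:usr/include/cron.h f:usr/include/file.h f:usr/include/proc.h
f:usr/include/syslogs.h f:usr/include/chk.h"

# showtee_hits ROOT: print each indicator path (relative to ROOT) that exists.
# ROOT must end in "/", matching chkrootkit's ${ROOTDIR} convention.
showtee_hits() {
    root=$1
    for entry in $SHOWTEE_INDICATORS; do
        kind=${entry%%:*}
        rel=${entry#*:}
        if [ "$kind" = d ] && [ -d "$root$rel" ]; then echo "$rel"; fi
        if [ "$kind" = f ] && [ -f "$root$rel" ]; then echo "$rel"; fi
    done
}

# owner_of ROOT REL: name the package that ships /REL according to the dpkg
# database under ROOT, "UNOWNED" if none does, "UNKNOWN" without dpkg-query.
owner_of() {
    command -v dpkg-query >/dev/null 2>&1 || { echo UNKNOWN; return 0; }
    pkg=$(dpkg-query --admindir="$1var/lib/dpkg" -S "/$2" 2>/dev/null |
          sed -n '1s/: .*//p')
    echo "${pkg:-UNOWNED}"
}

# showtee_triage ROOT: one "path<TAB>owner" line per indicator that fired.
showtee_triage() {
    showtee_hits "$1" | while read -r rel; do
        printf '%s\t%s\n' "$rel" "$(owner_of "$1" "$rel")"
    done
}

# Run as: sh showtee-triage.sh /   (script name is hypothetical)
if [ $# -gt 0 ]; then showtee_triage "$1"; fi
```

A package owner explains why a path exists but does not show that the file is unmodified; `dpkg --verify flex` compares the installed files against the checksums recorded for the package.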