This morning's cron run of aide and chkrootkit turned up some things I don't understand. Here's a sample:

AIDE produced no errors. Output of the daily AIDE run (165 lines):

File /lib/modules/2.6.16-lapdog/kernel/sound/core/snd-pcm.ko in databases
+has different attributes, 16317,4029
<snip>

Something is definitely wrong:

root@/lib/modules/2.6.16-lapdog/kernel/sound/core# ls -l snd.ko
?rwsrwsrwt 65535 4294967295 4294967295 4294967295 1969-12-31 18:59 snd.ko

(On another laptop, the corresponding file looks like this:

# ls -l snd.ko
-rw-r--r-- 1 root root 56329 2006-10-01 12:07 snd.ko)

Chkrootkit also reports some nearby strangenesses:

/etc/cron.daily/chkrootkit:
/usr/bin/find: /lib/modules/2.6.16-lapdog/kernel/sound/pci: Not a directory
<snip>

The contents of that directory (and others) are listed as having been removed, e.g.

removed:/lib/modules/2.6.16-lapdog/kernel/sound/pci/snd-intel8x0.ko

The new "Not a directory" pci looks suspicious in the same way:

root@/lib/modules/2.6.16-lapdog/kernel/sound# ls -l pci
?rwsrwsrwt 65535 4294967295 4294967295 4294967295 1969-12-31 18:59 pci

All such new "weird" files resist being deleted by rm -f, and chmod -t won't remove the sticky bit, with this explanation:

chmod: changing permissions of `snd.ko': Operation not permitted

Lastly, rm -d on the "Not a directory" returns a curious message:

root@/lib/modules/2.6.16-lapdog/kernel/sound# rm -d pci
rm: remove write-protected weird file `pci'? yes
rm: cannot remove `pci':Operation not permitted

I don't know whether it's related, but chkrootkit also finds a new suspicious file:

/etc/cron.daily/chkrootkit:
The following suspicious files and directories were found:
<snip>
/lib/init/rw/.ramfs

I'm at a loss as to what to make of all this. Ideas/directions gratefully accepted.
-- 
JohnRChamplin@columbus.rr.com
====================================================
PGP key 1024D/99421A63 2005-01-05
EE51 79E9 F244 D734 A012 1CEC 7813 9FE9 9942 1A63
gpg --keyserver subkeys.pgp.net --recv-keys 99421A63
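As an added triage example (my own code, not something from the post or from the aide/chkrootkit projects), a small Python script that flags the impossible stat values shown above: a file type of `?`, uid/gid 4294967295 (which is (uid_t)-1), an mtime at the Unix epoch, and setuid, setgid, sticky and all rwx bits set at once. It checks either a pasted `ls -l` line or a live path via lstat(); function names and the all-ones heuristics are my assumptions, and values like these point to inode metadata the kernel could not read cleanly, so a filesystem check belongs on the list alongside the rootkit hunt.

```python
import os
import stat

UID_NONE = 0xFFFFFFFF  # (uid_t)-1: what ls prints for an all-ones uid/gid
EPOCH_DATES = ("1969-12-31", "1970-01-01")  # how mtime 0 renders, by timezone
SANE_TYPES = (stat.S_IFREG, stat.S_IFDIR, stat.S_IFLNK, stat.S_IFCHR,
              stat.S_IFBLK, stat.S_IFIFO, stat.S_IFSOCK)

def anomalies_from_ls_line(line):
    """Flag impossible values in one `ls -l` line (assumes the usual 8 fields)."""
    fields = line.split(None, 7)
    if len(fields) < 8:
        return ["unparseable ls line"]
    mode, _nlink, uid, gid, _size, date, _clock, _name = fields
    found = []
    if mode[0] == "?":
        found.append("unknown file type")
    if str(UID_NONE) in (uid, gid):
        found.append("uid/gid is (uid_t)-1")
    if date in EPOCH_DATES:
        found.append("mtime is the Unix epoch")
    if mode[1:] == "rwsrwsrwt":
        found.append("setuid, setgid, sticky and all rwx bits set")
    return found

def anomalies_from_path(path):
    """Same checks on a live entry via lstat(), which does not follow symlinks."""
    try:
        st = os.lstat(path)
    except OSError as e:
        return ["lstat failed: %s" % e.strerror]
    found = []
    if stat.S_IFMT(st.st_mode) not in SANE_TYPES:
        found.append("unknown file type")
    if UID_NONE in (st.st_uid, st.st_gid):
        found.append("uid/gid is (uid_t)-1")
    if int(st.st_mtime) == 0:
        found.append("mtime is the Unix epoch")
    if stat.S_IMODE(st.st_mode) == 0o7777:
        found.append("setuid, setgid, sticky and all rwx bits set")
    return found

def scan_tree(root):
    """Return {path: anomalies} for every entry under root that looks corrupt."""
    hits = {}
    for d, ds, fs in os.walk(root):  # os.walk swallows per-directory errors
        for n in ds + fs:
            p = os.path.join(d, n)
            if (a := anomalies_from_path(p)):
                hits[p] = a
    return hits
```

Run scan_tree("/lib/modules") as root to list every entry whose metadata looks like the snd.ko and pci lines above, then compare that list against the AIDE "removed" and "different attributes" entries.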