
Re: rkhunter error report



Paul Cartwright on 27/08/08 02:09, wrote:
Adam Hardy wrote:
What about chkrootkit? No warnings?
/etc/cron.daily/chkrootkit: The following suspicious files and directories were found:
/usr/lib/jvm/.java-gcj.jinfo
/usr/lib/jvm/.java-1.5.0-sun.jinfo
/usr/lib/jvm/java-1.5.0-sun-1.5.0.16/.systemPrefs
/usr/lib/icedove/.autoreg
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/VMware/VmdbPerl/.exists
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/VMware/HConfig/.exists
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/VMware/VmPerl/.exists
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/Authen/PAM/.packlist
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/MIME/Base64/.packlist
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/URI/.packlist
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/XML/Parser/.packlist
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/XML/DOM/.packlist
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/VMware/.exists
/usr/lib/xulrunner-1.9/.autoreg
/usr/lib/iceweasel/.autoreg
/usr/lib/epiphany-gecko/2.22/extensions/.pyversion
/lib/init/rw/.ramfs

eth0: PACKET SNIFFER(/sbin/dhclient3[2740], /usr/sbin/ntop[4196])

How about running ntop and checking what your system is doing - are any ports
open that shouldn't be?



Hi Paul,

I'm not a professional security expert but I can tell you what I learnt about Linux security. Unless you set up your machine with rock-solid security from the first minute, unless you minimise the number of ports you leave open, unless you have strong passwords, unless you monitor the state of your box regularly, and unless a lot of other things too which you can easily find all over Linux and Debian security websites, you will always be paranoid that your machine might be rooted. In fact, even if you do that stuff, I guess you can still be paranoid. Go to www.rootkit.com and check out what these fiendish hackers and crackers are up to - it's quite worrying.

So really from the evidence you've given, no-one can really say whether or not your machine is rooted. If you've noticed strange goings-on, you have reason to be worried, so reformat and re-install.


# ps -ef|grep ntop
ntop      4196     1  0 Aug13 ?        00:09:50 /usr/sbin/ntop -d -L -u ntop -P /var/lib/ntop --access-log-file /var/log/ntop/access.log -i eth0 -p /etc/ntop/protocol.list -O /var/log/ntop


:/var/log/ntop# ls -ltr
total 0
-rw-rw-rw- 1 ntop root 0 2008-07-30 11:49 access.log
paulandcilla:/var/log/ntop#

That logging from ntop showed that the port it wanted was already bound - like your ps output shows, ntop is probably running already. If it is, try surfing to your machine with http://yourmachine.com:3000/ which should bring up the HTML client for ntop showing you all the stats.



Regards
Adam
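The two checks suggested in this thread (is anything listening that shouldn't be, and is ntop's port 3000 already bound) plus the condition behind chkrootkit's "PACKET SNIFFER" line (an interface in promiscuous mode, used by tools like ntop) can be scripted without ntop at all. The POSIX sh script below is an added example written for this page, not something from the thread or from the chkrootkit or ntop projects. It reads the kernel's /proc/net/tcp table (hex local address, state 0A means LISTEN) and the IFF_PROMISC bit (0x100) in /sys/class/net/<iface>/flags; the /proc/net/tcp snapshot it writes for testing is constructed, not captured from any real host, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: enumerate listening TCP ports and promiscuous interfaces
# using only /proc and /sys, so it works even when ss/netstat are absent
# or suspected of being trojaned.

# Write a constructed /proc/net/tcp snapshot to $1 (sample data, not real).
# Columns: sl local_address rem_address st ...; ports are hex, 0A = LISTEN.
write_sample_tcp() {
    cat > "$1" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0BB8 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A000002:8A1C 5E21A3B6:0050 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
EOF
}

# Print, one per line, the decimal port of every LISTEN socket in the
# /proc/net/tcp-formatted file $1 (0BB8 hex -> 3000, 0277 hex -> 631).
listening_ports() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "$1" |
    while read -r hexport; do
        echo $((0x$hexport))
    done
}

# Exit 0 if decimal port $1 is in LISTEN state according to file $2.
port_is_listening() {
    listening_ports "$2" | grep -qx "$1"
}

# Print the name of every interface under sysfs dir $1 whose flags have
# IFF_PROMISC (0x100) set; this is what a packet sniffer usually enables.
promisc_ifaces() {
    for f in "$1"/*/flags; do
        [ -r "$f" ] || continue
        flags=$(cat "$f")
        if [ $(( $flags & 0x100 )) -ne 0 ]; then
            basename "$(dirname "$f")"
        fi
    done
}

# Report on the live host when run directly; each check is skipped if the
# kernel interface it needs is not available.
main() {
    if [ -r /proc/net/tcp ]; then
        echo "Listening TCP ports (IPv4):"
        listening_ports /proc/net/tcp | sort -n | uniq
        if port_is_listening 3000 /proc/net/tcp; then
            echo "port 3000 is bound: ntop's web interface is probably already up"
        fi
    fi
    echo "Interfaces in promiscuous mode:"
    promisc_ifaces /sys/class/net
}

main
```

Compare the listening ports against the services you know you installed; anything unexpected deserves a look at which process owns the socket (the inode column of /proc/net/tcp maps to /proc/<pid>/fd). IPv6 listeners live in /proc/net/tcp6 and can be fed to the same functions. A promiscuous interface is not proof of compromise: as the thread shows, ntop and dhclient legitimately open packet sockets on eth0.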

