
Re: rkhunter error report

Adam Hardy wrote:
Paul Cartwright on 27/08/08 02:09, wrote:
Adam Hardy wrote:
What about chkrootkit? No warnings?
/etc/cron.daily/chkrootkit: The following suspicious files and directories were found:
/usr/lib/jvm/.java-gcj.jinfo
/usr/lib/jvm/.java-1.5.0-sun.jinfo
/usr/lib/jvm/java-1.5.0-sun-1.5.0.16/.systemPrefs
/usr/lib/icedove/.autoreg
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/VMware/VmdbPerl/.exists
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/VMware/HConfig/.exists
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/VMware/VmPerl/.exists
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/Authen/PAM/.packlist
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/MIME/Base64/.packlist
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/URI/.packlist
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/XML/Parser/.packlist
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/XML/DOM/.packlist
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/VMware/.exists
/usr/lib/xulrunner-1.9/.autoreg
/usr/lib/iceweasel/.autoreg
/usr/lib/epiphany-gecko/2.22/extensions/.pyversion
/lib/init/rw/.ramfs

eth0: PACKET SNIFFER(/sbin/dhclient3[2740], /usr/sbin/ntop[4196])

How about running ntop and checking what your system is doing - are any ports open that shouldn't be?

Hi Paul,

I'm not a professional security expert but I can tell you what I learnt about Linux security. Unless you set up your machine with rock-solid security from the first minute, unless you minimise the number of ports you leave open, unless you have strong passwords, unless you monitor the state of your box regularly, and unless a lot of other things too which you can easily find all over Linux and Debian security websites, you will always be paranoid that your machine might be rooted. In fact, even if you do that stuff, I guess you can still be paranoid. Go to www.rootkit.com and check out what these fiendish hackers and crackers are up to - it's quite worrying.

So really from the evidence you've given, no-one can really say whether or not your machine is rooted. If you've noticed strange goings-on, you have reason to be worried, so reformat and re-install.

Healthy paranoia is always good but you don't want to be jumping at shadows every time you run chkrootkit or something. The 'PACKET SNIFFER' warning looks normal - you're running both dhclient and ntop, which both behave like packet sniffers (i.e. they have to look at every packet that comes across the interface, I think). Assuming you expected to have these programs running then that should be fine.

Most of the other lines look like it's reporting on hidden files which aren't in areas of the filesystem where you'd normally expect them (such as /home/*, /tmp etc.). However, again you just need to check that these files are expected to be created by the relevant applications (looks like possibly VMware Perl API, xulrunner and epiphany or some of their components). But as Adam said above, if you're still not comfortable with the system after checking this then you should wipe and reinstall.
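The triage described in the two replies above (check that each hidden file belongs to a known application, and that each process in the PACKET SNIFFER line is one you expect to be on the interface) can be done mechanically on the cron mail. The following script is an added example and not part of the thread or of chkrootkit itself; the sample report is constructed from the output quoted above, and the allowlists (`EXPECTED_SNIFFERS`, `KNOWN_BENIGN_NAMES`, `HIGH_RISK_PREFIXES`) are assumptions an admin would maintain for their own host. Hidden files under /tmp, /dev or home directories are ranked above those under /usr/lib, and for the rest it emits the `dpkg -S` commands that confirm which package shipped the file.

```python
"""Parse a chkrootkit cron report and rank its findings for manual review.
Added example; not code from the thread or from chkrootkit."""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the report quoted in the thread. The first
# line deliberately runs two paths onto the marker line, as mail wrapping does.
SAMPLE_REPORT = """\
/etc/cron.daily/chkrootkit: The following suspicious files and directories were found: /usr/lib/jvm/.java-gcj.jinfo /usr/lib/jvm/.java-1.5.0-sun.jinfo
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/URI/.packlist
/usr/lib/iceweasel/.autoreg
/lib/init/rw/.ramfs

eth0: PACKET SNIFFER(/sbin/dhclient3[2740], /usr/sbin/ntop[4196])
"""

# Assumption: processes the admin expects to open the interface in raw mode.
EXPECTED_SNIFFERS = {"/sbin/dhclient3", "/usr/sbin/ntop"}

# Assumption: hidden files here are rarely package artifacts and rank highest.
HIGH_RISK_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/", "/home/", "/root/", "/var/run/")

# Assumption: dotfile names the thread attributes to normal application
# bookkeeping (Perl .packlist/.exists, Mozilla .autoreg, JVM .jinfo, etc.).
KNOWN_BENIGN_NAMES = {".packlist", ".exists", ".autoreg", ".pyversion", ".systemPrefs"}

FILE_LIST_MARKER = "suspicious files and directories were found:"
SNIFFER_RE = re.compile(r"^(?P<iface>\S+): PACKET SNIFFER\((?P<procs>.*)\)$")
PROC_RE = re.compile(r"(?P<path>\S+)\[(?P<pid>\d+)\]")


@dataclass
class Report:
    hidden_files: list = field(default_factory=list)  # (path, verdict)
    sniffers: list = field(default_factory=list)      # (iface, path, pid, verdict)


def classify_hidden(path: str) -> str:
    """'high' for hidden files in user/temp areas, 'known-benign-name' for
    names on the allowlist, otherwise 'review' (confirm with dpkg -S)."""
    if path.startswith(HIGH_RISK_PREFIXES):
        return "high"
    name = path.rsplit("/", 1)[-1]
    if name in KNOWN_BENIGN_NAMES or name.endswith(".jinfo"):
        return "known-benign-name"
    return "review"


def parse_report(text: str) -> Report:
    """Split the report into hidden-file findings and sniffer findings."""
    report = Report()
    in_file_list = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_file_list = False          # a blank line ends the file list
            continue
        m = SNIFFER_RE.match(line)
        if m:
            for p in PROC_RE.finditer(m.group("procs")):
                verdict = "expected" if p.group("path") in EXPECTED_SNIFFERS else "unexpected"
                report.sniffers.append((m.group("iface"), p.group("path"),
                                        int(p.group("pid")), verdict))
            continue
        if FILE_LIST_MARKER in line:
            in_file_list = True
            paths = line.split(FILE_LIST_MARKER, 1)[1].split()
        elif in_file_list:
            paths = line.split()          # mail wrapping may join several paths
        else:
            continue
        for path in paths:
            report.hidden_files.append((path, classify_hidden(path)))
    return report


def dpkg_query_commands(report: Report) -> list:
    """Commands that ask dpkg which package owns each non-high-risk path."""
    return ["dpkg -S " + path for path, v in report.hidden_files if v != "high"]


if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    for path, verdict in sorted(r.hidden_files, key=lambda t: t[1] != "high"):
        print(f"{verdict:18} {path}")
    for iface, path, pid, verdict in r.sniffers:
        print(f"{verdict:18} {iface} {path}[{pid}]")
    print("\n".join(dpkg_query_commands(r)))
```

Anything that `dpkg -S` reports as belonging to no package, or any sniffer the script marks `unexpected`, is what actually needs a closer look; everything else is the kind of noise the replies above describe.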