understanding chkrootkit and rkhunter logs

Hi,

I'm sorry for asking a totally newbie question but I haven't found an answer to this. I'm really curious and concerned about what is reported by the chkrootkit and rkhunter on my Debian Etch home server.

Here's what I get when I run them:

CHKROOTKIT:

Searching for suspicious files and dirs, it may take a while...
/usr/lib/xulrunner/.autoreg
/lib/init/rw/.ramfs

Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/sbin/dhclient[2181])

In the system mail I also get this:

/etc/cron.daily/chkrootkit:
The following suspicious files and directories were found:
/usr/lib/xulrunner/.autoreg
/lib/init/rw/.ramfs

eth0: PACKET SNIFFER(/sbin/dhclient[2136])

RKHUNTER reports this:

* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ Warning! ]
---------------
/etc/.pwd.lock
/dev/.static
/dev/.udev
/dev/.initramfs
/dev/.initramfs-tools
---------------
Please inspect: /dev/.static (directory) /dev/.udev (directory) /dev/.initramfs (directory)

Is this something to be worried about? How can I investigate further into these two issues?

Thanks,
Ale.
Re: understanding chkrootkit and rkhunter logs

Hi Ale,

> eth0: PACKET SNIFFER(/sbin/dhclient[2181])

You don't need to worry about this if you're really obtaining your IP address via DHCP on eth0. dhclient really acts as a packet sniffer (it listens in promisc mode) but that's normal.

The other files/directories seem to be OK as well (at least I have them on Debian too :)) but you can still google a bit about that if you feel worried.

Cheers,
Bence
Re: understanding chkrootkit and rkhunter logs

On Tuesday 08 May 2007 11:56, acattelan@... wrote:

> Hi,
> I'm sorry for asking a totally newbie question but I haven't found an
> answer to this. I'm really curious and concerned about what is reported by
> the chkrootkit and rkhunter on my Debian Etch home server.
>
> Here's what I get when I run them:
>
> CHKROOTKIT:
>
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/xulrunner/.autoreg
> /lib/init/rw/.ramfs
>
> Checking `sniffer'... lo: not promisc and no packet sniffer sockets
> eth0: PACKET SNIFFER(/sbin/dhclient[2181])
>
> In the system mail I also get this:
>
> /etc/cron.daily/chkrootkit:
> The following suspicious files and directories were found:
> /usr/lib/xulrunner/.autoreg
> /lib/init/rw/.ramfs
>
> eth0: PACKET SNIFFER(/sbin/dhclient[2136])
>
> RKHUNTER reports this:
>
> * Filesystem checks
> Checking /dev for suspicious files... [ OK ]
> Scanning for hidden files... [ Warning! ]
> ---------------
> /etc/.pwd.lock
> /dev/.static
> /dev/.udev
> /dev/.initramfs
> /dev/.initramfs-tools
> ---------------
> Please inspect: /dev/.static (directory) /dev/.udev (directory)
> /dev/.initramfs (directory)
>
> Is this something to be worried about? How can I investigate further into
> these two issues?

want to investigate more search for your initramfs scripts and take a closer look at it. The same is for /dev/.udev

Maybe you should take a closer look on the other files and see what's inside of them - but I guess they will be fine too:

/etc/.pwd.lock
/dev/.static
/usr/lib/xulrunner/.autoreg
/lib/init/rw/.ramfs

Best regards,
Juergen

>
> Thanks,
> Ale.

--
Jürgen Repolusk
+43 650 5661250
http://jvr.at/serendipity/
Re: understanding chkrootkit and rkhunter logs

About /lib/init/rw/.ramfs: I also suffer from daily false-positive mails.
Seems like it's a bad behavior which should be fixed...

http://stereo.lu/chkrootkit-finds-libinitrwramfs-on-debian-etch
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=403863

- Oren

> Hi,
> I'm sorry for asking a totally newbie question but I haven't found an
> answer to this. I'm really curious and concerned about what is reported by
> the chkrootkit and rkhunter on my Debian Etch home server.
>
> Here's what I get when I run them:
>
> CHKROOTKIT:
>
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/xulrunner/.autoreg
> /lib/init/rw/.ramfs
>
> Checking `sniffer'... lo: not promisc and no packet sniffer sockets
> eth0: PACKET SNIFFER(/sbin/dhclient[2181])
>
> In the system mail I also get this:
>
> /etc/cron.daily/chkrootkit:
> The following suspicious files and directories were found:
> /usr/lib/xulrunner/.autoreg
> /lib/init/rw/.ramfs
>
> eth0: PACKET SNIFFER(/sbin/dhclient[2136])
>
> RKHUNTER reports this:
>
> * Filesystem checks
> Checking /dev for suspicious files... [ OK ]
> Scanning for hidden files... [ Warning! ]
> ---------------
> /etc/.pwd.lock
> /dev/.static
> /dev/.udev
> /dev/.initramfs
> /dev/.initramfs-tools
> ---------------
> Please inspect: /dev/.static (directory) /dev/.udev (directory)
> /dev/.initramfs (directory)
>
> Is this something to be worried about? How can I investigate further into
> these two issues?
>
> Thanks,
> Ale.
Re: understanding chkrootkit and rkhunter logs

On Tuesday 08 May 2007, acattelan@... wrote:

> Hi,
> I'm sorry for asking a totally newbie question but I haven't found an
> answer to this. I'm really curious and concerned about what is reported
> by the chkrootkit and rkhunter on my Debian Etch home server.
>
> Here's what I get when I run them:
>
> CHKROOTKIT:
>
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/xulrunner/.autoreg
> /lib/init/rw/.ramfs
>
> Checking `sniffer'... lo: not promisc and no packet sniffer sockets
> eth0: PACKET SNIFFER(/sbin/dhclient[2181])
>
> In the system mail I also get this:
>
> /etc/cron.daily/chkrootkit:
> The following suspicious files and directories were found:
> /usr/lib/xulrunner/.autoreg
> /lib/init/rw/.ramfs
>
> eth0: PACKET SNIFFER(/sbin/dhclient[2136])
>
> RKHUNTER reports this:
>
> * Filesystem checks
> Checking /dev for suspicious files... [ OK ]
> Scanning for hidden files... [ Warning! ]
> ---------------
> /etc/.pwd.lock
> /dev/.static
> /dev/.udev
> /dev/.initramfs
> /dev/.initramfs-tools
> ---------------
> Please inspect: /dev/.static (directory) /dev/.udev (directory)
> /dev/.initramfs (directory)
>
> Is this something to be worried about? How can I investigate further into
> these two issues?
>
> Thanks,
> Ale.

the same type messages. My understanding is that since this software is intended for general Linux installation, the software cannot be configured specifically for any installation "out of the box"; some tuning is necessary through adjustment of configuration files. Each warning bears investigation (you will also learn about your system in this investigation). Once you have determined a particular warning is not a threat/problem, adjust your configuration files accordingly.

I will also say the database for rkhunter seems to have some issues. In my case, there is a particular daily warning:

/usr/bin/wget [ BAD ]

that I cannot get rid of no matter what I do... Point is, you may not rid yourself of all warnings; or, if you're lucky, you might...

HTH,

--
Clinton E. Troutman
CeTro
Independent Computer Consultant for Home, Home Office, and Small Business in Fort Worth, Texas
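The replies above boil down to a triage routine: treat dhclient's promiscuous socket on a DHCP interface as expected, verify each hidden path by hand, and only then whitelist it. The script below is an added example, not code from the thread or from chkrootkit/rkhunter; the allow-list, the DHCP interface list and the sample findings are all constructed from this thread, and the ALLOWHIDDENDIR/ALLOWHIDDENFILE lines it emits are rkhunter.conf options for items you have already verified.

```shell
# Constructed sample of the findings quoted in this thread; a real run would
# pipe chkrootkit output or rkhunter's log in instead.
SAMPLE='/usr/lib/xulrunner/.autoreg
/lib/init/rw/.ramfs
eth0: PACKET SNIFFER(/sbin/dhclient[2181])
/etc/.pwd.lock
/dev/.static
/dev/.udev
/dev/.initramfs'
# Hypothetical allow-list: items the replies call normal on Debian Etch. Confirm
# each on your own host (ls -la PATH; dpkg -S PATH) before trusting it.
KNOWN_BENIGN='/lib/init/rw/.ramfs /dev/.static /dev/.udev /dev/.initramfs
/dev/.initramfs-tools /etc/.pwd.lock /usr/lib/xulrunner/.autoreg'
# Interfaces that should be running a DHCP client on this host (assumption).
DHCP_IFACES='eth0'

# classify_path PATH -> "benign" if allow-listed, else "inspect"
classify_path() {
    for p in $KNOWN_BENIGN; do
        [ "$1" = "$p" ] && { echo benign; return 0; }
    done
    echo inspect
}
# classify_sniffer 'eth0: PACKET SNIFFER(/sbin/dhclient[2181])' -> verdict.
# dhclient on a DHCP interface is expected; anything else gets ps -p PID -o args.
classify_sniffer() {
    iface=${1%%:*}
    proc=${1#*"SNIFFER("}; proc=${proc%%\[*}
    if [ "$proc" = /sbin/dhclient ]; then
        for i in $DHCP_IFACES; do
            [ "$iface" = "$i" ] && { echo benign; return 0; }
        done
    fi
    echo inspect
}
# triage: read report lines on stdin, print "verdict<TAB>finding" per finding
triage() {
    while IFS= read -r line; do
        case $line in
            /*) printf '%s\t%s\n' "$(classify_path "$line")" "$line" ;;
            *"PACKET SNIFFER"*) printf '%s\t%s\n' "$(classify_sniffer "$line")" "$line" ;;
        esac
    done
}
# allow_line PATH KIND -> rkhunter.conf line for a verified-benign hidden item;
# KIND is "directory" or "file", as rkhunter's "Please inspect" line labels it.
allow_line() {
    [ "$2" = directory ] && echo "ALLOWHIDDENDIR=$1" || echo "ALLOWHIDDENFILE=$1"
}

printf '%s\n' "$SAMPLE" | triage
```

Anything the script marks "inspect" still needs the manual checks the replies describe (ownership via dpkg -S, contents via ls -la, the sniffing process via ps); the allow-list only records conclusions you have already reached.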