<span style="FONT-SIZE: 10pt; FONT-FAMILY: Arial; FONT-WEIGHT:Normal;"><br>Dotfiles like those are to be found all over a modern Linux distro. The key is comparing the results to a known clean install. That's not to say they're all ok just because they're known about, you then have to check what's inside them is legit.<br>
<br>A better option is running something like Tripwire which will detect changes to key files based on hash sums and modified times. But you need to know your system is clean to begin with.<br><br>Run your rootkit finder from a live CD, sort out any results (most will be false positives), go through the hardening procedures for your distro (Debian has a nice package which will help you - can't remember the name), then get tripwire running.<br>
<br>Alice<br><br><br>Sent from my Windows Mobile® phone.<br><br><hr><span style="font-size:10pt;font-family:Tahoma; font-weight:bold">From: </span><span style="font-size:10pt;font-family:Tahoma; font-weight:normal;">Dick Thomas <<a href="mailto:xpd259@gmail.com">xpd259@gmail.com</a>></span><br>
<span style="font-size:10pt;font-family:Tahoma; font-weight:bold">Sent: </span><span style="font-size:10pt;font-family:Tahoma; font-weight:normal;">05 October 2011 21:44</span><br><span style="font-size:10pt;font-family:Tahoma; font-weight:bold">To: </span><span style="font-size:10pt;font-family:Tahoma; font-weight:normal;">Bradlug Mailing list <<a href="mailto:bradford@mailman.lug.org.uk">bradford@mailman.lug.org.uk</a>></span><br>
<span style="font-size:10pt;font-family:Tahoma; font-weight:bold">Subject: </span><span style="font-size:10pt;font-family:Tahoma; font-weight:normal;">[Bradford] chkrootkit and nasties found</span><br><br></span><div><div>
hiya people</div><div><br></div><div>I've just installed debian (and stop it my David S about using a real OS like slackware)</div><div>and ran chkrootkit and got this output</div><div><br></div><div>Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found: </div>
<div>/usr/lib/xulrunner-1.9.1/.autoreg /usr/lib/pymodules/python2.6/.path /usr/lib/iceape/.autoreg /usr/lib/iceweasel/.autoreg /usr/lib/jvm/java-1.5.0-gcj-4.4/.java-gcj-4.4.jinfo /usr/lib/jvm/.java-6-sun.jinfo /usr/lib/jvm/java-6-sun-1.6.0.26/.systemPrefs /usr/lib/jvm/.java-6-openjdk.jinfo /lib/init/rw/.ramfs</div>
<div><br></div></div><div>any one got any ideas?</div><div><br></div><div><br></div>-- <br><div><div style="margin-top:8px;margin-right:8px;margin-bottom:8px;margin-left:8px;font-family:'Times New Roman';font-size:medium;background-repeat:no-repeat no-repeat">
~~~~~~~~~~~~~~~~~~~~~~~~~~~<div>Dick Thomas <a href="mailto:xpd259@gmail.com" target="_blank">xpd259@gmail.com</a></div><div><a href="http://www.xpd259.co.uk/" target="_blank">www.xpd259.co.uk</a></div><div><a href="http://www.google.com/profiles/xpd259" target="_blank">www.google.com/profiles/xpd259</a></div>
<div><br></div></div></div><br>