[Bradford] chkrootkit and nasties found
Alice Kærast
kaerast at computergentle.com
Wed Oct 5 22:02:12 UTC 2011
Dotfiles like those are to be found all over a modern Linux distro. The key
is comparing the results to a known clean install. That's not to say they're
all ok just because they're known about, you then have to check what's
inside them is legit.
A better option is running something like Tripwire which will detect changes
to key files based on hash sums and modified times. But you need to know
your system is clean to begin with.
Run your rootkit finder from a live CD, sort out any results (most will be
false positives), go through the hardening procedures for your distro
(Debian has a nice package which will help you - can't remember the name),
then get tripwire running.
Alice
Sent from my Windows Mobile® phone.
------------------------------
From: Dick Thomas <xpd259 at gmail.com>
Sent: 05 October 2011 21:44
To: Bradlug Mailing list <bradford at mailman.lug.org.uk>
Subject: [Bradford] chkrootkit and nasties found
hiya people
I've just installed debian (and stop it my David S about using a real OS
like slackware)
and ran chkrootkit and got this output
Searching for suspicious files and dirs, it may take a while... The
following suspicious files and directories were found:
/usr/lib/xulrunner-1.9.1/.autoreg /usr/lib/pymodules/python2.6/.path
/usr/lib/iceape/.autoreg /usr/lib/iceweasel/.autoreg
/usr/lib/jvm/java-1.5.0-gcj-4.4/.java-gcj-4.4.jinfo
/usr/lib/jvm/.java-6-sun.jinfo /usr/lib/jvm/java-6-sun-1.6.0.26/.systemPrefs
/usr/lib/jvm/.java-6-openjdk.jinfo /lib/init/rw/.ramfs
any one got any ideas?
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dick Thomas xpd259 at gmail.com
www.xpd259.co.uk
www.google.com/profiles/xpd259
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.lug.org.uk/pipermail/bradford/attachments/20111005/422b990b/attachment.htm>
More information about the Bradford
mailing list