rootkits

Dazed_75 lthielster at gmail.com
Fri Jul 29 08:48:03 MST 2011


One of the blogs I read just had an article about finding rootkits in
Linux.  While not worried about it, I thought it would be fun to check it
out.  They talked about 3 commands: lsattr, chkrootkit, and rkhunter.

lsattr didn't find anything of interest in the few directories I tried it on,
except that this line showed up for some files (I think they were all
links):

>   lsattr: Operation not supported While reading flags on /bin/bzegrep
>

chkrootkit found:

> ROOTDIR is `/'
> Searching for suspicious files and dirs, it may take a while... The
> following suspicious files and directories were found:
> /usr/lib/xulrunner-1.9.2.18/.autoreg
> /usr/lib/firefox-3.6.18/.autoreg
> /usr/lib/pymodules/python2.6/.path
> /usr/lib/pymodules/python2.6/PyQt4/uic/widget-plugins/.noinit
> /usr/lib/jvm/.java-6-openjdk.jinfo
> /usr/lib/thunderbird-3.1.11/.autoreg
>

Those are mainly empty files, and the ones that were not seemed reasonable to
an uneducated eye.  Problem is that they don't say what it is that is
considered suspicious.

rkhunter -c found:

> [08:27:47]   Checking /dev for suspicious file types         [ Warning ]
> [08:27:47] Warning: Suspicious file types found in /dev:
> [08:27:47]          /dev/shm/pulse-shm-3633543672: data
> [08:27:47]          /dev/shm/pulse-shm-2330444361: data
> [08:27:47]          /dev/shm/pulse-shm-2759599877: data
> [08:27:48]          /dev/shm/pulse-shm-2688255106: data
> [08:27:48]          /dev/shm/pulse-shm-2964324177: data
> [08:27:48]          /dev/shm/pulse-shm-878858236: data
> [08:27:48]   Checking for hidden files and directories       [ Warning ]
> [08:27:48] Warning: Hidden directory found: /etc/.java
> [08:27:48] Warning: Hidden directory found: /dev/.udev
> [08:27:48] Warning: Hidden directory found: /dev/.initramfs
>

Similar comment.  It is difficult to know what to check for.  Again I am not
worried, just curious.
-- 
Dazed_75 a.k.a. Larry

The spirit of resistance to government is so valuable on certain occasions,
that I wish it always to be kept alive.
  - Thomas Jefferson
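As an added example, not part of Larry's post and not rkhunter's own code: a small Python helper that parses the rkhunter warning lines quoted above and sorts each flagged path into "explained by a known component" versus "needs a closer look". The list of benign patterns is an editorial assumption for a 2011-era Debian/Ubuntu desktop like the one described (PulseAudio, udev, initramfs, Java preferences), not a whitelist shipped by rkhunter.

```python
import re
from dataclasses import dataclass

# rkhunter output as quoted in the post above (a subset of the lines shown there).
RKHUNTER_LOG = """\
[08:27:47]   Checking /dev for suspicious file types         [ Warning ]
[08:27:47] Warning: Suspicious file types found in /dev:
[08:27:47]          /dev/shm/pulse-shm-3633543672: data
[08:27:47]          /dev/shm/pulse-shm-2330444361: data
[08:27:48]   Checking for hidden files and directories       [ Warning ]
[08:27:48] Warning: Hidden directory found: /etc/.java
[08:27:48] Warning: Hidden directory found: /dev/.udev
[08:27:48] Warning: Hidden directory found: /dev/.initramfs
"""

# Assumed-benign origins for the paths rkhunter flagged on this kind of desktop.
# This mapping is an assumption made for the example, not rkhunter's own list.
KNOWN_BENIGN = [
    (re.compile(r"^/dev/shm/pulse-shm-\d+$"), "PulseAudio shared-memory segment"),
    (re.compile(r"^/dev/\.udev(/|$)"), "udev runtime database"),
    (re.compile(r"^/dev/\.initramfs(/|$)"), "initramfs mount left by early boot"),
    (re.compile(r"^/etc/\.java(/|$)"), "system-wide Java preferences directory"),
]

@dataclass
class Finding:
    check: str    # "hidden_file", "hidden_directory" or "dev_filetype"
    path: str
    detail: str   # file(1) type for dev_filetype findings, else empty

HIDDEN_RE = re.compile(r"^\[[\d:]+\] Warning: Hidden (file|directory) found: (\S+)")
DEVTYPE_RE = re.compile(r"^\[[\d:]+\]\s+(/dev/\S+): (.+)$")

def parse_rkhunter(log):
    """Turn rkhunter's human-readable warnings into structured findings."""
    findings = []
    for line in log.splitlines():
        m = HIDDEN_RE.match(line)
        if m:
            findings.append(Finding("hidden_" + m.group(1), m.group(2), ""))
            continue
        m = DEVTYPE_RE.match(line)
        if m:
            findings.append(Finding("dev_filetype", m.group(1), m.group(2).strip()))
    return findings

def triage(findings):
    """Split findings into (explained, needs_review); explained carries the reason."""
    explained, review = [], []
    for f in findings:
        reason = next((why for pat, why in KNOWN_BENIGN if pat.search(f.path)), None)
        (explained.append((f, reason)) if reason else review.append(f))
    return explained, review
```

Once a flagged path is understood, rkhunter's own configuration (rkhunter.conf directives such as ALLOWHIDDENDIR and ALLOWDEVFILE) is the place to record it so later runs stay quiet; anything left in the needs-review list is what deserves a stat, an owning-package lookup and a look at its contents.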