rootkits

Dazed_75 lthielster at gmail.com
Sat Jul 30 07:57:25 MST 2011


Thanks Joseph,

Even where I had some idea what most of those things were you added to what
I knew about them.  For example, it was obvious some of those files were
Pulse Audio stuff, but I had no idea the /dev/shm/ files were interfaces to
shared memory.

On the other hand, I still wonder why the software considered those
particular files to be suspicious.  After all, there are LOTS of hidden
files in the system, but the software only noted those few.  Perhaps they
have been known to be used in the past?  I am still not concerned, just
curious.  Just not curious enough to get the source code and look through
it.  Too much like work even if I could figure it out. :)

Anyway, Thanks again.

On Fri, Jul 29, 2011 at 10:50 PM, Joseph Sinclair <plug-discussion at stcaz.net> wrote:

> What you see below is false-positives.
> The files in /usr/lib are normal files used for things like initialization
> control (pymodules) and JDK selection (jvm).
> The files in /dev/shm are pulseaudio temporary device files, and like
> everything in /dev/shm will disappear on a reboot (/dev/shm is a filesystem
> interface to shared memory).
> The hidden directories are likewise normal (java, udev, initramfs) elements
> of the system.
>
> That's why these things are warnings; they *might* be a problem, but the
> software has no way to be sure (although it really should have exceptions
> built-in for things like pulseaudio, udev, and initramfs stuff).
>
> Then again, it's fundamentally impossible to know if a system is clean from
> within that system (since a rootkit could just intercept any call that would
> expose its presence and return a false result).
> Usually these tools should be run against a chrooted/mounted filesystem
> from a known-good rescue CD.
>
> On 07/29/2011 08:48 AM, Dazed_75 wrote:
> > One of the blogs I read just had an article about finding rootkits in
> > Linux.  While not worried about it, I thought it would be fun to check it
> > out.  They talked about 3 commands; lsattr, chkrootkit, and rkhunter.
> >
> > lsattr didn't find anything of interest the few directories I tried it on
> > except that this line showed up for some files (I think they were all
> > links):
> >
> >>   lsattr: Operation not supported While reading flags on /bin/bzegrep
> >>
> >
> > chkrootkit found
> >
> >> ROOTDIR is `/'
> >> Searching for suspicious files and dirs, it may take a while... The
> >> following suspicious files and directories were found:
> >> /usr/lib/xulrunner-1.9.2.18/.autoreg
> >> /usr/lib/firefox-3.6.18/.autoreg
> >> /usr/lib/pymodules/python2.6/.path
> >> /usr/lib/pymodules/python2.6/PyQt4/uic/widget-plugins/.noinit
> >> /usr/lib/jvm/.java-6-openjdk.jinfo
> >> /usr/lib/thunderbird-3.1.11/.autoreg
> >>
> >
> > those are mainly empty files and the ones that were not seemed reasonable to
> > an uneducated eye.  Problem is that they don't say what it is that is
> > considered suspicious
> >
> > rkhunter -c found
> >
> >> [08:27:47]   Checking /dev for suspicious file types         [ Warning ]
> >> [08:27:47] Warning: Suspicious file types found in /dev:
> >> [08:27:47]          /dev/shm/pulse-shm-3633543672: data
> >> [08:27:47]          /dev/shm/pulse-shm-2330444361: data
> >> [08:27:47]          /dev/shm/pulse-shm-2759599877: data
> >> [08:27:48]          /dev/shm/pulse-shm-2688255106: data
> >> [08:27:48]          /dev/shm/pulse-shm-2964324177: data
> >> [08:27:48]          /dev/shm/pulse-shm-878858236: data
> >> [08:27:48]   Checking for hidden files and directories       [ Warning ]
> >> [08:27:48] Warning: Hidden directory found: /etc/.java
> >> [08:27:48] Warning: Hidden directory found: /dev/.udev
> >> [08:27:48] Warning: Hidden directory found: /dev/.initramfs
> >>
> >
> > Similar comment.  It is difficult to know what to check for.  Again I am not
> > worried, just curious.
> >
> >
> >
> > ---------------------------------------------------
> > PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> > To subscribe, unsubscribe, or to change your mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>



-- 
Dazed_75 a.k.a. Larry

The spirit of resistance to government is so valuable on certain occasions,
that I wish it always to be kept alive.
  - Thomas Jefferson
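The two heuristics behind the warnings above (plain files in /dev, dot-prefixed entries in system directories) and Joseph's advice to scan a mounted filesystem from rescue media, as an added example that is not code from rkhunter, chkrootkit or anyone on this thread: a minimal Python version of those checks with an allowlist for the benign items the thread names. The allowlist patterns, WATCH_DIRS and the sample tree built by demo() are assumptions for illustration.

```python
import os, stat, fnmatch, tempfile

# Hidden entries the thread identifies as benign, as patterns relative to root
# (assumed here; not rkhunter's own exception list).
ALLOWLIST = (
    "dev/shm/pulse-shm-*",   # PulseAudio shared-memory segments
    "dev/.udev",             # udev runtime state
    "dev/.initramfs",        # early-boot leftovers
    "etc/.java",             # JRE preferences directory
    "usr/lib/jvm/.*.jinfo",  # update-alternatives JDK descriptors
    "usr/lib/pymodules/*",   # python-support bookkeeping files
    "usr/lib/*/.autoreg",    # Mozilla component re-registration marker
)
WATCH_DIRS = ("dev", "etc", "usr/lib")  # where a hidden entry deserves a look

def allowed(rel):
    return any(fnmatch.fnmatch(rel, pat) for pat in ALLOWLIST)

def scan(root):
    """Return sorted (reason, path-relative-to-root) findings under root.
    Pass a root mounted from rescue media (e.g. /mnt/sysroot) so the walk does
    not depend on the answers of a possibly compromised running kernel."""
    findings = set()
    # 1. /dev should hold device nodes, dirs, symlinks, fifos and sockets;
    #    a plain regular file there is what rkhunter printed as 'data'.
    for dirpath, _, filenames in os.walk(os.path.join(root, "dev")):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if stat.S_ISREG(os.lstat(full).st_mode) and not allowed(rel):
                findings.add(("regular file in /dev", rel))
    # 2. Dot-prefixed files or directories inside system locations.
    for base in WATCH_DIRS:
        for dirpath, dirnames, filenames in os.walk(os.path.join(root, base)):
            for name in dirnames + filenames:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                if name.startswith(".") and not allowed(rel):
                    findings.add(("hidden entry", rel))
    return sorted(findings)

def demo():
    """Build a constructed sample tree (stand-in for a mounted root) and scan it."""
    root = tempfile.mkdtemp()
    for d in ("dev/shm", "dev/.udev", "etc/.java", "usr/lib/firefox-3.6.18"):
        os.makedirs(os.path.join(root, d))
    for f in ("dev/shm/pulse-shm-3633543672", "dev/stray", "etc/.rc.bak",
              "usr/lib/firefox-3.6.18/.autoreg"):
        open(os.path.join(root, f), "w").close()
    return scan(root)  # only dev/stray and etc/.rc.bak survive the allowlist

if __name__ == "__main__":
    import sys
    for reason, path in scan(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(f"{reason}: /{path}")
```

Run as `python3 scan.py /mnt/sysroot` against a root mounted read-only from a known-good live CD; with no argument it scans the running system, which is exactly the case Joseph warns is not conclusive.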