What you see below is false positives. The files in /usr/lib are normal files used for things like initialization control (pymodules) and JDK selection (jvm). The files in /dev/shm are pulseaudio temporary device files, and like everything in /dev/shm will disappear on a reboot (/dev/shm is a filesystem interface to shared memory). The hidden directories are likewise normal (java, udev, initramfs) elements of the system.

That's why these things are warnings; they *might* be a problem, but the software has no way to be sure (although it really should have exceptions built-in for things like pulseaudio, udev, and initramfs stuff).

Then again, it's fundamentally impossible to know if a system is clean from within that system (since a rootkit could just intercept any call that would expose its presence and return a false result). Usually these tools should be run against a chrooted/mounted filesystem from a known-good rescue CD.

On 07/29/2011 08:48 AM, Dazed_75 wrote:
> One of the blogs I read just had an article about finding rootkits in
> Linux. While not worried about it, I thought it would be fun to check it
> out. They talked about 3 commands; lsattr, chkrootkit, and rkhunter.
>
> lsattr didn't find anything of interest the few directories I tried it on
> except that this line showed up for some files (I think they were all
> links):
>
>> lsattr: Operation not supported While reading flags on /bin/bzegrep
>>
>
> chkrootkit found
>
>> ROOTDIR is `/'
>> Searching for suspicious files and dirs, it may take a while... The
>> following suspicious files and directories were found:
>> /usr/lib/xulrunner-1.9.2.18/.autoreg
>> /usr/lib/firefox-3.6.18/.autoreg
>> /usr/lib/pymodules/python2.6/.path
>> /usr/lib/pymodules/python2.6/PyQt4/uic/widget-plugins/.noinit
>> /usr/lib/jvm/.java-6-openjdk.jinfo
>> /usr/lib/thunderbird-3.1.11/.autoreg
>>
>
> those are mainly empty files and the ones that were not seemed reasonable to
> an uneducated eye. Problem is that they don't say what it is that is
> considered suspicious
>
> rkhunter -c found
>
>> [08:27:47] Checking /dev for suspicious file types [ Warning ]
>> [08:27:47] Warning: Suspicious file types found in /dev:
>> [08:27:47] /dev/shm/pulse-shm-3633543672: data
>> [08:27:47] /dev/shm/pulse-shm-2330444361: data
>> [08:27:47] /dev/shm/pulse-shm-2759599877: data
>> [08:27:48] /dev/shm/pulse-shm-2688255106: data
>> [08:27:48] /dev/shm/pulse-shm-2964324177: data
>> [08:27:48] /dev/shm/pulse-shm-878858236: data
>> [08:27:48] Checking for hidden files and directories [ Warning ]
>> [08:27:48] Warning: Hidden directory found: /etc/.java
>> [08:27:48] Warning: Hidden directory found: /dev/.udev
>> [08:27:48] Warning: Hidden directory found: /dev/.initramfs
>>
>
> Similar comment. It is difficult to know what to check for. Again I am not
> worried, just curious.
>
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
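The reply's point is that rkhunter and chkrootkit flag anything they cannot classify, so the reader has to supply the "known benign" knowledge. The script below is an added example, not code from the thread or from either tool: it parses the two log excerpts quoted above exactly as rkhunter and chkrootkit print them, matches each flagged path against an allowlist, and prints whatever is left over for a human to look at. The allowlist patterns and their explanations are constructed from the reply's own assessment of the paths (pulseaudio, udev, initramfs, pymodules, jvm, the Mozilla .autoreg markers); on another machine they would need to be re-derived, and the `/dev/.hidden-test` path in the test is a made-up placeholder.

```python
"""Triage rkhunter / chkrootkit warnings against a list of known-benign paths.

Added example (not from the thread or from either tool): parse the scanner
output quoted in the thread, then split findings into "known benign" and
"needs review" so only the unexplained ones demand attention.
"""
import fnmatch
import re
from typing import Dict, List, NamedTuple, Tuple


class Finding(NamedTuple):
    tool: str    # "rkhunter" or "chkrootkit"
    path: str    # filesystem path the scanner flagged
    detail: str  # the scanner's own note (file type, "hidden directory", ...)


# Log excerpts as quoted in the thread (timestamps and paths unchanged).
RKHUNTER_LOG = """\
[08:27:47] Checking /dev for suspicious file types [ Warning ]
[08:27:47] Warning: Suspicious file types found in /dev:
[08:27:47] /dev/shm/pulse-shm-3633543672: data
[08:27:47] /dev/shm/pulse-shm-2330444361: data
[08:27:47] /dev/shm/pulse-shm-2759599877: data
[08:27:48] /dev/shm/pulse-shm-2688255106: data
[08:27:48] /dev/shm/pulse-shm-2964324177: data
[08:27:48] /dev/shm/pulse-shm-878858236: data
[08:27:48] Checking for hidden files and directories [ Warning ]
[08:27:48] Warning: Hidden directory found: /etc/.java
[08:27:48] Warning: Hidden directory found: /dev/.udev
[08:27:48] Warning: Hidden directory found: /dev/.initramfs
"""

CHKROOTKIT_LOG = """\
ROOTDIR is `/'
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/xulrunner-1.9.2.18/.autoreg
/usr/lib/firefox-3.6.18/.autoreg
/usr/lib/pymodules/python2.6/.path
/usr/lib/pymodules/python2.6/PyQt4/uic/widget-plugins/.noinit
/usr/lib/jvm/.java-6-openjdk.jinfo
/usr/lib/thunderbird-3.1.11/.autoreg
"""

# Constructed allowlist, based on the reply's assessment of why each path is
# normal on this particular machine. fnmatch-style globs; note that '*' also
# matches '/' here, so "/usr/lib/pymodules/*" covers nested paths.
KNOWN_BENIGN: Dict[str, str] = {
    "/dev/shm/pulse-shm-*": "pulseaudio temporary shared-memory file, gone after reboot",
    "/dev/.udev": "udev runtime state",
    "/dev/.initramfs": "initramfs runtime directory",
    "/etc/.java": "Java system preferences",
    "/usr/lib/*/.autoreg": "Mozilla component re-registration marker",
    "/usr/lib/pymodules/*": "pymodules initialization control files",
    "/usr/lib/jvm/.*.jinfo": "JDK selection descriptor",
}

_RK_LINE = re.compile(r"^\[(\d{2}:\d{2}:\d{2})\] (.*)$")
_RK_HIDDEN = re.compile(r"^Warning: Hidden (directory|file) found: (\S+)$")
_RK_DEVFILE = re.compile(r"^(/\S+): (.+)$")   # "<path>: <file type>" lines


def parse_rkhunter(text: str) -> List[Finding]:
    """Extract the flagged paths from rkhunter's timestamped output."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = _RK_LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(2)
        hidden = _RK_HIDDEN.match(msg)
        if hidden:
            findings.append(Finding("rkhunter", hidden.group(2), f"hidden {hidden.group(1)}"))
            continue
        dev = _RK_DEVFILE.match(msg)
        if dev:
            findings.append(Finding("rkhunter", dev.group(1), f"file type: {dev.group(2)}"))
    return findings


def parse_chkrootkit(text: str) -> List[Finding]:
    """chkrootkit lists each suspicious path on its own line, starting with '/'."""
    return [Finding("chkrootkit", line.strip(), "suspicious file or dir")
            for line in text.splitlines() if line.startswith("/")]


def triage(findings: List[Finding],
           allowlist: Dict[str, str] = KNOWN_BENIGN
           ) -> Tuple[List[Tuple[Finding, str]], List[Finding]]:
    """Return (known-benign findings with their reason, findings needing review)."""
    benign: List[Tuple[Finding, str]] = []
    review: List[Finding] = []
    for f in findings:
        reason = next((why for pat, why in allowlist.items()
                       if fnmatch.fnmatchcase(f.path, pat)), None)
        (review.append(f) if reason is None else benign.append((f, reason)))
    return benign, review


def report(rk_text: str = RKHUNTER_LOG, ck_text: str = CHKROOTKIT_LOG) -> Dict[str, int]:
    """Print the triage and return the counts, so the result can be checked."""
    benign, review = triage(parse_rkhunter(rk_text) + parse_chkrootkit(ck_text))
    for f, why in benign:
        print(f"known-benign  {f.tool:10} {f.path}  ({why})")
    for f in review:
        print(f"NEEDS REVIEW  {f.tool:10} {f.path}  [{f.detail}]")
    return {"known_benign": len(benign), "needs_review": len(review)}


if __name__ == "__main__":
    report()
```

Run against the quoted output, every finding lands in the known-benign bucket and nothing is left for review, which is the reply's conclusion in mechanical form; a path that does not match the allowlist (any new hidden directory under /dev, say) is reported instead of silently passed. rkhunter has its own version of this mechanism in rkhunter.conf (the `ALLOWHIDDENDIR`, `ALLOWHIDDENFILE` and `ALLOWDEVFILE` directives), which is the cleaner place to record such exceptions once they have been understood. None of this changes the reply's last point: an allowlist only filters what the scanner reports, and a scanner run from inside a compromised system may not report truthfully, so the authoritative check is still a scan of the mounted filesystem from known-good rescue media.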