One of the blogs I read just had an article about finding rootkits in Linux. While not worried about it, I thought it would be fun to check it out. They talked about 3 commands: lsattr, chkrootkit, and rkhunter.
lsattr didn't find anything of interest in the few directories I tried it on, except that this line showed up for some files (I think they were all links):
lsattr: Operation not supported While reading flags on /bin/bzegrep
ROOTDIR is `/'
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/xulrunner-1.9.2.18/.autoreg
/usr/lib/firefox-3.6.18/.autoreg
/usr/lib/pymodules/python2.6/.path
/usr/lib/pymodules/python2.6/PyQt4/uic/widget-plugins/.noinit
/usr/lib/jvm/.java-6-openjdk.jinfo
/usr/lib/thunderbird-3.1.11/.autoreg
[08:27:47] Checking /dev for suspicious file types [ Warning ]
[08:27:47] Warning: Suspicious file types found in /dev:
[08:27:47] /dev/shm/pulse-shm-3633543672: data
[08:27:47] /dev/shm/pulse-shm-2330444361: data
[08:27:47] /dev/shm/pulse-shm-2759599877: data
[08:27:48] /dev/shm/pulse-shm-2688255106: data
[08:27:48] /dev/shm/pulse-shm-2964324177: data
[08:27:48] /dev/shm/pulse-shm-878858236: data
[08:27:48] Checking for hidden files and directories [ Warning ]
[08:27:48] Warning: Hidden directory found: /etc/.java
[08:27:48] Warning: Hidden directory found: /dev/.udev
[08:27:48] Warning: Hidden directory found: /dev/.initramfs