Re: rootkits

Author: Joseph Sinclair
Date:  
To: Main PLUG discussion list
Subject: Re: rootkits
What you see below is false-positives.
The files in /usr/lib are normal files used for things like initialization control (pymodules) and JDK selection (jvm).
The files in /dev/shm are pulseaudio temporary device files, and like everything in /dev/shm will disappear on a reboot (/dev/shm is a filesystem interface to shared memory).
The hidden directories are likewise normal (java, udev, initramfs) elements of the system.

That's why these things are warnings; they *might* be a problem, but the software has no way to be sure (although it really should have exceptions built-in for things like pulseaudio, udev, and initramfs stuff).

Then again, it's fundamentally impossible to know if a system is clean from within that system (since a rootkit could just intercept any call that would expose its presence and return a false result).
Usually these tools should be run against a chrooted/mounted filesystem from a known-good rescue CD.

On 07/29/2011 08:48 AM, Dazed_75 wrote:
> One of the blogs I read just had an article about finding rootkits in
> Linux. While not worried about it, I thought it would be fun to check it
> out. They talked about 3 commands; lsattr, chkrootkit, and rkhunter.
>
> lsattr didn't find anything of interest the few directories I tried it on
> except that this line showed up for some files (I think they were all
> links):
>
>> lsattr: Operation not supported While reading flags on /bin/bzegrep
>>
>
> chkrootkit found
>
>> ROOTDIR is `/'
>> Searching for suspicious files and dirs, it may take a while... The
>> following suspicious files and directories were found:
>> /usr/lib/xulrunner-1.9.2.18/.autoreg
>> /usr/lib/firefox-3.6.18/.autoreg
>> /usr/lib/pymodules/python2.6/.path
>> /usr/lib/pymodules/python2.6/PyQt4/uic/widget-plugins/.noinit
>> /usr/lib/jvm/.java-6-openjdk.jinfo
>> /usr/lib/thunderbird-3.1.11/.autoreg
>>
>
> Those are mainly empty files and the ones that were not seemed reasonable to
> an uneducated eye. Problem is that they don't say what it is that is
> considered suspicious.
>
> rkhunter -c found
>
>> [08:27:47]   Checking /dev for suspicious file types         [ Warning ]
>> [08:27:47] Warning: Suspicious file types found in /dev:
>> [08:27:47]          /dev/shm/pulse-shm-3633543672: data
>> [08:27:47]          /dev/shm/pulse-shm-2330444361: data
>> [08:27:47]          /dev/shm/pulse-shm-2759599877: data
>> [08:27:48]          /dev/shm/pulse-shm-2688255106: data
>> [08:27:48]          /dev/shm/pulse-shm-2964324177: data
>> [08:27:48]          /dev/shm/pulse-shm-878858236: data
>> [08:27:48]   Checking for hidden files and directories       [ Warning ]
>> [08:27:48] Warning: Hidden directory found: /etc/.java
>> [08:27:48] Warning: Hidden directory found: /dev/.udev
>> [08:27:48] Warning: Hidden directory found: /dev/.initramfs
>>
>
> Similar comment. It is difficult to know what to check for. Again I am not
> worried, just curious.
>
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
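Joseph's two points above, that these tools should carry exceptions for known-benign entries and that the scan should run against a mounted root rather than the live system, as an added Python example that is not from this thread nor from rkhunter or chkrootkit. It walks a root directory (assumed to be a rescue-CD mount such as /mnt/root) with a constructed allowlist built from the entries named in this thread and reports only what the allowlist does not explain; `build_sample_root` creates a constructed sample tree so it runs offline.

```python
import fnmatch
import os
import stat
import tempfile

# Constructed allowlist of the benign hidden entries named in this thread (not
# rkhunter's own config); relative to the scanned root so it also fits a mounted image.
BENIGN_PATTERNS = ["etc/.java", "dev/.udev", "dev/.initramfs", "dev/shm/pulse-shm-*",
                   "usr/lib/*/.autoreg", "usr/lib/jvm/.java-*.jinfo"]

def _allowed(rel, patterns):
    return any(fnmatch.fnmatch(rel, p) for p in patterns)

def scan_hidden(root, patterns=BENIGN_PATTERNS):
    """Hidden files/dirs under root that the allowlist does not explain.
    Symlinks are not followed, so a planted link cannot pull in another tree."""
    unexplained = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name.startswith(".") and not _allowed(rel, patterns):
                unexplained.append(rel)
        # Do not descend into allowlisted hidden directories such as etc/.java
        dirnames[:] = [d for d in dirnames if not (d.startswith(".") and _allowed(
            os.path.relpath(os.path.join(dirpath, d), root), patterns))]
    return sorted(unexplained)

def regular_files_in_dev(root, patterns=BENIGN_PATTERNS):
    """/dev should hold device nodes, FIFOs and sockets; a regular file there is
    what rkhunter reports as a suspicious file type ('...: data')."""
    found = []
    for dirpath, _, names in os.walk(os.path.join(root, "dev"), followlinks=False):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if stat.S_ISREG(os.lstat(full).st_mode) and not _allowed(rel, patterns):
                found.append(rel)
    return sorted(found)

def build_sample_root():
    """Constructed stand-in for a mounted root: benign entries plus three planted ones."""
    root = tempfile.mkdtemp()
    for d in ("etc/.java/fonts", "dev/.udev", "dev/.initramfs", "dev/shm",
              "usr/lib/firefox-3.6.18", "usr/lib/jvm", "usr/lib/.cache"):
        os.makedirs(os.path.join(root, d))
    for f in ("dev/shm/pulse-shm-3633543672", "usr/lib/firefox-3.6.18/.autoreg",
              "usr/lib/jvm/.java-6-openjdk.jinfo", "dev/shm/.stash", "dev/planted.bin"):
        open(os.path.join(root, f), "w").close()
    return root
```

Point `scan_hidden` and `regular_files_in_dev` at the mount point of the suspect root rather than at `/`, so the results do not depend on the possibly-compromised kernel's view of its own filesystem.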
