rootkits

Joseph Sinclair plug-discussion at stcaz.net
Fri Jul 29 22:50:40 MST 2011


What you see below are false positives.
The files in /usr/lib are normal files used for things like initialization control (pymodules) and JDK selection (jvm).
The files in /dev/shm are pulseaudio temporary device files, and like everything in /dev/shm will disappear on a reboot (/dev/shm is a filesystem interface to shared memory).
The hidden directories are likewise normal (java, udev, initramfs) elements of the system.

That's why these things are warnings; they *might* be a problem, but the software has no way to be sure (although it really should have exceptions built-in for things like pulseaudio, udev, and initramfs stuff).

Then again, it's fundamentally impossible to know if a system is clean from within that system (since a rootkit could just intercept any call that would expose its presence and return a false result).
Usually these tools should be run against a chrooted/mounted filesystem from a known-good rescue CD.

On 07/29/2011 08:48 AM, Dazed_75 wrote:
> One of the blogs I read just had an article about finding rootkits in
> Linux.  While not worried about it, I thought it would be fun to check it
> out.  They talked about 3 commands; lsattr, chkrootkit, and rkhunter.
> 
> lsattr didn't find anything of interest the few directories I tried it on
> except that this line showed up for some files (I think they were all
> links):
> 
>>   lsattr: Operation not supported While reading flags on /bin/bzegrep
>>
> 
> chkrootkit found
> 
>> ROOTDIR is `/'
>> Searching for suspicious files and dirs, it may take a while... The
>> following suspicious files and directories were found:
>> /usr/lib/xulrunner-1.9.2.18/.autoreg
>> /usr/lib/firefox-3.6.18/.autoreg
>> /usr/lib/pymodules/python2.6/.path
>> /usr/lib/pymodules/python2.6/PyQt4/uic/widget-plugins/.noinit
>> /usr/lib/jvm/.java-6-openjdk.jinfo
>> /usr/lib/thunderbird-3.1.11/.autoreg
>>
> 
> Those are mainly empty files and the ones that were not seemed reasonable to
> an uneducated eye.  Problem is that they don't say what it is that is
> considered suspicious.
> 
> rkhunter -c found
> 
>> [08:27:47]   Checking /dev for suspicious file types         [ Warning ]
>> [08:27:47] Warning: Suspicious file types found in /dev:
>> [08:27:47]          /dev/shm/pulse-shm-3633543672: data
>> [08:27:47]          /dev/shm/pulse-shm-2330444361: data
>> [08:27:47]          /dev/shm/pulse-shm-2759599877: data
>> [08:27:48]          /dev/shm/pulse-shm-2688255106: data
>> [08:27:48]          /dev/shm/pulse-shm-2964324177: data
>> [08:27:48]          /dev/shm/pulse-shm-878858236: data
>> [08:27:48]   Checking for hidden files and directories       [ Warning ]
>> [08:27:48] Warning: Hidden directory found: /etc/.java
>> [08:27:48] Warning: Hidden directory found: /dev/.udev
>> [08:27:48] Warning: Hidden directory found: /dev/.initramfs
>>
> 
> Similar comment.  It is difficult to know what to check for.  Again I am not
> worried, just curious.
> 
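The triage the reply describes, done as a small script (an added example, not part of the thread and not code from chkrootkit or rkhunter): it walks a filesystem root for dotfiles and dotdirs and for plain data files under dev/, then sorts each hit into "known benign" or "needs review" against an allowlist built from the paths quoted above. The root is a parameter so the same pass can be pointed at a mounted disk image from a rescue CD rather than the live system, which is the only arrangement where the answer can be trusted. The allowlist reasons and the sample tree built in demo() (including the made-up /usr/lib/.not-expected entry) are constructed for this example; the "regular file under /dev" test is an approximation of rkhunter's file-type check, not its actual logic.

```python
"""Allowlist-driven triage of hidden-file and /dev warnings (added example)."""
import fnmatch
import os
import shutil
import stat
import tempfile

# Entries the thread identifies as benign, keyed by fnmatch pattern
# (constructed from the quoted output; extend per distribution).
KNOWN_BENIGN = {
    "/dev/shm/pulse-shm-*": "PulseAudio shared-memory segment; gone after reboot",
    "/dev/.udev": "udev runtime state",
    "/dev/.initramfs": "initramfs runtime state",
    "/etc/.java": "Java preferences directory",
    "/usr/lib/jvm/.java-*.jinfo": "JDK selection metadata",
    "/usr/lib/pymodules/*/.path": "pymodules path marker",
    "/usr/lib/pymodules/*/.noinit": "pymodules no-init marker",
    "/usr/lib/*/.autoreg": "Mozilla component registration marker",
}


def classify(path, allowlist=KNOWN_BENIGN):
    """Return ('known', reason) for an allowlisted path, else ('review', None)."""
    for pattern, reason in allowlist.items():
        if fnmatch.fnmatchcase(path, pattern):
            return "known", reason
    return "review", None


def hidden_entries(root):
    """Every dotfile/dotdir under root, sorted. Symlinks are not followed."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            if name.startswith("."):
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def regular_files_in_dev(root):
    """Plain files under <root>/dev: /dev should hold device nodes, sockets
    and fifos, so a regular data file there is what rkhunter warns about
    (approximation of its check, assumed here)."""
    found = []
    for dirpath, _, filenames in os.walk(os.path.join(root, "dev"), followlinks=False):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(full).st_mode):
                found.append(full)
    return sorted(found)


def triage(paths, allowlist=KNOWN_BENIGN, mount_prefix=""):
    """Bucket warning paths; mount_prefix is stripped first so an image
    mounted at e.g. /mnt/suspect matches the allowlist as if it were /."""
    report = {"known": {}, "review": []}
    for p in paths:
        rel = "/" + os.path.relpath(p, mount_prefix) if mount_prefix else p
        status, reason = classify(rel, allowlist)
        if status == "known":
            report["known"][rel] = reason
        else:
            report["review"].append(rel)
    return report


def demo():
    """Build a throwaway tree mirroring the thread's findings plus one
    unexplained hidden directory, triage it, and return the report."""
    root = tempfile.mkdtemp(prefix="triage-")
    try:
        for rel in ("etc/.java", "dev/.udev", "dev/shm",
                    "usr/lib/firefox-3.6.18", "usr/lib/.not-expected"):
            os.makedirs(os.path.join(root, rel), exist_ok=True)
        open(os.path.join(root, "usr/lib/firefox-3.6.18/.autoreg"), "w").close()
        with open(os.path.join(root, "dev/shm/pulse-shm-3633543672"), "wb") as f:
            f.write(b"\x00" * 16)  # constructed stand-in for a shm segment
        paths = hidden_entries(root) + regular_files_in_dev(root)
        return triage(paths, mount_prefix=root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, why in demo()["known"].items():
        print(f"known   {rel}: {why}")
    for rel in demo()["review"]:
        print(f"REVIEW  {rel}")
```

Anything landing in the review bucket is exactly what the thread says the tools should be doing for you: a hit with no known explanation, worth checking by hand (what package owns it, what is in it, when it appeared) rather than dismissed alongside the pulseaudio and udev noise.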
