Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Linux
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: understanding chkrootkit and rkhunter logs

from [Oren Held] Network Security [Permanent Link]
Subject: Re: understanding chkrootkit and rkhunter logs
Date: Wed, 09 May 2007 10:19:31 +0300 (IDT) 
About /lib/init/rw/.ramfs: I also suffer from daily false-positive mails.
Seems like it's a bad behavior which should be fixed...

http://stereo.lu/chkrootkit-finds-libinitrwramfs-on-debian-etch
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=403863

 - Oren


Hi,
I'm sorry for asking a totally newbie question but I haven't found an
answer to this. I'm really curious and concerned about what is reported by
the chkrootkit and rkhunter on my Debian Etch home server.

Here's what I get when I run them:

CHKROOTKIT:

Searching for suspicious files and dirs, it may take a while...
/usr/lib/xulrunner/.autoreg
/lib/init/rw/.ramfs

Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/sbin/dhclient[2181])

In the system mail I also get this:

/etc/cron.daily/chkrootkit:
The following suspicious files and directories were found:
/usr/lib/xulrunner/.autoreg
/lib/init/rw/.ramfs

eth0: PACKET SNIFFER(/sbin/dhclient[2136])

RKHUNTER reports this:

* Filesystem checks
   Checking /dev for suspicious files...                      [ OK ]
   Scanning for hidden files...                               [ Warning!
]
---------------
/etc/.pwd.lock /dev/.static
/dev/.udev
/dev/.initramfs
/dev/.initramfs-tools
---------------
Please inspect:  /dev/.static (directory)  /dev/.udev (directory)
/dev/.initramfs (directory)

Is this something to be worried about? How can I investigate further into
these two issues?

Thanks,
Ale.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: understanding chkrootkit and rkhunter logs, SZTANYIK Bence Tamas
Next by Date:  Re: understanding chkrootkit and rkhunter logs, Juergen Repolusk
Previous by Thread:  Re: understanding chkrootkit and rkhunter logs, SZTANYIK Bence Tamas
Next by Thread:  Re: understanding chkrootkit and rkhunter logs, Juergen Repolusk
Indexes:  [Date] [Thread] [Top] [All Lists]