Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Linux
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: understanding chkrootkit and rkhunter logs

from [Clinton E. Troutman] Network Security [Permanent Link]
Subject: Re: understanding chkrootkit and rkhunter logs
Date: Wed, 9 May 2007 11:17:57 -0500 
On Tuesday 08 May 2007, acattelan@gmail.com wrote:

Hi,
I'm sorry for asking a totally newbie question but I haven't found an
answer to this. I'm really curious and concerned about what is reported
by the chkrootkit and rkhunter on my Debian Etch home server.

Here's what I get when I run them:

CHKROOTKIT:

Searching for suspicious files and dirs, it may take a while...
/usr/lib/xulrunner/.autoreg
/lib/init/rw/.ramfs

Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/sbin/dhclient[2181])

In the system mail I also get this:

/etc/cron.daily/chkrootkit:
The following suspicious files and directories were found:
/usr/lib/xulrunner/.autoreg
/lib/init/rw/.ramfs

eth0: PACKET SNIFFER(/sbin/dhclient[2136])

RKHUNTER reports this:

* Filesystem checks
   Checking /dev for suspicious files...                      [ OK ]
   Scanning for hidden files...                               [ Warning!
] ---------------
/etc/.pwd.lock /dev/.static
/dev/.udev
/dev/.initramfs
/dev/.initramfs-tools
---------------
Please inspect:  /dev/.static (directory)  /dev/.udev (directory) 
/dev/.initramfs (directory)

Is this something to be worried about? How can I investigate further into
these two issues?

Thanks,
Ale.


On initial installation of both chkrootkit and rkhunter, I received many of 
the same type messages.

My understanding is that since these softwares are intended for general 
Linux installation, the software cannot be configured specifically for any 
installation "out of the box"; some tuning is necessary through adjustment 
of configuration files.

Each warning bears investigation (you will also learn about your system in 
this investigation). Once you have determined a particular warning is not a 
threat/problem, adjust your configuration files accordingly.

I will also say the database for rkhunter seems to have some issues. In my 
case, there is a particular daily warning:
    /usr/bin/wget Â[ BAD ]
that I cannot get rid of no matter what I do...
Point is, you may not rid yourself of all warnings; or, if your lucky, you 
might...

HTH,
-- 
Clinton E. Troutman
CeTro
Independent Computer Consultant for Home,
  Home Office, and Small Business in Fort Worth, Texas

Attachment: pgpdL86KT5pHW.pgp
Description: PGP signature

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: understanding chkrootkit and rkhunter logs, Juergen Repolusk
Next by Date:  Security Videos, thejus_mb
Previous by Thread:  Re: understanding chkrootkit and rkhunter logs, Juergen Repolusk
Next by Thread:  Center for Internet Security - Call for Participation, Dave Shackleford
Indexes:  [Date] [Thread] [Top] [All Lists]