Chkrootkit warning
David G. Miller
dave at davenjudy.org
Fri Jan 26 22:38:27 UTC 2007
Anne Wilson <cannewilson at tiscali.co.uk> wrote:
> Checking `crontab'... Warning: crontab for nobody found, possible
> Lupper.Worm... not infected
> ********
>
> a) Lupper.Worm apparently attacks linux web servers. I don't run a web
> server, on that or any other box on the lan.
>
> b) Symptoms
>
> Presence of one or more the following files:
>
> * /tmp/lupii
> * /tmp/listen
> * /tmp/update.listen
> * /tmp/listen.log
>
> None are present
>
> One or more of the following ports are listening/sending:
>
> * UDP 7111
> * UDP 7222
> * UDP 27015
> * UDP 25555
>
> All these are reported as Stealthed by GRC.
>
> crontab'... Warning: crontab for nobody found, possible Lupper.Worm... not
> infected
>
> The message is very puzzling. It specifically says 'not infected', and my
> checks seem to agree with this.
>
> I don't know why it talks about crontab for nobody.
>
> cat /etc/crontab
> SHELL=/bin/bash
> PATH=/sbin:/bin:/usr/sbin:/usr/bin
> MAILTO=anne at lydgate.net
> HOME=/
> # run-parts
> 1 * * * * root run-parts /etc/cron.hourly
> #
> 2 4 * * * root run-parts /etc/cron.daily
> #
> 22 4 * * 7 root run-parts /etc/cron.weekly
> #
> 42 4 1 * * root run-parts /etc/cron.monthly
>
> I've checked kcron, and while nobody is present, as indeed he is on this box
> too, no tasks are set for him.
>
> I can't see what else to check.
>
> Anne
You should also look in /var/spool/cron. At most, you see something like:
[root at bend ~]# ls -l /var/spool/cron/
total 8
-rw------- 1 root root 39 Nov 4 09:09 root
See "man -S5 crontab" for an explanation of the file's contents.
Cheers
Dave
--
Politics, n. Strife of interests masquerading as a contest of principles.
-- Ambrose Bierce
More information about the fedora-list
mailing list