Chrootkit found "suspicious" file

Mike McCarty mike.mccarty at sbcglobal.net
Mon Feb 27 20:12:47 UTC 2006


Rich Lafferty wrote:
> On Wed, Feb 22, 2006 at 04:23:10PM -0600, Mike McCarty <mike.mccarty at sbcglobal.net> wrote:
> 
>>I ran chrootkit today, and it spit this out [in the middle
>>of a bunch of "nothing found" reports]
>>
>>Searching for suspicious files and dirs, it may take a while...
>>/usr/lib/qt-3.3/etc/settings/.qt_plugins_3.3rc.lock
>>/usr/lib/qt-3.3/etc/settings/.qtrc.lock

[snip]

>>
>>Total of 200 files it didn't like. I don't see anything there that
>>looks particularly suspicious. What's going on? Anyone know?
> 
> 
> My guess is that they are suspicious because they are dotfiles in
> directories that aren't home directories. If chkrootkit didn't claim
> that it detected some particular rootkit, it's just telling you that you
> might want to look at those to decide whether or not they belong there.


That's certainly a possibility. But I've run it before without
it complaining, and I haven't upgraded chkrootkit. Also, the
dates on those files are mostly 2004.


> 
>>It also found this...
>>
>>Checking `chkutmp'...  The tty of the following user process(es) were 
>>not found

[snip]

> Because no-one is logged in on them. That's the program that displays
> the login prompt on your console; utmp entries belong to logged-in
> users.

Ok, thanks. That explains that little bit.

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
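The `chkutmp` logic Rich describes above (a process holds a tty, but no utmp record says anyone is logged in on that tty) is easy to reproduce for triage. The script below is an added example, not part of this thread or of chkrootkit itself: it parses constructed `ps -eo pid,user,tty,comm` and `who` output, lists the ttys with no utmp entry, and separates the expected getty-style login-prompt processes from anything else worth a second look. The sample lines, the `EXPECTED_TTY_HOLDERS` set and the function names are assumptions made for the example.

```python
# Added example: a minimal reimplementation of the check behind chkrootkit's
# `chkutmp' test, run over constructed sample data (not real system output).
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    user: str
    tty: str   # "tty2", "pts/0", or "?" when there is no controlling tty
    comm: str

# Constructed sample of `ps -eo pid,user,tty,comm` output.
SAMPLE_PS = """\
  PID USER     TT       COMMAND
    1 root     ?        init
 2301 root     tty2     mingetty
 2302 root     tty3     mingetty
 3120 mike     pts/0    bash
 3555 mike     pts/1    vim
"""

# Constructed sample of `who` output (one line per utmp login record).
SAMPLE_WHO = """\
mike     pts/0        2006-02-27 19:58 (:0.0)
"""

# Programs that normally own a tty before anyone has logged in on it.
# Assumed list for the example; extend it for your own distribution.
EXPECTED_TTY_HOLDERS = {"mingetty", "getty", "agetty", "login"}

def parse_ps(text):
    """Turn `ps -eo pid,user,tty,comm` output into Proc records (header skipped)."""
    procs = []
    for line in text.splitlines()[1:]:
        fields = line.split(None, 3)
        if len(fields) == 4:
            pid, user, tty, comm = fields
            procs.append(Proc(int(pid), user, tty, comm))
    return procs

def parse_who(text):
    """Turn `who` output into (user, tty) pairs, i.e. the utmp login records."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            records.append((fields[0], fields[1]))
    return records

def ttys_without_utmp(procs, utmp):
    """Processes holding a tty for which no utmp record exists."""
    logged_in = {tty for _user, tty in utmp}
    return [p for p in procs if p.tty != "?" and p.tty not in logged_in]

def triage(procs, utmp):
    """Split findings into expected login-prompt processes and ones to review."""
    expected, review = [], []
    for p in ttys_without_utmp(procs, utmp):
        (expected if p.comm in EXPECTED_TTY_HOLDERS else review).append(p)
    return expected, review

if __name__ == "__main__":
    expected, review = triage(parse_ps(SAMPLE_PS), parse_who(SAMPLE_WHO))
    for p in expected:
        print(f"expected: pid {p.pid} {p.comm} on {p.tty} (no login yet)")
    for p in review:
        print(f"review:   pid {p.pid} {p.comm} ({p.user}) on {p.tty} has no utmp entry")
```

On the sample data the two mingetty processes on tty2 and tty3 land in the expected bucket, which is exactly the situation in the thread: nobody is logged in on those consoles, so there is no utmp entry. The `vim` on pts/1 is reported for review because a shell or editor on a pseudo-terminal with no utmp record is the kind of thing the check exists to surface; on a real system that is often just a terminal emulator that does not write utmp, but it is the one to look at rather than the gettys.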



