Chrootkit found "suspicious" file

Mike McCarty mike.mccarty at sbcglobal.net
Mon Feb 27 20:18:00 UTC 2006


Rich Lafferty wrote:
> On Wed, Feb 22, 2006 at 04:23:10PM -0600, Mike McCarty <mike.mccarty at sbcglobal.net> wrote:
> 
>>I ran chkrootkit today, and it spit this out [in the middle
>>of a bunch of "nothing found" reports]
>>
>>Searching for suspicious files and dirs, it may take a while...
>>/usr/lib/qt-3.3/etc/settings/.qt_plugins_3.3rc.lock
>>/usr/lib/qt-3.3/etc/settings/.qtrc.lock

[snip]

>>Total of 200 files it didn't like. I don't see anything there that
>>looks particularly suspicious. What's going on? Anyone know?
> 
> 
> My guess is that they are suspicious because they are dotfiles in
> directories that aren't home directories. If chkrootkit didn't claim
> that it detected some particular rootkit, it's just telling you that you
> might want to look at those to decide whether or not they belong there.

I ran it again just now, and it didn't complain about them this
time, except for two of them. I wonder if access date is being
checked?

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
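
One way to review the flagged paths, as an added example that is not part of the original thread and is not chkrootkit's own logic: it takes the guess in the reply above (hidden entries outside home directories) and, for each one under a given tree, prints the owning RPM package together with the modification and access times. The function names `owner_package` and `list_dot_entries` are hypothetical, and an RPM-based system with GNU `find` and `stat` is assumed.

```shell
#!/bin/sh
# Added example: triage hidden files and directories under a system tree.

# owner_package PATH
# Prints the name of the RPM package that owns PATH, "unowned" if no package
# claims it, or "rpm-unavailable" when rpm is not installed on this host.
owner_package() {
    if command -v rpm >/dev/null 2>&1; then
        if pkg=$(rpm -qf --queryformat '%{NAME} ' "$1" 2>/dev/null); then
            echo "${pkg% }"
        else
            echo "unowned"
        fi
    else
        echo "rpm-unavailable"
    fi
}

# list_dot_entries DIR
# One line per hidden file or directory below DIR:
#   <owning package> TAB mtime=<epoch> atime=<epoch> TAB <path>
# Paths containing newlines are not handled (line-oriented read).
list_dot_entries() {
    find "$1" -mindepth 1 -name '.*' \( -type f -o -type d \) -print |
    while IFS= read -r path; do
        # Skip entries that vanish between find and stat (lock files do).
        times=$(stat -c 'mtime=%Y atime=%X' "$path" 2>/dev/null) || continue
        printf '%s\t%s\t%s\n' "$(owner_package "$path")" "$times" "$path"
    done
}

# Usage: sh triage.sh /usr/lib/qt-3.3
if [ "$#" -gt 0 ]; then
    list_dot_entries "$1"
fi
```

Entries reported as `unowned` are the ones to look at by hand; runtime lock files such as the `.lock` files listed above are created by the application rather than shipped in a package, so they appear as unowned as well.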



