Chrootkit found "suspicious" file
jludwig
wralphie at comcast.net
Mon Feb 27 21:59:50 UTC 2006
On Monday 27 February 2006 07:19, Dotan Cohen wrote:
> On 2/23/06, Mike McCarty <mike.mccarty at sbcglobal.net> wrote:
> > I ran chrootkit today, and it spit this out [in the middle
> > of a bunch of "nothing found" reports]
> >
> > Searching for suspicious files and dirs, it may take a while...
> > /usr/lib/qt-3.3/etc/settings/.qt_plugins_3.3rc.lock
> > /usr/lib/qt-3.3/etc/settings/.qtrc.lock
> > /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi/auto/Gaim/.packlist
> > /usr/lib/perl5/5.8.3/i386-linux-thread-multi/.packlist
> > /lib/modules/2.6.10-1.771_FC2/build/.config
> > /lib/modules/2.6.10-1.771_FC2/build/scripts/.pnmtologo.cmd
> > /lib/modules/2.6.10-1.771_FC2/build/scripts/genksyms/.genksyms.cmd
> > /lib/modules/2.6.10-1.771_FC2/build/scripts/genksyms/.parse.o.cmd
> > /lib/modules/2.6.10-1.771_FC2/build/scripts/genksyms/.lex.o.cmd
> > [etc]
> >
> > Total of 200 files it didn't like. I don't see anything there that
> > looks particularly suspicious. What's going on? Anyone know?
> >
> > It also found this...
> >
> > Checking `chkutmp'... The tty of the following user process(es) were
> > not found
> > in /var/run/utmp !
> > ! RUID PID TTY CMD
> > ! root 3928 tty1 /sbin/mingetty tty1
> > ! root 3939 tty2 /sbin/mingetty tty2
> > ! root 3945 tty3 /sbin/mingetty tty3
> > ! root 3951 tty4 /sbin/mingetty tty4
> > ! root 3957 tty5 /sbin/mingetty tty5
> > ! root 4082 tty6 /sbin/mingetty tty6
> > chkutmp: nothing deleted
> >
> > Why can it not find the tty?
> >
> > Mike
>
> Did you ever figure out what caused chkrootkit to freak? I was hoping
> someone would help you (as I too need to learn), but I did not see any
> public replies to the thread.
>
> Dotan Cohen
> http://song-lirics.com
I haven't run FC2 in a while but suspect that these are scripts that are
changing ownership or group to wheel or root.
--
Some people have convictions.
Some people have opinions
I think I'll have a cheeseburger!
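A triage helper for the list Mike quoted, added here as an example (not code from the thread or from chkrootkit): it parses the paths chkrootkit printed, groups them by directory tree, and, where the `rpm` tool is present, asks the package database which installed package owns each file. Files owned by a package are the usual benign explanation for hidden lock, .packlist and kernel-build .cmd files; hidden files no package claims are the ones worth a closer look. The sample output below is constructed from the paths in the thread.

```python
"""Triage chkrootkit's "suspicious files and dirs" list (added example)."""
import re
import shutil
import subprocess
from collections import defaultdict

# Constructed sample: paths quoted in the thread plus the surrounding
# chkrootkit lines the parser has to skip.
SAMPLE_OUTPUT = """\
Searching for suspicious files and dirs, it may take a while...
/usr/lib/qt-3.3/etc/settings/.qt_plugins_3.3rc.lock
/usr/lib/qt-3.3/etc/settings/.qtrc.lock
/usr/lib/perl5/5.8.3/i386-linux-thread-multi/.packlist
/lib/modules/2.6.10-1.771_FC2/build/.config
/lib/modules/2.6.10-1.771_FC2/build/scripts/genksyms/.parse.o.cmd
Checking `chkutmp'... nothing deleted
"""

# A flagged entry is a line that is nothing but an absolute path.
PATH_RE = re.compile(r"^(/\S+)$", re.MULTILINE)


def flagged_paths(output: str) -> list:
    """Return the absolute paths chkrootkit listed, in order."""
    return PATH_RE.findall(output)


def group_by_prefix(paths, depth: int = 3) -> dict:
    """Bucket paths by their first `depth` directory components, so a
    200-entry list collapses into one group per directory tree."""
    groups = defaultdict(list)
    for p in paths:
        parts = p.strip("/").split("/")
        groups["/" + "/".join(parts[:depth])].append(p)
    return dict(groups)


def owning_package(path: str):
    """Name of the installed RPM that owns `path`, or None if no package
    claims it or rpm is not installed on this host (assumed fallback)."""
    if shutil.which("rpm") is None:
        return None
    res = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
    return res.stdout.strip() if res.returncode == 0 else None


if __name__ == "__main__":
    for prefix, files in group_by_prefix(flagged_paths(SAMPLE_OUTPUT)).items():
        print(f"{prefix}: {len(files)} flagged file(s)")
        for f in files:
            print(f"  {f} -> {owning_package(f) or 'unowned or rpm unavailable'}")
```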