Re: [cobalt-users] chkrootkit output show possible ambient
- Subject: Re: [cobalt-users] chkrootkit output show possible ambient
- From: Richard Siddall <cobalt@xxxxxxxxxxx>
- Date: Wed Nov 20 07:31:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
"alan@" wrote:
>
> Hi all,
>
> I have just installed the chkrootkit-0.37 tarball.
>
Is this the first time you've had chkrootkit on this machine, or
is this an upgrade?
> When I run it, netstat and traceroute come back as infected.
> Would they be false positives?
>
There's always a possibility of a false positive with chkrootkit.
It's like "lint" with C programming, it looks for things that might
be problems.
However, chkrootkit has gained a reputation for generating spurious
warnings due to the way it checks for hidden processes.
If chkrootkit generates ANY warnings, it's time to go investigating.
1/ Do a search.
2/ Look at the chkrootkit source code. chkrootkit itself is a shell
script, so you can figure out what it's looking for.
Generating warnings for infected programs is a bad sign; you almost
never replace the programs with ones that might trigger a false
positive.
In the case of netstat, chkrootkit seems to be looking for the
following strings in the binary:
/dev/hdl0/dev/xdta|/dev/ttyoa|/dev/pty[pqrsx]|/dev/cui|/dev/hdn0|/dev/cui221|/dev/dszy|/dev/ddth3|/dev/caca|/prof|/dev/tux
> Also when it's checking for Ambient's rootkit, it says it's possibly there,
> then it says it's looking for suspicious files, and then lists a mixture of
> files. Does this mean yes or no, if the files appear in the list?
> Is suspicious deadly?
Having suspicious files isn't necessarily bad.
> Here is the relevant section of the output from chkrootkit :
>
> Searching for Ambient's rootkit (ark) default files and dirs... Possible
> Ambient's rootkit (ark) installed
You need to look to see what could have triggered this.
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/.ark?
I don't like the look of that...
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/mod_perl/.packlist
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/MD5/.packlist
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Quota/.packlist
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/XML/Parser/.packlist
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Devel/Symdump/.packlist
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/DBI/.packlist
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Msql-Mysql-modules/.packlist
> /usr/lib/perl5/5.00503/i386-linux/.packlist
Generally when you install a Perl module, it leaves behind a .packlist
file. Can you justify having these modules installed? (They look
innocuous to me.)
>
> TIA
>
I hope this helps. I think you're in for a bad day.
> Alan
>
Richard.
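The string check Richard describes for netstat can be reproduced outside chkrootkit, which is useful when triaging a warning: you can see exactly which signature fired and whether it is plausible. The script below is an added example for this thread, not chkrootkit's own code; the alternation pattern is copied from the message exactly as it appears there (including the first alternative, which is run together in the message), the `scan_binary` function name is ours, and the three sample files it scans are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not chkrootkit's code): the kind of string signature check
# chkrootkit applies to the netstat binary, as quoted in the message above.
# Alternatives copied verbatim from the message; /dev/pty[pqrsx] is a
# character class, so this is used as an extended regular expression.
NETSTAT_SIGS='/dev/hdl0/dev/xdta|/dev/ttyoa|/dev/pty[pqrsx]|/dev/cui|/dev/hdn0|/dev/cui221|/dev/dszy|/dev/ddth3|/dev/caca|/prof|/dev/tux'

# scan_binary FILE
#   Prints the distinct signature strings found in FILE.
#   Returns 0 when at least one matched ("INFECTED" in chkrootkit's terms),
#   1 when none did. A match is a reason to investigate, not proof of a rootkit.
scan_binary() {
    file="$1"
    # -a: treat the binary as text; -o: print only the matching substring
    hits=$(grep -aoE "$NETSTAT_SIGS" "$file" 2>/dev/null | sort -u)
    if [ -n "$hits" ]; then
        printf '%s: matched: %s\n' "$file" "$(printf '%s' "$hits" | tr '\n' ' ')"
        return 0
    fi
    printf '%s: no signature strings found\n' "$file"
    return 1
}

# Constructed demonstration files (stand-ins for real binaries):
#   clean - only the /proc path a normal netstat reads
#   bad   - carries one of the signature strings
#   fp    - carries "/etc/profile", which the "/prof" alternative also matches,
#           illustrating how a spurious warning can arise
demo_dir=$(mktemp -d)
printf 'netstat\n/proc/net/tcp\n' > "$demo_dir/clean"
printf 'netstat\n/dev/ttyoa\n'    > "$demo_dir/bad"
printf 'login\n/etc/profile\n'    > "$demo_dir/fp"
for f in clean bad fp; do
    if scan_binary "$demo_dir/$f"; then :; fi
done
rm -rf "$demo_dir"
```

Run it against the real `/bin/netstat` by calling `scan_binary /bin/netstat`; the printed match tells you which alternative fired, which is the first thing to check before deciding whether the warning is spurious or whether the binary needs to be compared against a known-good copy from the vendor package.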