Re: [cobalt-users] chkrootkit output show possible ambient
- Subject: Re: [cobalt-users] chkrootkit output show possible ambient
- From: "alan@" <alan@xxxxxxxxx>
- Date: Wed Nov 20 07:50:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
----- Original Message -----
From: "Richard Siddall"
> "alan@" wrote:
> >
> > Hi all,
> >
> > I have just installed the chkrootkit-0.37 tarball.
> >
>
> Is this the first time you've had chkrootkit on this machine, or
> is this an upgrade?
>
> > When I run it, netstat and traceroute come back as infected.
> > Would they be false positives ?
> >
>
> There's always a possibility of a false positive with chkrootkit.
> It's like "lint" in C programming: it looks for things that might
> be problems.
>
> However, chkrootkit has gained a reputation for generating spurious
> warnings due to the way it checks for hidden processes.
>
> If chkrootkit generates ANY warnings, it's time to go investigating.
>
> 1/ Do a search.
>
> 2/ Look at the chkrootkit source code. chkrootkit itself is a shell
> script, so you can figure out what it's looking for.
>
> Generating warnings for infected programs is a bad sign; you almost
> never replace the programs with ones that might trigger a false
> positive.
>
> In the case of netstat, chkrootkit seems to be looking for the
> following strings in the binary:
>
> /dev/hdl0|/dev/xdta|/dev/ttyoa|/dev/pty[pqrsx]|/dev/cui|/dev/hdn0|/dev/cui221|/dev/dszy|/dev/ddth3|/dev/caca|/prof|/dev/tux
>
> > Also when it's checking for Ambient's rootkit, it says it's possibly there,
> > then it says it's looking for suspicious files, and then lists a mixture of
> > files. Does this mean yes or no, if the files appear in the list?
> > Is suspicious deadly?
>
> Having suspicious files isn't necessarily bad.
>
> > Here is the relevant section of the output from chkrootkit :
> >
> > Searching for Ambient's rootkit (ark) default files and dirs... Possible
> > Ambient's rootkit (ark) installed
>
> You need to look to see what could have triggered this.
>
> > Searching for suspicious files and dirs, it may take a while...
> > /usr/lib/.ark?
>
> I don't like the look of that...
>
> > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/mod_perl/.packlist
> > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/MD5/.packlist
> > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Quota/.packlist
> > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/XML/Parser/.packlist
> > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Devel/Symdump/.packlist
> > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/DBI/.packlist
> > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Msql-Mysql-modules/.packlist
> > /usr/lib/perl5/5.00503/i386-linux/.packlist
>
> Generally when you install a Perl module, it leaves behind a .packlist
> file. Can you justify having these modules installed? (They look
> innocuous to me.)
>
> >
> > TIA
> >
>
> I hope this helps. I think you're in for a bad day.
>
> > Alan
> >
>
> Richard.
Thanks Richard,
This is a fresh install on a client's server. Last week "somebody" changed
the admin password. I got the co-lo to change it back but we still don't
know why/how it was changed.
So I have begun investigations! (I only gained this client when the
password locked them out!!)
I have been researching a little through the archives, and am considering
whether to go through the suggestions in this posting:
http://list.cobalt.com/pipermail/cobalt-users/2002-November/081008.html
I have deleted /usr/lib/.ark? but I am not sure about the poster's
instruction to delete /dev/ptyxx
(is ptyxx pty with 2 wildcards or an actual file ptyxx?)
I guess what I am trying to get away with is not to have to wipe the disk
and start again.
Anybody want to lay odds? :-(
Thanks
Alan
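Richard's point in the quoted reply is that chkrootkit's netstat test is a plain string search over the binary for the pattern he pasted, and that a hit means "go investigating", not "infected". The POSIX shell script below is an added example, not chkrootkit's own code and not from either poster: it re-creates that style of check so the behaviour can be seen on a constructed flagged file and a constructed clean file. The regex is the one quoted in the thread; the function names, file names and sample bytes are made up for the demo.

```shell
#!/bin/sh
# Added example, not chkrootkit's own code: a minimal re-creation of the
# "grep the binary for rootkit strings" check described in the thread.
# ARK_PATTERN is the netstat signature list quoted in the reply; everything
# else (function names, sample files, sample bytes) is constructed here.

ARK_PATTERN='/dev/hdl0|/dev/xdta|/dev/ttyoa|/dev/pty[pqrsx]|/dev/cui|/dev/hdn0|/dev/cui221|/dev/dszy|/dev/ddth3|/dev/caca|/prof|/dev/tux'

# scan_binary FILE
# Prints each distinct signature string found in FILE, one per line.
# Exit status 0 = at least one string matched (chkrootkit would print
# "INFECTED"; read it as "investigate"), 1 = nothing matched.
scan_binary() {
    # -a: treat the ELF file as text so grep does not stop at NUL bytes
    # -o: print only the matched string, not the whole "line" around it
    # -E: extended regex, needed for the | alternation and [pqrsx]
    matches=$(grep -aoE "$ARK_PATTERN" "$1" 2>/dev/null | sort -u)
    [ -n "$matches" ] || return 1
    printf '%s\n' "$matches"
}

# make_samples DIR
# Writes two constructed files into DIR: "fake_netstat" carries one of the
# signature strings embedded among NUL bytes, the way a trojaned binary
# would; "clean_netstat" carries only a harmless /proc path. Demo data only.
make_samples() {
    printf 'ELF\000\000netstat\000/dev/ptyq\000hidden\000' > "$1/fake_netstat"
    printf 'ELF\000\000netstat\000/proc/net/tcp\000' > "$1/clean_netstat"
}

# report FILE
# Human-readable wrapper around scan_binary for stand-alone use.
report() {
    if hits=$(scan_binary "$1"); then
        echo "$1: signature string(s) present, investigate:"
        printf '    %s\n' $hits
    else
        echo "$1: no signature strings found"
    fi
}

# Stand-alone demo against the constructed samples.
demo() {
    tmp=$(mktemp -d)
    make_samples "$tmp"
    report "$tmp/fake_netstat"
    report "$tmp/clean_netstat"
    rm -rf "$tmp"
}

demo
```

To look at a real program the way chkrootkit does, call `scan_binary` on its path (for example `/bin/netstat`, an assumed location). Because this is only a substring match, a legitimate binary that happens to contain one of these strings will also be flagged, which is exactly the false-positive case Richard describes; the follow-up is to compare the file against a known-good copy from the vendor package and, as he suggests, to read the chkrootkit script itself to see what each test is keyed on.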