[Cialug] rootkit
Josh More
cialug@cialug.org
Thu, 10 Mar 2005 10:06:05 -0600
The checks not getting done are generally indicative of running
checkrootkit as: /usr/local/checkrootkit/chkrootkit
instead of: cd /usr/local/checkrootkit/; ./chkrootkit
The system does not look outside of ./ to find its helper apps.
Run chkrootkit properly, then use rkhunter. Then you can have fun
determining what changed. Just bear in mind that since any
file might have been altered, you can't trust anything, even
the package verification database.
--
-Josh More, RHCE, CISSP
morej@alliancetechnologies.net
515-245-7701
On Thu, 2005-03-10 at 10:00 -0600, Daniel Wittenberg wrote:
> Looks like you also aren't getting some of the checks done too -
>
> Definitely looks like a problem to me...
>
> Dan
>
> On Thu, 2005-03-10 at 09:47 -0600, admin wrote:
> > consistent 5 times over.
> >
> > Checking `ifconfig'... INFECTED
> > Checking `ldsopreload'... can't exec ./strings-static, not tested
> > Checking `pstree'... INFECTED
> > Searching for t0rn's v8 defaults... Possible t0rn v8 \(or variation\)
> > rootkit installed
> > Searching for Showtee... Warning: Possible Showtee Rootkit installed
> > Searching for Romanian rootkit... /usr/include/file.h /usr/include/proc.h
> > Checking `sniffer'... not tested: can't exec ./ifpromisc
> > Checking `wted'... not tested: can't exec ./chkwtmp
> > Checking `z2'... not tested: can't exec ./chklastlog
> > Checking `chkutmp'... not tested: can't exec ./chkutmp
> > ---------------------
> > admin@c0wzftp.com
> > Administrator - Email Service
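
An added example, not part of the original thread: a small shell wrapper that runs chkrootkit from its own directory, as the reply recommends, and summarizes a saved run so that skipped checks are not mistaken for clean ones. The function names are hypothetical, the install path is the one quoted in the message, and the sample lines are copied from the output quoted above.

```shell
#!/bin/sh
# Install path as quoted in the thread; override CHKROOTKIT_DIR if yours differs.
CHKROOTKIT_DIR="${CHKROOTKIT_DIR:-/usr/local/checkrootkit}"

# Run chkrootkit from inside its directory so ./ifpromisc, ./chkwtmp,
# ./chklastlog and the other helpers resolve. The subshell keeps the
# caller's working directory unchanged.
run_chkrootkit() {
    ( cd "$CHKROOTKIT_DIR" && ./chkrootkit "$@" )
}

# Read chkrootkit output on stdin; print each helper that could not be run.
missing_helpers() {
    sed -n "s/.*can't exec \(\.\/[A-Za-z0-9_-]*\).*/\1/p" | sort -u
}

# Read chkrootkit output on stdin; print "infected=N skipped=M".
summarize() {
    awk '/INFECTED/ {i++} /not tested/ {s++}
         END {printf "infected=%d skipped=%d\n", i, s}'
}

# Constructed sample: lines taken from the output quoted in this thread.
sample_output() {
    cat <<'EOF'
Checking `ifconfig'... INFECTED
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `pstree'... INFECTED
Checking `sniffer'... not tested: can't exec ./ifpromisc
Checking `wted'... not tested: can't exec ./chkwtmp
Checking `z2'... not tested: can't exec ./chklastlog
Checking `chkutmp'... not tested: can't exec ./chkutmp
EOF
}

# Demo on the sample; on a real host pipe run_chkrootkit 2>&1 instead.
sample_output | summarize
sample_output | missing_helpers
```

A non-zero `skipped` count means the run is incomplete and should be repeated from the chkrootkit directory before the results are read.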