Your message dated Tue, 25 Nov 2008 23:02:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#479187: fixed in chkrootkit 0.48-7
has caused the Debian Bug report #479187,
regarding chkrootkit report all files as suspicious, without whitespace
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)

--
479187: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=479187
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: chkrootkit
Version: 0.48-2
Severity: important

Hello,

after upgrading chkrootkit to 0.48-2 it generates now the following output:

The following suspicious files and directories were found:
/usr/lib/jvm/.java-gcj.jinfo
/usr/lib/icedove/.autoreg
/usr/lib/iceweasel/.autoreg
/usr/lib/xulrunner/.autoreg
/usr/lib/electric/.cadrc
/lib/init/rw/.ramfs

//bin/bin/arch/bin/ash/bin/bash/bin/bunzip2/bin/busybox/bin/bzcat/bin/bzcmp/bin/bzdiff/bin/bzegrep/bin/bzexe/bin/bzfgrep/bin/bzgrep/bin/bzip2/bin/bzip2recover/bin/bzless/bin/bzmore/bin/cat/bin/chgrp/bin/chmod/bin/chown/bin/con2fbmap/bin/cp/bin/cpio/bin/csh/bin/dash/bin/date/bin/dd/bin/df/bin/dir/bin/dmesg/bin/dnsdomainname/bin/echo/bin/ed/bin/egrep/bin/false/bin/fbset/bin/fgconsole/bin/fgrep/bin/fuser/bin/grep/bin/gunzip/bin/gzexe/bin/gzip/bin/hostname/bin/ip/bin/kernelversion/bin/kill/bin/ksh/bin/ln/bin/loadkeys/bin/login/bin/ls/bin/lsmod/bin/lsmod.modutils/bin/lspci/bin/mkdir/bin/mknod/bin/mktemp/bin/modeline2fb/bin/more/bin/mount/bin/mountpoint/bin/mt/bin/mt-gnu/bin/mv/bin/nc/bin/netcat/bin/netstat/bin/pdksh/bin/pidof/bin/ping/bin/ping6/bin/ps/bin/pwd/bin/rbash/bin/readlink/bin/rm/bin/rmdir/bin/run-parts/bin/rzsh/bin/sed/bin/setpci/bin/setserial/bin/sh/bin/sleep/bin/stty/bin/su/bin/sync/bin/tar/bin/tcsh/bin/tempfile/bin/touch/bin/true/bin/umount/bin/uname/bin/uncompress/bin/vdir/bin/which/bin/zcat/bin/zcmp/bin/zdiff/bin/zegrep/bin/zfgrep/bin/zforce/bin/zgrep/bin/zless/bin/zmore/bin/znew/bin/zsh/bin/zsh4/boot/boot/config-2.6.18-5-amd64/boot/grub/boot/grub/default/boot/grub/device.map/boot/grub/device.map~/boot/grub/e2fs_stage1_5/boot/grub/fat_stage1_5/boot/grub/jfs_stage1_5/boot/grub/menu.lst/boot/grub/menu.lst~/boot/grub/minix_stage1_5/boot/grub/reiserfs_stage1_5/boot/grub/splashimages/boot/grub/splashimages/bike_gua.xpm.gz/boot/grub/splashimages/biosplash.xpm.gz/boot/grub/splashimages/CRW_7206_14.xpm.gz/boot/grub/splashimages/debsplash.xpm.gz/boot/grub/splashimages/fiesta.xpm.gz/boot/grub/splashimages/gentleblue.xpm.gz/boot/grub/splashimages/guitar.xpm.gz/boot/grub/stage1/boot/grub/stage2/boot/grub/xfs_stage1_5/boot/initrd.img/boot/initrd.img-2.6.17-2-amd64.bak/boot/initrd.img-2.6.18-5-amd64/boot/initrd.img-2.6.18-5-amd64.bak/boot/memtest86+.bin/boot/System.map-2.6.18-5-amd64/boot/vmlinuz/boot/vmlinuz-2.6.18-5-amd64
[SNIP]

All files are now listed as suspicious. And to make it even worse they
are printed without any whitespace. This results in an e-mail from the
cronjob which has one line and 27MB size. (Which makes the mail viewer
or editor very busy.)

When called

    bash -x /usr/sbin/chkrootkit > /tmp/chkroot.out 2>&1

it delivers the following (excerpt):

+ printn 'Searching for ENYELKM rootkit default files... '
++ /bin/echo 'a\c'
++ /bin/egrep c
+ /bin/echo -n 'Searching for ENYELKM rootkit default files... '
Searching for ENYELKM rootkit default files... + '[' -d /etc/.enyelkmOCULTAR.ko ']'
+ '[' '' '!=' t ']'
+ echo 'nothing found'
nothing found
+ '[' '' '!=' t ']'
+ printn 'Searching for common ssh-scanners default files... '
++ /bin/echo 'a\c'
++ /bin/egrep c
+ /bin/echo -n 'Searching for common ssh-scanners default files... '
Searching for common ssh-scanners default files... ++ /usr/bin/find /tmp /var/tmp -name vuln.txt -o -name ssh-scan -o -name pscan2
+ files=
+ '[' '' = '' ']'
+ '[' '' '!=' t ']'
+ echo 'nothing found'
nothing found
+ '[' '' '!=' t ']'
+ printn 'Searching for suspect PHP files... '
++ /bin/echo 'a\c'
++ /bin/egrep c
+ /bin/echo -n 'Searching for suspect PHP files... '
Searching for suspect PHP files... ++ /usr/bin/find /tmp /var/tmp -name '*.php'
+ files=
++ /usr/bin/find /tmp /var/tmp -type f -exec head -1 '{}' ';'
++ grep php
+ fileshead='//bin/bin/arch/bin/ash/bin/bash/bin/bunzip2/bin/busybox/bin/bzcat/
bin/bzcmp/bin/bzdiff/bin/bzegrep/bin/bzexe/bin/bzfgrep/bin/bzgrep/bin/bzip2/
bin/bzip2recover/bin/bzless/bin/bzmore/bin/cat/bin/chgrp/bin/chmod/bin/chown/
bin/con2fbmap/bin/cp/bin/cpio/bin/csh/bin/dash/bin/date/bin/dd/bin/df/bin/dir/
bin/dmesg/bin/dnsdomainname/bin/echo/bin/ed/bin/egrep/bin/false/bin/fbset/bin/
fgconsole/bin/fgrep/bin/fuser/bin/grep/bin/gunzip/bin/gzexe/bin/gzip/bin/
hostname/bin/ip/bin/kernelversion/bin/kill/bin/ksh/
[SNIP]

Greetings
Juergen

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.24-1-amd64 (SMP w/1 CPU core)
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages chkrootkit depends on:
ii  binutils         2.18.1~cvs20080103-4+b1  The GNU assembler, linker and bina
ii  debconf [debconf 1.5.21                   Debian configuration management sy
ii  libc6            2.7-10                   GNU C Library: Shared libraries
ii  net-tools        1.60-19                  The NET-3 networking toolkit
ii  procps           1:3.2.7-8                /proc file system utilities

chkrootkit recommends no packages.

-- debconf information:
* chkrootkit/run_daily: true
* chkrootkit/run_daily_opts: -q -n
* chkrootkit/diff_mode: true
--- End Message ---
--- Begin Message ---
Source: chkrootkit
Source-Version: 0.48-7

We believe that the bug you reported is fixed in the latest version of
chkrootkit, which is due to be installed in the Debian FTP archive:

chkrootkit_0.48-7.diff.gz
  to pool/main/c/chkrootkit/chkrootkit_0.48-7.diff.gz
chkrootkit_0.48-7.dsc
  to pool/main/c/chkrootkit/chkrootkit_0.48-7.dsc
chkrootkit_0.48-7_amd64.deb
  to pool/main/c/chkrootkit/chkrootkit_0.48-7_amd64.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <[EMAIL PROTECTED]> (supplier of updated chkrootkit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

Format: 1.8
Date: Tue, 25 Nov 2008 12:09:17 +0100
Source: chkrootkit
Binary: chkrootkit
Architecture: source amd64
Version: 0.48-7
Distribution: unstable
Urgency: low
Maintainer: Giuseppe Iuculano <[EMAIL PROTECTED]>
Changed-By: Giuseppe Iuculano <[EMAIL PROTECTED]>
Description:
 chkrootkit - rootkit detector
Closes: 477945 479187 497253 506721
Changes:
 chkrootkit (0.48-7) unstable; urgency=low
 .
   * New maintainer, thanks to Francois Marier for the prior work on
     chkrootkit. (Closes: #506721)
   * debian/patches/fixwarnings.dpatch: Some little fixes to silence compiler.
   * added debian/README.source to document dpatch usage, as required by
     Debian Policy since 3.8.0
   * debian/control:
     + Set me as maintainer
     + set DM-Upload-Allowed: yes control field
     + Added ${misc:Depends} in Depends
   * debian/patches/nophpcheck.dpatch: Delete the "suspect PHP files" check.
     Not only does it trigger SIGPIPE for file names which contain special
     unescaped characters, the second half is doubtful (it doesn't print any
     filenames and gets confused by binary file contents). (Closes: #479187)
   * debian/patches/logpath.dpatch: Read logs from /var/log instead of /var/adm
   * debian/patches/procpsv3.dpatch: Let chkproc default to procps version 3.
     (Closes: #477945) (Closes: #497253)
--- End Message ---
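
The changelog entry for nophpcheck.dpatch says the second half of the "suspect PHP files" check prints no filenames and is confused by file contents. The sketch below is an added example, not part of this thread or of the Debian patch (which deletes the check outright): old_check is the pipeline visible in the bash -x trace, while make_fixture, safer_check and the three sample files are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Constructed fixture: three files standing in for the contents of /tmp.
make_fixture() {
    dir=$1
    # One-line listing without a trailing newline that merely mentions "php".
    printf '%s' '/bin/bash/bin/cat/usr/bin/php5/bin/zsh' > "$dir/listing.out"
    printf '<?php echo 1; ?>\n' > "$dir/dropped.txt"
    printf 'plain notes\n' > "$dir/notes.txt"
}

# Pipeline from the trace: prints every first LINE containing "php",
# never the name of the file it came from. Files lacking a final newline
# run into the next file's output.
old_check() {
    find "$1" -type f -exec head -1 {} \; | grep php
}

# Hypothetical alternative: bounded read, anchored match, filenames reported.
# Names reach the inner shell as arguments, so they are never re-parsed.
safer_check() {
    find "$1" -type f -exec sh -c '
        for f do
            # At most 64 bytes are read, so a huge one-line file is cheap;
            # tr drops NUL bytes that binary files would inject.
            first=$(head -c 64 "$f" | tr -d "\000" | head -n 1)
            case $first in
                "<?php"*|"#!"*php*) printf "%s\n" "$f" ;;
            esac
        done' sh {} +
}

# Stand-alone demonstration on the constructed fixture.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
echo "old check output (file contents):"
old_check "$demo_dir"
echo "safer check output (file names):"
safer_check "$demo_dir"
rm -rf "$demo_dir"
```

With the fixture above, the old pipeline emits the listing's contents because the string "php" appears somewhere in its first line, while the anchored check names only the file that actually starts with a PHP opening tag.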

