-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Package: chkrootkit
Version: 0.48-2
Severity: important
Hello,
after upgrading chkrootkit to 0.48-2, it now generates the following output:
The following suspicious files and directories were found:
/usr/lib/jvm/.java-gcj.jinfo /usr/lib/icedove/.autoreg
/usr/lib/iceweasel/.autoreg /usr/lib/xulrunner/.autoreg
/usr/lib/electric/.cadrc /lib/init/rw/.ramfs
//bin/bin/arch/bin/ash/bin/bash/bin/bunzip2/bin/busybox/bin/bzcat/bin/bzcmp/bin/bzdiff/bin/bzegrep/bin/bzexe/bin/bzfgrep/bin/bzgrep/bin/bzip2/bin/bzip2recover/bin/bzless/bin/bzmore/bin/cat/bin/chgrp/bin/chmod/bin/chown/bin/con2fbmap/bin/cp/bin/cpio/bin/csh/bin/dash/bin/date/bin/dd/bin/df/bin/dir/bin/dmesg/bin/dnsdomainname/bin/echo/bin/ed/bin/egrep/bin/false/bin/fbset/bin/fgconsole/bin/fgrep/bin/fuser/bin/grep/bin/gunzip/bin/gzexe/bin/gzip/bin/hostname/bin/ip/bin/kernelversion/bin/kill/bin/ksh/bin/ln/bin/loadkeys/bin/login/bin/ls/bin/lsmod/bin/lsmod.modutils/bin/lspci/bin/mkdir/bin/mknod/bin/mktemp/bin/modeline2fb/bin/more/bin/mount/bin/mountpoint/bin/mt/bin/mt-gnu/bin/mv/bin/nc/bin/netcat/bin/netstat/bin/pdksh/bin/pidof/bin/ping/bin/ping6/bin/ps/bin/pwd/bin/rbash/bin/readlink/bin/rm/bin/rmdir/bin/run-parts/bin/rzsh/bin/sed/bin/setpci/bin/setserial/bin/sh/bin/sleep/bin/stty/bin/su/bin/sync/bin/tar/bin/tcsh/bin/tempfile/bin/touch/bin/true/bin/umount/bin/uname/bin/uncompress/bi
n/vdir/bin/which/bin/zcat/bin/zcmp/bin/zdiff/bin/zegrep/bin/zfgrep/bin/zforce/bin/zgrep/bin/zless/bin/zmore/bin/znew/bin/zsh/bin/zsh4/boot/boot/config-2.6.18-5-amd64/boot/grub/boot/grub/default/boot/grub/device.map/boot/grub/device.map~/boot/grub/e2fs_stage1_5/boot/grub/fat_stage1_5/boot/grub/jfs_stage1_5/boot/grub/menu.lst/boot/grub/menu.lst~/boot/grub/minix_stage1_5/boot/grub/reiserfs_stage1_5/boot/grub/splashimages/boot/grub/splashimages/bike_gua.xpm.gz/boot/grub/splashimages/biosplash.xpm.gz/boot/grub/splashimages/CRW_7206_14.xpm.gz/boot/grub/splashimages/debsplash.xpm.gz/boot/grub/splashimages/fiesta.xpm.gz/boot/grub/splashimages/gentleblue.xpm.gz/boot/grub/splashimages/guitar.xpm.gz/boot/grub/stage1/boot/grub/stage2/boot/grub/xfs_stage1_5/boot/initrd.img/boot/initrd.img-2.6.17-2-amd64.bak/boot/initrd.img-2.6.18-5-amd64/boot/initrd.img-2.6.18-5-amd64.bak/boot/memtest86+.bin/boot/System.map-2.6.18-5-amd64/boot/vmlinuz/boot/vmlinuz-2.6.18-5-amd64
[SNIP]
All files are now listed as suspicious.
And to make it even worse, they are printed without any whitespace.
This results in an e-mail from the cronjob that consists of one line and is 27 MB in size.
(Which keeps the mail viewer or editor very busy.)
When called as
bash -x /usr/sbin/chkrootkit > /tmp/chkroot.out 2>&1
it delivers the following (excerpt):
+ printn 'Searching for ENYELKM rootkit default files... '
++ /bin/echo 'a\c'
++ /bin/egrep c
+ /bin/echo -n 'Searching for ENYELKM rootkit default files... '
Searching for ENYELKM rootkit default files... + '[' -d
/etc/.enyelkmOCULTAR.ko ']'
+ '[' '' '!=' t ']'
+ echo 'nothing found'
nothing found
+ '[' '' '!=' t ']'
+ printn 'Searching for common ssh-scanners default files... '
++ /bin/echo 'a\c'
++ /bin/egrep c
+ /bin/echo -n 'Searching for common ssh-scanners default files... '
Searching for common ssh-scanners default files... ++ /usr/bin/find /tmp
/var/tmp -name vuln.txt -o -name ssh-scan -o -name pscan2
+ files=
+ '[' '' = '' ']'
+ '[' '' '!=' t ']'
+ echo 'nothing found'
nothing found
+ '[' '' '!=' t ']'
+ printn 'Searching for suspect PHP files... '
++ /bin/echo 'a\c'
++ /bin/egrep c
+ /bin/echo -n 'Searching for suspect PHP files... '
Searching for suspect PHP files... ++ /usr/bin/find /tmp /var/tmp -name
'*.php'
+ files=
++ /usr/bin/find /tmp /var/tmp -type f -exec head -1 '{}' ';'
++ grep php
+
fileshead='//bin/bin/arch/bin/ash/bin/bash/bin/bunzip2/bin/busybox/bin/bzcat/
bin/bzcmp/bin/bzdiff/bin/bzegrep/bin/bzexe/bin/bzfgrep/bin/bzgrep/bin/bzip2/
bin/bzip2recover/bin/bzless/bin/bzmore/bin/cat/bin/chgrp/bin/chmod/bin/chown/
bin/con2fbmap/bin/cp/bin/cpio/bin/csh/bin/dash/bin/date/bin/dd/bin/df/bin/dir/
bin/dmesg/bin/dnsdomainname/bin/echo/bin/ed/bin/egrep/bin/false/bin/fbset/bin/
fgconsole/bin/fgrep/bin/fuser/bin/grep/bin/gunzip/bin/gzexe/bin/gzip/bin/
hostname/bin/ip/bin/kernelversion/bin/kill/bin/ksh/ [SNIP]
Greetings
Juergen
- -- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.24-1-amd64 (SMP w/1 CPU core)
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages chkrootkit depends on:
ii binutils 2.18.1~cvs20080103-4+b1 The GNU assembler, linker and bina
ii debconf [debconf 1.5.21 Debian configuration management sy
ii libc6 2.7-10 GNU C Library: Shared libraries
ii net-tools 1.60-19 The NET-3 networking toolkit
ii procps 1:3.2.7-8 /proc file system utilities
chkrootkit recommends no packages.
- -- debconf information:
* chkrootkit/run_daily: true
* chkrootkit/run_daily_opts: -q -n
* chkrootkit/diff_mode: true
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFIHHl95JgLPmj5988RAkfYAJ9lAPzsVk5anZEH6LzeT1fC2gTC3QCgoZle
DvGP7cMIX2JP6BHA1cPizFU=
=88vP
-----END PGP SIGNATURE-----
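The bash -x trace in the report shows where the output comes from: the "suspect PHP files" step runs `find /tmp /var/tmp -type f -exec head -1 '{}' ';' | grep php`, so what ends up in `fileshead` is the *content* of the first line of every file whose first line mentions "php", not the names of those files. A first line with no trailing newline (a file that is one huge run of paths, as in the report) is glued straight onto the next file's first line, which is exactly the whitespace-free dump the cronjob mailed. The script below is an added example, not chkrootkit's own code: it reproduces that check against a scratch directory of constructed files and shows a corrected variant that reports the file name of every match, one per line. The file names and their contents are invented for the demonstration.

```shell
#!/bin/sh
# Added example (not part of chkrootkit): reproduce the "suspect PHP files"
# check seen in the bash -x trace, and a corrected variant.
# Uses a scratch directory created here instead of /tmp and /var/tmp.

setup_fixture() {
  dir=$(mktemp -d)
  # Constructed sample files for the demonstration:
  # PHP code hiding under a non-.php name (the case the check is meant to catch)
  printf '<?php echo 1; ?>\n' > "$dir/shell.txt"
  # "php" appears only on the second line, so a first-line check must ignore it
  printf 'just notes\nphp mentioned later\n' > "$dir/notes"
  # A file whose first (and only) line is a long run of paths containing "php"
  # and has no trailing newline; imitates the listing the bug report's /tmp held
  printf '/bin/bin/arch/bin/ash/usr/share/php/usr/bin/bash' > "$dir/listing"
  printf '%s\n' "$dir"
}

# What the trace shows chkrootkit doing: grep the first line of each file and
# keep the matching line CONTENT. Lines without a trailing newline are joined
# to the next file's first line, so the result is one long run with no spaces.
buggy_check() {
  find "$1" -type f -exec head -1 '{}' ';' 2>/dev/null | grep php
}

# Corrected variant: test each file's first line separately and print the
# NAME of each file whose first line matches, one per line.
fixed_check() {
  find "$1" -type f -print 2>/dev/null | while IFS= read -r f; do
    if head -n 1 "$f" 2>/dev/null | grep -q php; then
      printf '%s\n' "$f"
    fi
  done
  return 0
}

# Stand-alone demonstration
d=$(setup_fixture)
echo "buggy check reports (file content, possibly glued together):"
buggy_check "$d"
echo
echo "fixed check reports (file names):"
fixed_check "$d"
rm -rf "$d"
```

The order in which `find` visits the files is filesystem-dependent, so the exact shape of the buggy output varies, but it never contains a path under the scratch directory, only file content; the fixed variant lists `shell.txt` and `listing` and skips `notes`, because only the first line is examined in both versions.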