The console file itself looks like a legit config file dealing with fonts etc. Here's a reference: http://susefaq.sourceforge.net/faq/admin2.html So you mean that in spite of the message from OSSEC there's actually no load.zk present in /etc/sysconfig/? Strange indeed. The second trigger for the ZK rootkit is the presence of a usr/bin/run executable; check if it exists. To double-check you may run chkrootkit (www.chkrootkit.org); in fact it looks for the same triggers (load.zk and usr/bin/run).
BTW, an interesting rootkit - there're dozens of requests on Google for more info about it and no answers so far. And here comes my question - does anyone have an idea where to look for it (in any form - binary, source code)?

----- Original Message -----
> I'm using a preview version of SUSE SLED 10.
> Here is the alert:
> <clip>
>
> ** Alert 1154021500.0: mail
> 2006 Jul 27 12:31:40 Suse10-1->rootcheck
> Rule: 14 (level 8) -> 'Rootkit detection engine message'
> Src IP: (none)
> User: (none)
> Rootkit 'ZK' detected by the presence of file
> '/etc/sysconfig/console/load.zk'.
>
> </clip>
>
> The contents of the file (it's not a directory)
> at /etc/sysconfig/console are:
>
> <clip>
>
> ## Path: Hardware/Console
> ## Description: Text console settings (see also Hardware/Keyboard)
> ## Type: string
> ## Default: ""
> ## ServiceRestart: kbd
> #
> # Console settings.
> # Note: The KBD_TTY setting from Hardware/Keyboard (sysconfig/keyboard)
> # also applies for the settings here.
> #
> # Load this console font on bootup:
> # (/usr/share/kbd/consolefonts/)
> #
> CONSOLE_FONT="lat9w-16.psfu"
>
> ## Type: string
> ## Default: ""
> #
> # Some fonts come without a unicode map.
> # (.psfu fonts supposedly have it, others often not.)
> # You can then specify the unicode mapping of your font
> # explicitly. (/usr/share/kbd/unimaps/)
> # Normally not needed.
> #
> CONSOLE_UNICODEMAP=""
>
> ## Type: string
> ## Default: ""
> #
> # Most programs output 8 bit characters, so you need a table to
> # translate those characters into unicode. That one can be specified
> # here. (/usr/share/kbd/consoletrans/)
> # (Note: If your console is in utf-8 mode you don't need this.)
> # If your code does not use a unicode mapping at all (because you
> # e.g. explicitly specified UNICODEMAP="none") you may circumvent
> # the translation via unicode, but load a map which directly maps
> # 8 bit output of your program to a font position.
> #
> CONSOLE_SCREENMAP="trivial"
>
> ## Type: string
> ## Default: ""
> #
> # for some fonts the console has to be initialized with CONSOLE_MAGIC.
> # CONSOLE_MAGIC can be empty or have the values "(B", ")B", "(K" or ")K".
> # Normally not needed (automatically handled by setfont).
> #
> CONSOLE_MAGIC="(K"
> ## Path: System/Console/Framebuffer
> ## Description: Framebuffer configuration
> ## Type: string
> ## Default: ""
> #
> # You may want to load a framebuffer display driver into your kernel
> # in order to be able to change graphics modes etc. with fbset in
> # console mode.
> #
> # Notes: Most people won't enter anything here, as:
> # * it won't work if you have vesafb already active
> # * its advantageous to have fb support compiled into your kernel
> # * Some XFree86 drivers (especially in XFree86-4.x) don't work
> #   too well, if you enable framebuffer text mode.
> #
> # Example:
> # FB_MODULES="matroxfb_base vesa=0x182 fv=85 matroxfb_maven matroxfb_crtc2"
> #
> FB_MODULES=""
>
> ## Type: string
> ## Default: ""
> #
> # In case your kernel has framebuffer support (or you loaded the framebuffer
> # support into your kernel as a module above), you may want to change the
> # resolution or other parameters. This is done by secifying the parameters
> # to fbset. Use a mode from /etc/fb-modes and additional parameters as
> # -a, -depth <BPP>, -vyres <VYRES>, ... (See fbset manpage and/or fbset -h).
> #
> # Notes:
> # * vesafb does not (currently) support changing the display mode
> # * BEWARE! Don't set modes your monitor can't do. Watch out for the maximum
> #   horizontal frequency. Old monitors might even be damaged if you exceed
> #   their capabilities.
> #
> # Example:
> # FBSET_PARAMS="-a -depth 16 768x576-90 -vyres 10240"
> #
> FBSET_PARAMS=""
>
> # Encoding used for output of non-ascii characters.
> #
> CONSOLE_ENCODING="UTF-8"
>
> </clip>
>
> Thanks,
> Joe
>
> On Sun, 2006-07-30 at 19:51 -0300, Daniel Cid wrote:
> > Which operating system are you using (uname -a)? I never saw any
> > system using this file load.zk, but it can be a false positive
> > (it happened before with other files). Can you also show us the
> > content of it?
> >
> > Thanks for the report.
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
> > On 7/30/06, Joe Barr <[EMAIL PROTECTED]> wrote:
> > > Has anyone seen false positives on a ZK Rootkit alert referring
> > > to /etc/sysconfig/console/load.zk? I've gotten it twice on a brand new
> > > installation, with nothing having been done other than to install
> > > OSSEC-HIDS.
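The thread turns on one detail: on this SUSE box `/etc/sysconfig/console` is a regular file, so a path like `/etc/sysconfig/console/load.zk` cannot exist at all, and a file-presence check has to tell that case apart from a real hit. The script below is an added example (not OSSEC's rootcheck code, nor chkrootkit's) that re-checks the two ZK indicators named in the thread, `etc/sysconfig/console/load.zk` and `usr/bin/run`, against a root directory and reports a distinct result when an intermediate path component is a file (the kernel answers `ENOTDIR`). The two fixture trees it builds are constructed for the demo; the function and status names are this example's own, and how OSSEC itself arrived at the alert is not claimed here.

```python
import errno
import os
import stat
import tempfile

# The two ZK indicators quoted in the thread. Paths are relative so the scan can
# be pointed at "/" on a live host or at a mounted image / constructed tree.
ZK_INDICATORS = ("etc/sysconfig/console/load.zk", "usr/bin/run")


def classify_path(root, rel):
    """Classify one indicator path under `root`.

    Returns one of (names chosen for this example):
      'present'        - a regular file exists at the path
      'absent'         - nothing exists there (ENOENT)
      'parent-is-file' - an intermediate component is a regular file, so the
                         indicator cannot exist; this is the SUSE
                         /etc/sysconfig/console case from the thread
      'other'          - something exists but is not a regular file
    """
    full = os.path.join(root, rel)
    try:
        st = os.lstat(full)
    except OSError as e:
        if e.errno == errno.ENOTDIR:
            return "parent-is-file"
        if e.errno == errno.ENOENT:
            return "absent"
        raise
    return "present" if stat.S_ISREG(st.st_mode) else "other"


def scan(root):
    """Map every ZK indicator to its classification under `root`."""
    return {rel: classify_path(root, rel) for rel in ZK_INDICATORS}


def build_suse_like_tree(root):
    """Constructed fixture: /etc/sysconfig/console is a regular config file,
    as on the SLED 10 system in the thread, and /usr/bin/run is absent."""
    os.makedirs(os.path.join(root, "etc", "sysconfig"))
    with open(os.path.join(root, "etc", "sysconfig", "console"), "w") as f:
        f.write('CONSOLE_FONT="lat9w-16.psfu"\n')
    os.makedirs(os.path.join(root, "usr", "bin"))


def build_hit_tree(root):
    """Constructed fixture: both indicators exist as regular (empty) files."""
    os.makedirs(os.path.join(root, "etc", "sysconfig", "console"))
    with open(os.path.join(root, "etc", "sysconfig", "console", "load.zk"), "w"):
        pass
    os.makedirs(os.path.join(root, "usr", "bin"))
    with open(os.path.join(root, "usr", "bin", "run"), "w"):
        pass


def demo():
    """Run the scan over both constructed trees and return the two results."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        build_suse_like_tree(a)
        build_hit_tree(b)
        return scan(a), scan(b)


if __name__ == "__main__":
    suse_like, hit = demo()
    print("SUSE-like tree:", suse_like)
    print("tree with both indicators:", hit)
```

Pointing `scan("/")` at a live host reproduces the manual step suggested in the reply (look for `/usr/bin/run` as well), and a `parent-is-file` result for the `load.zk` path is exactly the situation Joe describes: the alert names a path under a component that is a plain file.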
