Quoting Optimus ([EMAIL PROTECTED]):

> I think my Linux Mandrake 9.0 is infected with a new rootkit.

Doubt. Detailed below.

> I currently use chkrootkit version 0.41-1mdk. A scan turns up negative, but I
> find interesting dates and entries in my /dev directory

Which entries? Yes, something wrote some screwy dates. That doesn't support
your conclusion.

> Here are other errors that I've encountered with msec:
> Sep 9 23:01:02 desktop msec: set variable CHKROOTKIT_CHECK to no in
> /var/lib/msec/security.conf

Did you? That doesn't support your conclusion, either.

> Here are others:
> Sep 11 11:39:30 desktop depmod: *** Unresolved symbols in
> /lib/modules/2.4.19-16mdk/kernel/arch/i386/mki-adapter/mki-adapter.o

Nor that.

> How do I remove this rootkit?

What rootkit?

OK, it's time to talk about what a rootkit is. A rootkit is a set of
replacements for common system utilities that an intruder installs on your
system to conceal his presence and activities from you. It is _not_ an attack
tool, but rather a post-attack concealment tool.

> I've been hit by this rootkit before....

Accordingly, you cannot be "hit" by a rootkit. A rootkit (if any) is not the
path by which an attacker enters your system. It's an aftereffect that often
follows a successful break-in.

> ...and no matter how many times I repartition and reinstall the OS,
> the rootkit still appears.

What rootkit? Moreover, and more to the immediate point, what break-in?

If you have reason to think you've suffered a break-in, now or in the past,
you haven't yet presented it. Are you running software with known
vulnerabilities, particularly network daemons accessible from remote? (Do you
apply all available software updates, especially those for network daemons,
_before_ exposing your machine to potentially hostile networks?) Do you have
remote users, including yourself? Do you or any of those users either re-use
passwords on multiple systems, or gain remote access from one or more hosts
that might be compromised?

But _please start_ with the basic question of why you think there's a
security compromise. We haven't heard it yet.

> This rootkit runs until such time it decides to write random garbage to my
> data and takes down the hard drive with a "missing operating system" message
> at bootup.

1. That would not be a rootkit.
2. How do you know that some intruder-installed system does this?
3. When you boot maintenance media, what do you find on the hard drive when
   that effect happens?

-- 
Cheers,                The cynics among us might say: "We laugh, monkeyboys --
Rick Moen              Linux IS the mainstream UNIX now! MuaHaHaHa!"
[EMAIL PROTECTED]      but that would be rude. -- Jim Dennis

--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
Are you a Linux newbie? To join the newbie list, go to http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
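Two checks that would actually produce the kind of evidence the reply asks for, as an added example that is not part of the thread: regular files sitting in /dev (which should hold only device nodes, directories, symlinks and FIFOs) and a package-manager verification of installed binaries on an RPM-based system such as Mandrake 9.0. The ROOT variable and the function names are this example's own assumptions; run it from trusted maintenance media with the suspect filesystem mounted, since a verification run on a system whose tools may have been replaced proves nothing.

```shell
#!/bin/sh
# Added example, not from the original thread. ROOT is an assumed variable
# naming the mount point of the suspect root filesystem (default: /).

# List regular files under a /dev directory. Device nodes, directories,
# symlinks and FIFOs are expected there; a regular file is not, and is
# worth explaining, because concealment kits often keep their files there.
find_regular_files_in_dev() {
    dev_dir="$1"
    find "$dev_dir" -type f 2>/dev/null | LC_ALL=C sort
}

# Verify every installed package's files against the RPM database
# (S=size, 5=MD5 sum, M=mode, U=user, G=group, T=mtime). Only files that
# differ are printed; silence means no discrepancy. The result is only as
# trustworthy as the database under $root/var/lib/rpm, hence the advice
# to do this from maintenance media. Returns 2 when rpm is not installed.
verify_rpm_files() {
    root="${1:-/}"
    command -v rpm >/dev/null 2>&1 || return 2
    rpm --root "$root" -Va 2>/dev/null
}

main() {
    root="${ROOT:-/}"
    echo "== regular files under ${root%/}/dev =="
    find_regular_files_in_dev "${root%/}/dev"
    echo "== rpm -Va discrepancies =="
    verify_rpm_files "$root" || echo "(rpm unavailable or files differ; see above)"
}

# Only run the checks when explicitly asked, so sourcing the file is safe.
if [ "${RUN_CHECKS:-0}" = 1 ]; then
    main
fi
```

Usage: `RUN_CHECKS=1 ROOT=/mnt/suspect sh check.sh` from a rescue boot; an empty /dev listing and a quiet rpm -Va are what "no evidence of compromise" looks like, while hits are leads to investigate, not proof.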
