Hi, I am on a Debian derivative called sidux, which is not a server recommended product as it's sid based. But strange result for version tarball 1.3.6 ..... Xzibit

1) Rootkit checks...

    Rootkits checked : 243
    Possible rootkits: 2
    Rootkit names : Xzibit Rootkit, Xzibit Rootkit

2) In the cli check and in the log ... not found under the rootkit section

    [14:19:26] Checking for Xzibit Rootkit...
    [14:19:26] Checking for file '/dev/dsx' [ Not found ]
    [14:19:26] Checking for file '/dev/caca' [ Not found ]
    [14:19:26] Checking for file '/dev/ida/.inet/linsniffer' [ Not found ]
    [14:19:26] Checking for file '/dev/ida/.inet/logclear' [ Not found ]
    [14:19:26] Checking for file '/dev/ida/.inet/sense' [ Not found ]
    [14:19:26] Checking for file '/dev/ida/.inet/sl2' [ Not found ]
    [14:19:26] Checking for file '/dev/ida/.inet/sshdu' [ Not found ]
    [14:19:26] Checking for file '/dev/ida/.inet/s' [ Not found ]
    [14:19:26] Checking for file '/dev/ida/.inet/ssh_host_key' [ Not found ]
    [14:19:26] Checking for file '/dev/ida/.inet/ssh_random_seed' [ Not found ]
    [14:19:26] Checking for file '/dev/ida/.inet/sl2new.c' [ Not found ]
    [14:19:26] Checking for file '/dev/ida/.inet/tcp.log' [ Not found ]
    [14:19:26] Checking for file '/home/httpd/cgi-bin/becys.cgi' [ Not found ]
    [14:19:26] Checking for file '/usr/local/httpd/cgi-bin/becys.cgi' [ Not found ]
    [14:19:26] Checking for file '/usr/local/apache/cgi-bin/becys.cgi' [ Not found ]
    [14:19:26] Checking for file '/www/httpd/cgi-bin/becys.cgi' [ Not found ]
    [14:19:26] Checking for file '/www/cgi-bin/becys.cgi' [ Not found ]
    [14:19:26] Checking for directory '/dev/ida/.inet' [ Not found ]
    [14:19:26] Xzibit Rootkit [ Not found ]

3) Log shows 2 entries which may account for the 2 hits in the summary

    [14:19:38] Warning: Checking for possible rootkit strings [ Warning ]
    [14:19:38] Found string 'hdparm' in file '/etc/init.d/bootlogd'. Possible rootkit: Xzibit Rootkit
    [14:19:38] Found string 'hdparm' in file '/etc/init.d/checkroot.sh'. Possible rootkit: Xzibit Rootkit

4) cat S04bootlogd | grep hdparm

    # X-Start-Before: hostname keymap keyboard-setup procps pcmcia hwclock hwclockfirst hdparm hibernate-cleanup lvm2

4 (b) cat S08checkroot.sh | grep hdparm

    # Should-Start: keymap hwclockfirst hdparm bootlogd

5) My inference .... false positives. I can mail the scripts in /etc/rcS.d that relate to this, but atm I am happy.

FYI ...... If they are rootkits, I would have hoped the check in the rootkit section would have detected them?

regards
aus9

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
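A small triage helper for the "possible rootkit strings" warnings discussed in the post, added here as an example; it is not part of rkhunter and not the poster's code. It parses the warning lines, reads each flagged file and reports whether the string occurs only in LSB init-header comments (as hdparm does in the two scripts above) or in executable lines that a human should inspect. The file contents and the third file path are constructed inline, and the LSB keyword list is an assumption.

```python
import re

# rkhunter "possible rootkit strings" warning line, in the form quoted in the post
WARNING_RE = re.compile(r"Found string '(?P<needle>[^']+)' in file '(?P<path>[^']+)'")
# LSB init-script header keywords; the subset listed here is an assumption for this triage
LSB_HEADER_RE = re.compile(r"#\s*(Provides|Required-Start|Required-Stop|Should-Start|Should-Stop|"
                           r"X-Start-Before|X-Stop-After|Default-Start|Default-Stop)\s*:")

def parse_warnings(log_text):
    """Extract (string, path) pairs from rkhunter 'Found string ... in file ...' lines."""
    return [(m.group("needle"), m.group("path")) for m in WARNING_RE.finditer(log_text)]

def classify_hits(needle, file_text):
    """Record each line containing `needle` and whether it is a comment / LSB header line."""
    hits = []
    for lineno, line in enumerate(file_text.splitlines(), 1):
        if needle in line:
            stripped = line.lstrip()
            hits.append({"line": lineno, "text": stripped,
                         "comment": stripped.startswith("#"),
                         "lsb_header": bool(LSB_HEADER_RE.match(stripped))})
    return hits

def triage(log_text, read_file):
    """Map each flagged file to a verdict; read_file(path) returns the file text (keeps this offline)."""
    verdicts = {}
    for needle, path in parse_warnings(log_text):
        hits = classify_hits(needle, read_file(path))
        if not hits:
            verdicts[path] = "needs review: string not found line-wise (binary or encoded?)"
        elif all(h["lsb_header"] for h in hits):
            verdicts[path] = "likely false positive: string only in LSB header comments"
        elif all(h["comment"] for h in hits):
            verdicts[path] = "likely false positive: string only in comment lines"
        else:
            verdicts[path] = "needs review: string appears in executable lines"
    return verdicts

# Constructed sample input: the two warnings from the post plus a constructed third file
SAMPLE_LOG = """[14:19:38] Found string 'hdparm' in file '/etc/init.d/bootlogd'. Possible rootkit: Xzibit Rootkit
[14:19:38] Found string 'hdparm' in file '/etc/init.d/checkroot.sh'. Possible rootkit: Xzibit Rootkit
[14:19:38] Found string 'hdparm' in file '/etc/init.d/constructed-example'. Possible rootkit: Xzibit Rootkit
"""
SAMPLE_FILES = {  # init-script fragments modelled on the grep output in the post
    "/etc/init.d/bootlogd": "#! /bin/sh\n# X-Start-Before: hostname keymap keyboard-setup procps pcmcia hwclock hwclockfirst hdparm hibernate-cleanup lvm2\n",
    "/etc/init.d/checkroot.sh": "#! /bin/sh\n# Should-Start: keymap hwclockfirst hdparm bootlogd\n",
    "/etc/init.d/constructed-example": "#! /bin/sh\n/sbin/hdparm -d1 /dev/hda\n",
}

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_LOG, SAMPLE_FILES.__getitem__).items():
        print(path, "->", verdict)
```

On a live system, pass a reader such as `lambda p: open(p, errors="replace").read()` and the text of /var/log/rkhunter.log instead of the constructed samples.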