Hi all,

Rkhunter is, I believe, saying that all is basically well, but chkrootkit is reporting for the first time ever something "INFECTED". I was searching the interwebs all morning and to me it *appears* to be a false positive, but I don't really know. Can you please help clear this up?? (THANKS in advance)
I'll try to be brief, but the circumstances are a bit complicated: I have a script that runs daily via anacron, after rkhunter and chkrootkit, which checks (among other things) the chkrootkit log; I have it configured to report differences from day to day (that is, my script checks the logs of rkhunter and chkrootkit instead of having those email results to me). I'm sure that as of a couple of days ago there were no "issues" reported by either rkhunter or chkrootkit (it's a longer story, but I think that's safe to say). *But* last night I also happened to run the "Software Updater", and so after that I updated rkhunter's DB by running rkhunter --propupd, but unfortunately I don't have any copies of the previous DB.

Here I think I should interrupt this narrative and show what's going on. This is from chkrootkit:

    Checking `bindshell'... INFECTED (PORTS: 4000)

and also:

    eth1: PACKET SNIFFER(/sbin/dhclient[3044])

and it reports this when I run it manually:

    eth1: PACKET SNIFFER(/sbin/dhclient (deleted)[3044])

Lines excerpted from rkhunter's log, running it just today (note that rkhunter --propupd was done last night, so if something was compromised then it might not be showing it):

    [13:07:28] Info: Starting test name 'deleted_files'
    [13:07:30] Checking running processes for deleted files [ Warning ]
    [13:07:30] Warning: The following processes are using deleted files:
    [13:07:30] Process: /sbin/init PID: 1 File: /var/log/upstart/dbus.log.1
    [13:07:30] Process: /usr/bin/nautilus PID: 24620 File: /home/samashley/.local/share/gvfs-metadata/home
    ...
    [13:07:49] Performing check for sniffer log files
    [13:07:49] Checking for file '/usr/lib/libice.log' [ Not found ]
    [13:07:49] Checking for file '/dev/prom/sn.l' [ Not found ]
    [13:07:49] Checking for file '/dev/fd/.88/zxsniff.log' [ Not found ]
    [13:07:49] Checking for sniffer log files [ None found ]
    ...
    [13:07:49] Info: Starting test name 'trojans'
    [13:07:49] Performing trojan specific checks
    [13:07:49] Info: Using inetd configuration file '/etc/inetd.conf'
    [13:07:49] Info: Found service 'imap': it is inetd whitelisted.
    [13:07:49] Info: Found service 'pop3': it is inetd whitelisted.
    [13:07:49] Checking for enabled inetd services [ OK ]
    ...
    [13:08:03] Info: Starting test name 'packet_cap_apps'
    [13:08:03] Checking for packet capturing applications [ Warning ]
    [13:08:03] Warning: Process '/sbin/dhclient' (PID 3044) is listening on the network.
    ...

(I can send the whole output if you want.)

Today I ran dpkg -S, and it reported several packages installed on my system that contained dhclient (do you want me to list them?). Next I ran debsums on each of those packages, and for each thing contained therein it returned "OK". Is there anything else I should email? Thanks a lot for any help!!

Oops, I almost forgot to say: this is a laptop running Ubuntu Studio 12.10 quantal 64 bit. I do have quite a few packages installed, and have lost track of which might conceivably be "listening", but I also have ufw and gufw and have installed some firewall rules that I got from a post somewhere in these forums (I have forgotten exactly where); mainly I've tried to block most incoming traffic except what I use, but don't block outgoing. In case it's important: I have to connect to the interwebs via a USB dongle broadband device (aka "surf stick"). Rootkit Hunter 1.4.0.

And another question, if I may: I have edited /etc/rkhunter.conf.local to enable all checks except "apps", and yet when I run rkhunter manually it says:

    Checking for hidden ports [ Skipped ]

It seems to me it would be nice if that test were enabled, but I don't seem to know how to make it so.

Thanks again,
Sam
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
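The two chkrootkit findings above (a `bindshell' hit on port 4000, and a PACKET SNIFFER whose executable is tagged "(deleted)") are the kind a practitioner settles by asking the kernel directly: which process owns the port right now, and what does /proc/PID/exe point at for the flagged process. The script below is an added example written for this post; it is not part of chkrootkit, rkhunter, or the poster's anacron script. It parses chkrootkit's report, maps each reported port to its owner via `ss -tlnp` (iproute2), and reads /proc/PID/exe for each sniffer PID. The chkrootkit and ss samples embedded in it are constructed for the test, and "exampled" (the listener on 4000) is a hypothetical daemon name, not something observed on the poster's machine.

```python
"""Triage a chkrootkit report against the live socket table.

Hypothetical helper (not part of chkrootkit or rkhunter): parses the
`bindshell' and PACKET SNIFFER lines, maps each reported port to the
process that owns it via `ss -tlnp`, and records what /proc/PID/exe
points at for each flagged process.  The kernel appends " (deleted)"
to that link when the file on disk has been unlinked or replaced, which
is what a package upgrade does to a binary that is still running.
"""
import os
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed chkrootkit output modelled on the lines quoted in the post.
SAMPLE_CHKROOTKIT = """\
Checking `bindshell'... INFECTED (PORTS: 4000)
Checking `lkm'... not infected
eth1: PACKET SNIFFER(/sbin/dhclient (deleted)[3044])
"""

# Constructed `ss -tlnp` output; "exampled" is a hypothetical daemon.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      50     127.0.0.1:4000      0.0.0.0:*         users:(("exampled",pid=2201,fd=9))
"""

BINDSHELL_RE = re.compile(r"`bindshell'\.\.\. INFECTED \(PORTS:([\d\s]+)\)")
SNIFFER_RE = re.compile(r"^(\S+): PACKET SNIFFER\((.+?)\[(\d+)\]\)\s*$")
SS_LINE_RE = re.compile(r"^LISTEN\s+\S+\s+\S+\s+(\S+):(\d+)\s+\S+\s+users:\((.*)\)\s*$")
SS_PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


@dataclass
class Sniffer:
    iface: str
    path: str      # path as chkrootkit printed it, minus any "(deleted)" tag
    pid: int
    deleted: bool  # True when chkrootkit itself printed the "(deleted)" marker


def parse_bindshell_ports(report: str) -> List[int]:
    """Ports named in the `bindshell' INFECTED line (empty list if clean)."""
    m = BINDSHELL_RE.search(report)
    return [int(p) for p in m.group(1).split()] if m else []


def parse_sniffers(report: str) -> List[Sniffer]:
    """Interfaces/processes flagged as PACKET SNIFFER."""
    found = []
    for line in report.splitlines():
        m = SNIFFER_RE.match(line)
        if m:
            raw = m.group(2)
            clean = raw.replace("(deleted)", "").strip()
            found.append(Sniffer(m.group(1), clean, int(m.group(3)), "(deleted)" in raw))
    return found


def parse_ss_listeners(ss_output: str) -> Dict[int, List[Tuple[str, int]]]:
    """Map each listening TCP port to [(process name, pid), ...]."""
    listeners: Dict[int, List[Tuple[str, int]]] = {}
    for line in ss_output.splitlines():
        m = SS_LINE_RE.match(line)
        if not m:
            continue
        procs = [(name, int(pid)) for name, pid in SS_PROC_RE.findall(m.group(3))]
        listeners.setdefault(int(m.group(2)), []).extend(procs)
    return listeners


def live_ss_output() -> str:
    """Run the real `ss -tlnp` (run as root, or other users' PIDs are blank)."""
    return subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=True).stdout


def proc_exe(pid: int) -> str:
    """Target of /proc/PID/exe; ends in ' (deleted)' if the file is gone."""
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError as e:
        return f"<unreadable: {e.strerror}>"


def triage(report: str, ss_output: str,
           exe_of: Callable[[int], str] = proc_exe) -> Dict[str, object]:
    """Join chkrootkit's findings with the socket table and /proc."""
    listeners = parse_ss_listeners(ss_output)
    # An empty owner list means nothing holds that port at the time of the check.
    bindshell = {p: listeners.get(p, []) for p in parse_bindshell_ports(report)}
    sniffers = [{"iface": s.iface, "pid": s.pid, "path": s.path,
                 "deleted": s.deleted, "exe": exe_of(s.pid)}
                for s in parse_sniffers(report)]
    return {"bindshell": bindshell, "sniffers": sniffers}


if __name__ == "__main__":
    import json
    import sys
    # Usage (as root):  chkrootkit | python3 triage.py
    print(json.dumps(triage(sys.stdin.read(), live_ss_output()), indent=2))
```

Read the output like this: for each bindshell port, the owner list names the process holding it, and `dpkg -S` on that process's executable plus `debsums` on the owning package tells you whether it is an unmodified packaged binary; an empty list means the port was free when the script ran. For a sniffer whose exe link ends in "(deleted)", the binary on disk has been replaced since the process started; a package upgrade does exactly that, and a newly started instance should show a plain path again, which is the check to make after the next reboot or dhclient restart. On the separate hidden-ports question: rkhunter's hidden_ports test relies on the external unhide-tcp tool and reports "Skipped" when it cannot find it, so installing that package (and telling rkhunter where it is, if it is not on the search path) is what turns the test on.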