
Thread: chkrootkit strange results under opensuse

  1. #1

    Question chkrootkit strange results under opensuse

    Hi,

    I'm a long-term Ubuntu user who is fed up with Ubuntu Hardy, so I am trying openSUSE 11.

    I just ran chkrootkit and got this back, which is far more than I'd normally get under Ubuntu:

    Searching for suspicious files and dirs, it may take a while...
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Parse/RecDescent/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/XML/Parser/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/XML/Simple/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/XML/XPath/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/XML/Writer/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/XML/Bare/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/HTML/Parser/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/HTML/Tagset/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/FBSet/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/URI/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/SPP/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Term/ReadKey/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Locale/gettext/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/SaX/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Net/Daemon/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Purple/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Pidgin/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/File/Tail/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/X500/DN/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/LWP/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Bootloader/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/ycp/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Crypt/SSLeay/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Crypt/SmbHash/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Digest/MD4/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Digest/SHA1/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/DBI/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/XFree/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/PLog/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/RPC/XML/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/RPC/PlServer/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Config/Crontab/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/DBD/SQLite/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/TimeDate/.packlist
    /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/CVT/.packlist
    /usr/lib/perl5/5.10.0/i586-linux-thread-multi/.packlist

    Any ideas? Anything to worry about?

    Thanks

  2. #2

    Default Re: chkrootkit strange results under opensuse

    For what it's worth, I ran rkhunter, and the issues it highlighted are:


    [20:43:48] Checking for passwd file changes [ Warning ]
    [20:43:48] Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
    [20:43:48] Info: Starting test name 'group_changes'
    [20:43:48] Checking for group file changes [ Warning ]
    [20:43:49] Warning: Unable to check for group file differences: no copy of the group file exists.


    [20:43:50] Checking /dev for suspicious file types [ Warning ]
    [20:43:50] Warning: Suspicious file types found in /dev:
    [20:43:50] /dev/shm/pulse-shm-3921141793: data
    [20:43:50] /dev/shm/pulse-shm-1887517512: data
    [20:43:50] /dev/shm/sysconfig/config-wlan0: ASCII text
    [20:43:50] Checking for hidden files and directories [ Warning ]
    [20:43:50] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression

    Thanks

  3. #3

    Default Re: chkrootkit strange results under opensuse

    What version of SUSE, and is this a clean install? I honestly suspect they may be false positives.

    Though it is a little strange that you have a hidden one in man, I still think they're false positives. You may need to do the investigating: look at the files referenced.

    Once you have ruled them out, I wouldn't concern yourself; I would be more concerned had you found a rootkit.
    Man first, have a try at Info, have a look at Wiki, if all that fails Scroogle!!!!!
    If I've helped click on the Rep button I don't know what it does but it sounds cool.

  4. #4

    Default Re: chkrootkit strange results under opensuse

    Clarity

    False positives is a bit incorrect; they are warnings. I get some on another distro, in my case because they're scripts rather than binaries. Checking them with cat confirms they're not malicious.

  5. #5

    Default Re: chkrootkit strange results under opensuse

    This is openSUSE 11 and a clean install from yesterday. I'm only installing software from the repos provided, with the exception of adding Index of /repositories/home:/lrupp/openSUSE_11.0 to get rkhunter....

    So nothing to worry about?

    Thanks

  6. #6

    Default Re: chkrootkit strange results under opensuse

    I certainly wouldn't have thought you have anything to worry about. I suspect pulse** is part of PulseAudio, which is relatively new and probably hasn't been parsed out yet.

    /dev/shm is temp, IIRC; I really wouldn't have thought you would need to worry about anything. I suspect a later version will get rid of these warnings.

    The others are probably just being looked for in a different place; note they say missing.

    You can try googling the warnings if you really are super paranoid, but I honestly wouldn't be too concerned.

    Also, this is rkhunter mainly; in regards to chkrootkit, again I'm not sure there is much to worry about. They all seem to be Perl libs, and you've implied they came from reputable sources.

  7. #7

    Default Re: chkrootkit strange results under opensuse

    Grand, thank you

  8. #8
    Tilman Schmidt NNTP User

    Default Re: chkrootkit strange results under opensuse

    yeleek wrote:
    >
    > Just run chkrootkit and got this back - which is far more than i'd
    > normally get under ubuntu
    >
    > Searching for suspicious files and dirs, it may take a while...
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Parse/RecDescent/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/XML/Parser/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/XML/Simple/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/XML/XPath/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/XML/Writer/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/XML/Bare/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/HTML/Parser/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/HTML/Tagset/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/FBSet/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/URI/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/SPP/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Term/ReadKey/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Locale/gettext/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/SaX/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Net/Daemon/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Purple/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Pidgin/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/File/Tail/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/X500/DN/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/LWP/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Bootloader/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/ycp/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Crypt/SSLeay/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Crypt/SmbHash/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Digest/MD4/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Digest/SHA1/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/DBI/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/XFree/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/PLog/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/RPC/XML/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/RPC/PlServer/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/Config/Crontab/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/DBD/SQLite/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/TimeDate/.packlist
    > /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/CVT/.packlist
    > /usr/lib/perl5/5.10.0/i586-linux-thread-multi/.packlist


    Funny. Looks like chkrootkit sees .packlist files as suspicious. Which they aren't.
    Just have a look at them yourself, they're plain text. :-)

    Maybe some rootkit uses a .packlist, but many non-rootkit programs do so too.

    HTH
    T.

  9. #9

    Default Re: chkrootkit strange results under opensuse

    It's probably the fact that they're hidden, rather than that they're .packlist files. At least that's my presumption.

  10. #10
    Tilman Schmidt NNTP User

    Default Re: chkrootkit strange results under opensuse

    yeleek wrote:
    > For what its worth ran rkhunter, and the issues it highlighted are
    >
    >
    > [20:43:48] Checking for passwd file changes [ Warning
    > ]
    > [20:43:48] Warning: Unable to check for passwd file differences: no
    > copy of the passwd file exists.
    > [20:43:48] Info: Starting test name 'group_changes'
    > [20:43:48] Checking for group file changes [ Warning
    > ]
    > [20:43:49] Warning: Unable to check for group file differences: no copy
    > of the group file exists.


    That would be normal if you ran rkhunter for the first time. In that
    case, obviously there can be no previous state to compare against.

    > [20:43:50] Checking /dev for suspicious file types [ Warning
    > ]
    > [20:43:50] Warning: Suspicious file types found in /dev:
    > [20:43:50] /dev/shm/pulse-shm-3921141793: data
    > [20:43:50] /dev/shm/pulse-shm-1887517512: data
    > [20:43:50] /dev/shm/sysconfig/config-wlan0: ASCII text


    rkhunter considers non-device files in /dev as suspicious, which might
    have been sensible before the arrival of udev, though one should check
    the files in question before panicking, anyway. But nowadays /dev is
    a mounted pseudo filesystem, so the files below it are not plain files
    even if it looks as if they were.

    > [20:43:50] Checking for hidden files and directories [ Warning
    > ]
    > [20:43:50] Warning: Hidden file found:
    > /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max
    > compression


    Ooo-kay. Well, rkhunter complaining about that makes me smile.
    ".k5login.5.gz" is the manpage for the hidden file ".k5login".
    Type "man .k5login" to see what I mean. Technically it is indeed
    a hidden file (it starts with a dot), but I wouldn't be overly
    concerned by that - a man page is hardly a sign of a rootkit.

    HTH
    T.
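The triage Tilman walks through in the last two posts, as an added example that is not part of the thread or of rkhunter itself: a small Python script that parses rkhunter-style warning lines like those posted above and buckets them (first-run baseline, tmpfs files under /dev/shm, Perl .packlist manifests, man pages for dotfiles) so that only the remainder needs a manual look. The sample log is constructed; the .packlist line is written in rkhunter's format to fold in the chkrootkit finding, and the /tmp entry is an added case that should escalate.

```python
import re
from typing import Dict

# Constructed sample, modelled on the rkhunter output posted in the thread.
# The .packlist line mirrors the chkrootkit finding; the /tmp line is a
# constructed "must escalate" case (a hidden executable, not a known dotfile).
SAMPLE_LOG = """\
[20:43:48] Warning: Unable to check for passwd file differences: no copy of the passwd file exists.
[20:43:49] Warning: Unable to check for group file differences: no copy of the group file exists.
[20:43:50] /dev/shm/pulse-shm-3921141793: data
[20:43:50] /dev/shm/sysconfig/config-wlan0: ASCII text
[20:43:50] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[20:43:50] Warning: Hidden file found: /usr/lib/perl5/vendor_perl/5.10.0/i586-linux-thread-multi/auto/DBI/.packlist: ASCII text
[20:43:51] Warning: Hidden file found: /tmp/.cache-x11: ELF 32-bit LSB executable
"""

STAMP = re.compile(r"^\[\d\d:\d\d:\d\d\]\s*(?:Warning:\s*)?(.*)$")
HIDDEN = re.compile(r"^Hidden file found: (?P<path>/\S+?): (?P<ftype>.+)$")
DEVFILE = re.compile(r"^(?P<path>/dev/\S+?): (?P<ftype>.+)$")
NOCOPY = re.compile(r"no copy of the (?P<db>\w+) file exists")

def classify_hidden(path: str, ftype: str) -> str:
    """Bucket a 'hidden file' warning: known-benign dotfiles vs. needs a look."""
    if "executable" in ftype.lower():
        return "REVIEW"            # a hidden executable is never excused by its location
    if path.startswith("/usr/lib/perl5/") and path.endswith("/.packlist"):
        return "PERL_PACKLIST"     # plain-text install manifests written by MakeMaker
    if path.startswith("/usr/share/man/"):
        return "MANPAGE"           # man page documenting a dotfile, e.g. .k5login(5)
    return "REVIEW"

def triage(log: str) -> Dict[str, str]:
    """Map each rkhunter finding to a triage bucket; lines we don't parse are ignored."""
    result: Dict[str, str] = {}
    for raw in log.splitlines():
        m = STAMP.match(raw.strip())
        if not m:
            continue
        body = m.group(1)
        if (n := NOCOPY.search(body)):
            result[n.group("db")] = "NO_BASELINE"   # first run: nothing to diff against yet
        elif (h := HIDDEN.match(body)):
            result[h.group("path")] = classify_hidden(h.group("path"), h.group("ftype"))
        elif (d := DEVFILE.match(body)):
            # /dev/shm is a tmpfs; non-device files there (PulseAudio, sysconfig) are expected
            shm = d.group("path").startswith("/dev/shm/")
            result[d.group("path")] = "TMPFS_NONDEVICE" if shm else "REVIEW"
    return result

if __name__ == "__main__":
    for path, bucket in triage(SAMPLE_LOG).items():
        print(f"{bucket:16} {path}")
```

Anything left in the REVIEW bucket is what to inspect by hand (owner, package membership, contents), exactly as the replies above suggest doing for the flagged files.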
