chkrootkit on FC6



JoeyJoJoe
29th October 2006, 11:31 AM
I've just installed FC6 and put chkrootkit on (I tried to stick rkhunter on but it doesn't show up, maybe someone will make it up for core 6 later...). Anyway, the real issue is that when I ran chkrootkit I got a really strange entry


Searching for OBSD rk v1... /usr/lib/security
/usr/lib/security/classpath.security

I wonder if this is a false positive. It does still show up, but I wouldn't have thought that I've done anything risky, just installed through yum and looked at a few sites on the net. Does anyone else have this entry, or know what it might be?

Thanks

Zigzagcom
29th October 2006, 12:18 PM
You have to run rkhunter from the command line:

rkhunter

JoeyJoJoe
29th October 2006, 12:22 PM
yeah, I've used it before, I meant that I couldn't find it in yum, I think that the packages will need to be re-built for core 6, I'll just wait on that one.

I don't suppose you've seen anything like that from chkrootkit before?

Seve
29th October 2006, 12:34 PM
Hello:
I believe chkrootkit is in the extras repo? Or are you looking for something else?

yum info chkrootkit
Loading "installonlyn" plugin
Setting up repositories
Reading repository metadata in from local files
Available Packages
Name : chkrootkit
Arch : i386
Version: 0.47
Release: 1.fc6
Size : 277 k
Repo : extras
Summary: Tool to locally check for signs of a rootkit
Description:
chkrootkit is a tool to locally check for signs of a rootkit.
It contains:

* chkrootkit: shell script that checks system binaries for
rootkit modification.
* ifpromisc: checks if the network interface is in promiscuous mode.
* chklastlog: checks for lastlog deletions.
* chkwtmp: checks for wtmp deletions.
* chkproc: checks for signs of LKM trojans.
* chkdirs: checks for signs of LKM trojans.
* strings: quick and dirty strings replacement.
* chkutmp: checks for utmp deletions.


Seve

JoeyJoJoe
29th October 2006, 01:47 PM
Yeah, I'm using that chkrootkit. It's just that the entry which I mentioned above seems to suggest that there is something which shouldn't be there. The bit here is from the output it gives; usually everything (pretty much) says "nothing found", but here it reports that OBSD rk v1 is not "not found"... Sometimes there can be consistent false positives, but because this is the first (and hopefully only) install of FC6 I've done, I don't know if it is "normal"...


Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... /usr/lib/security
/usr/lib/security/classpath.security
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found


If anyone else has run it and found this entry, it would lead me to believe that it is just a false positive. If you want to install it and give it a go, it would help me (and maybe you, it's pretty good).

Cheers,

Zigzagcom
29th October 2006, 08:19 PM
Here you are:

http://ubuntuforums.org/showthread.php?p=1651230

JoeyJoJoe
29th October 2006, 08:30 PM
Thanks, that's a help, and as a plus I've found out that the documentation contains a list of pre-selected false positives (I kind of wish they would try and get rid of them, but maybe it's impossible)...

Anywho, it's good to have pinned it down.

Cheers,
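A small triage helper for entries like the OBSD rk v1 one above, added here as an example (it is not code from chkrootkit or from anyone in the thread): it parses chkrootkit output in the format quoted earlier, keeps only the checks that did not answer "nothing found", and asks rpm who owns each flagged path, which is the check that separates a packaged file such as classpath.security from an unexplained drop-in under a system directory. The sample output, and the names SAMPLE, chkrootkit_hits and owner_of, are my own constructions.

```shell
#!/bin/sh
# Constructed sample in the format chkrootkit prints (taken from the lines
# quoted in the thread); on a real box feed it with:  chkrootkit | chkrootkit_hits
SAMPLE='Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... /usr/lib/security
/usr/lib/security/classpath.security
Searching for LOC rootkit... nothing found'

# Print "check: path" for every path reported by a "Searching for" check that
# did not come back clean. Continuation lines that start with "/" belong to
# the preceding check, which is how the classpath.security line appeared.
chkrootkit_hits() {
    awk '
        /^Searching for / {
            check = ""                      # a new check resets the context
            i = index($0, "... ")
            if (i == 0) next
            name = substr($0, 15, i - 15)   # "Searching for " is 14 characters
            rest = substr($0, i + 4)
            if (rest == "nothing found" || rest == "not found" || rest == "") next
            check = name
            print check ": " rest
            next
        }
        /^\// && check != "" { print check ": " $0 }
    '
}

# Ask the package manager who owns a flagged path. A file owned by a package
# (and unchanged under "rpm -V <package>") is most likely a documented false
# positive; a file nobody owns under /usr/lib deserves a closer look.
owner_of() {
    if ! [ -e "$1" ]; then
        echo "does not exist on this host"
    elif command -v rpm >/dev/null 2>&1; then
        if owner=$(rpm -qf "$1" 2>/dev/null); then
            echo "$owner"
        else
            echo "not owned by any package"
        fi
    else
        echo "rpm not available, check ownership by hand"
    fi
}

# Demo run over the constructed sample.
printf '%s\n' "$SAMPLE" | chkrootkit_hits | while IFS=: read -r check path; do
    path=${path# }
    printf '%s: %s -> %s\n' "$check" "$path" "$(owner_of "$path")"
done
```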