results from chkrootkit i don't understand - Security



Thread: results from chkrootkit i don't understand

  1. results from chkrootkit i don't understand

    hello NG,
    this is the first time I'm posting here. I installed chkrootkit on a Linux
    PC.
    I'm new to chkrootkit. I installed it (0.46a) on a SuSE Linux 9.1,
    kernel 2.6.4-52-smp. While running it the first time, I got the following
    (possible) detections (this is just an excerpt):

    ....
    Searching for anomalies in shell history files... Warning:
    `//root/workspace/.metadata/.plugins/org.eclipse.core.resources/.history'
    is linked to another file
    ....
    Checking `sniffer'... eth0: PF_PACKET(/sbin/dhcpcd)
    ....
    Checking `chkutmp'... The tty of the following user process(es) were
    not found in /var/run/utmp !
    ! RUID PID TTY CMD
    ! dietrich 17481 pts/8407 /bin/bash
    ....

    This is more about the process with no tty:
    pc51332:/opt/chkrootkit-0.46a # ps aux|grep 17481
    dietrich 17481 0.0 0.0 4028 1776 pts/8407 Ss+ Apr19 0:00
    /bin/bash


    I don't know what this means. I think it's not severe, but I'd like to
    know what it is.
    What does the output of "Checking `sniffer'" mean?
    I'm just a bit concerned about this process without a tty. What does
    that mean?

    Can anyone help me?
    Thank you very much in advance.

    Bernd


  2. Re: results from chkrootkit i don't understand

    On 27 Apr 2006 02:18:06 -0700, bernd.lentes@arcor.de wrote:

    >hello NG,
    >Checking `sniffer'... eth0: PF_PACKET(/sbin/dhcpcd)
    >
    >Bernd


    Don't know about the other things, but the message above is OK. I
    once tracked down what causes it to appear, said to self, "So why is
    chkrootkit complaining?" and forgot about it.

    You can run
    netstat -tulnp
    and
    lsof -Pi
    and check out /proc

    and decide for yourself. You can also run a different program (e.g.
    RKHunter), but the best of these "rootkit finders" are really just
    helpers. Use a tool, but depend on your brain.
    --
    buck
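To take buck's advice of "check out /proc" one step further, here is an added example script; it is not from this thread and not chkrootkit's own code. It resolves each AF_PACKET socket listed in /proc/net/packet to the process holding it, which is the information behind a chkrootkit line such as `PF_PACKET(/sbin/dhcpcd)`: a DHCP client needs a raw packet socket to talk to a server before the interface has an address, so that owner is expected, whereas a packet socket with no visible owner under /proc would be the case worth worrying about. The script assumes the Linux layout of /proc/net/packet (a header line, then one line per socket with the inode in the ninth column) and the usual `/proc/<pid>/fd/N -> socket:[inode]` symlinks.

```shell
#!/bin/sh
# Added example, not part of the thread or of chkrootkit itself.
# Resolves each AF_PACKET socket listed in /proc/net/packet to the process
# that holds it: this is the information behind a chkrootkit line such as
#   Checking `sniffer'... eth0: PF_PACKET(/sbin/dhcpcd)
# Assumption: /proc/net/packet has a header line, then one line per socket
# with the socket's Inode number in the ninth column (Linux kernel format).

# packet_inodes FILE
#   Print the inode of every packet socket listed in FILE.
packet_inodes() {
    awk 'NR > 1 && $9 ~ /^[0-9]+$/ { print $9 }' "$1"
}

# owner_of_inode INODE [PROC]
#   Print "PID COMMAND" for each process under PROC (default /proc) that has a
#   file descriptor pointing at socket:[INODE].
owner_of_inode() {
    inode=$1
    proc=${2:-/proc}
    for fd in "$proc"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue                      # fd entries are symlinks
        target=$(readlink "$fd" 2>/dev/null) || continue
        [ "$target" = "socket:[$inode]" ] || continue
        pid=$(basename "$(dirname "$(dirname "$fd")")")
        # cmdline is NUL-separated; turn it into one readable line
        cmd=$(tr '\000' ' ' < "$proc/$pid/cmdline" 2>/dev/null | sed 's/ *$//')
        printf '%s %s\n' "$pid" "${cmd:-?}"
    done
}

# report_packet_sockets [PACKET_FILE] [PROC]
#   One line per packet socket: its owner, or "unresolved" when no process
#   visible in PROC holds it. A raw socket whose owner cannot be found is a
#   much stronger signal than one held by a DHCP client, which needs a packet
#   socket to reach a server before the interface has an address.
report_packet_sockets() {
    pfile=${1:-/proc/net/packet}
    proc=${2:-/proc}
    packet_inodes "$pfile" | while read -r inode; do
        owner=$(owner_of_inode "$inode" "$proc")
        if [ -n "$owner" ]; then
            printf 'packet socket inode %s: %s\n' "$inode" "$owner"
        else
            printf 'packet socket inode %s: unresolved (no visible /proc owner)\n' "$inode"
        fi
    done
}

# Scan the running system only when invoked as:  sh packet_owners.sh live
case "${1-}" in
    live) report_packet_sockets ;;
esac
```

Run it as root (other users' /proc/<pid>/fd directories are not readable) and compare the result with `lsof -Pi` and `netstat -tulnp`: the three should agree on which program holds the raw socket. An "unresolved" line means the socket is visible to the kernel but no process in /proc claims it, which is exactly the mismatch a process-hiding rootkit would produce, and that deserves a look with an offline tool rather than more commands on the suspect host.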


  3. Re: results from chkrootkit i don't understand


    buck schrieb:

    > Don't know about the other things, but the message above is OK. I
    > once tracked down what causes it to appear, said to self, "So why is
    > chkrootkit complaining?" and forgot about it.


    That's what I also found out while "googling".

    > You can run
    > netstat -tulnp
    > and
    > lsof -Pi
    > and check out /proc


    I did. I did not know these parameters for netstat and lsof, very
    helpful. I saw only connections I know and understand.

    > and decide for yourself. You can also run a different program (eg
    > RKHunter), but the best of these "rootkit finders" are really just
    > helpers. Use a tool but depend on your brain


    I installed rootkithunter and let it run. It found some other stuff,
    but I have the impression it is not severe. RKhunter did not find
    any of the things chkrootkit complained about.
    Do you have any ideas about this message with tty and bash? Can this be a
    zombie process?

    Thanks, Bernd


  4. Re: results from chkrootkit i don't understand

    On 28 Apr 2006 12:53:44 -0700, bernd.lentes@arcor.de wrote:

    >
    >buck schrieb:
    >
    >> Don't know about the other things, but the message above is OK. I
    >> once tracked down what causes it to appear, said to self, "So why is
    >> chkrootkit complaining?" and forgot about it.

    >
    >That's what i also found out while "googling".
    >
    >> You can run
    >> netstat -tulnp
    >> and
    >> lsof -Pi
    >> and check out /proc

    >
    >I did. I did not know these parameters for netstat and lsof, very
    >helpful. I saw
    >only connections i know and understand.
    >
    >> and decide for yourself. You can also run a different program (eg
    >> RKHunter), but the best of these "rootkit finders" are really just
    >> helpers. Use a tool but depend on your brain

    >
    >I installed rootkithunter and let it run. It found some other stuff,
    >but i have the impression, it is not severe. RKhunter did not find
    >anything of the things chkrootkit complained about.
    >Do have any ideas about this message with tty and bash ? Can this be a
    >zombie process ?
    >
    >Thanks, Bernd


    If I get a chance later, I'll look at the tty and bash stuff again.
    Meanwhile, what does top say about zombies?
    --buck

  5. Re: results from chkrootkit i don't understand

    bernd.lentes@arcor.de wrote:

    > ...
    > Checking `chkutmp'... The tty of the following user process(es) were
    > not found in /var/run/utmp !
    > ! RUID PID TTY CMD
    > ! dietrich 17481 pts/8407 /bin/bash
    > ...
    >
    > This is more about the process with no tty:
    > pc51332:/opt/chkrootkit-0.46a # ps aux|grep 17481
    > dietrich 17481 0.0 0.0 4028 1776 pts/8407 Ss+ Apr19 0:00
    > /bin/bash
    >


    Late reply, but I was just scrolling by and saw no one answered you.

    Well, try typing "w" or "who" and see if you get a list of users. If you
    get none, probably your utmp file has been deleted (maybe by you?
    maybe not), so it's hard to say if the warning is important or not.

    If it shows some users, but not dietrich, probably someone or dietrich
    himself is trying to hide (poorly) that he's on a shell on the system
    and uses a tty.
    He may have logged on and then erased the entry, but his processes are
    still there.

    That's all
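The check described in the reply above, written out as a script; this is an added example and is neither part of the thread nor chkrootkit's own code. It compares the ttys that `who` reports from utmp with the ttys that `ps` attributes to running processes and prints, in the same `! RUID PID TTY CMD` shape chkrootkit uses, every process whose terminal has no utmp session. The two listings are passed as files so that saved output can be checked; invoking it with the argument `live` captures the current machine. The column positions (tty second in `who`, third in the `ps -eo ruser=,pid=,tty=,comm=` listing) are assumptions about the procps and coreutils output formats.

```shell
#!/bin/sh
# Added example, not part of the thread or of chkrootkit itself.
# Reproduces the idea behind chkrootkit's `chkutmp' warning: a process is
# attached to a terminal, but utmp (what `who' reads) has no session on
# that terminal. Listings are passed as files so saved output can be checked;
# run with the argument `live' to capture the current machine.

# check_utmp WHO_FILE PS_FILE
#   WHO_FILE: output of `who' (tty is the second column).
#   PS_FILE:  output of `ps -eo ruser=,pid=,tty=,comm=' (tty is the third
#             column, "?" when the process has no controlling terminal).
#   Prints one "! RUID PID TTY CMD" line per process whose tty is not in utmp.
check_utmp() {
    who_file=$1
    ps_file=$2
    if [ ! -s "$who_file" ]; then
        # Nothing logged in at all: either the box is truly idle, or utmp was
        # removed or truncated, in which case this check (and chkrootkit's)
        # is blind and every terminal process below will be reported.
        echo "utmp lists no sessions; check that /var/run/utmp exists and is intact"
    fi
    # Read the utmp ttys first (matched by file name, so an empty who file
    # does not break the two-file idiom), then flag terminal processes
    # whose tty never appeared.
    awk -v w="$who_file" '
        FILENAME == w { seen[$2] = 1; next }
        $3 != "?" && !($3 in seen) { print "!", $1, $2, $3, $4 }
    ' "$who_file" "$ps_file"
}

# Capture and check the running system only when invoked as:
#   sh chkutmp_check.sh live
case "${1-}" in
    live)
        tmp=$(mktemp -d)
        who > "$tmp/who"
        ps -eo ruser=,pid=,tty=,comm= > "$tmp/ps"
        check_utmp "$tmp/who" "$tmp/ps"
        rm -rf "$tmp"
        ;;
esac
```

Two caveats when reading a hit. Terminal emulators and multiplexers that do not register their pseudo-terminal in utmp (an xterm built or started without utmp support, screen or tmux windows, an IDE's embedded console) produce the same `!` line without any intrusion, so a flagged shell has to be matched against how it was started (`ps -o ppid=,lstart= -p <pid>` shows its parent and start time). And, as the reply says, if utmp itself is missing or empty, `who` and chkrootkit read the same file and are blind together; the process list is then the only side of the comparison you can trust.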
