Re: [cobalt-security] Running Rootkit and the result
- Subject: Re: [cobalt-security] Running Rootkit and the result
 
- From: Dogsbody <dan@xxxxxxxxxxxx>
 
- Date: Sat, 30 Jun 2001 21:30:53 +0100
 
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
 
Hi Robbert,
I would not be too worried about the .packlist files.  If you are really worried
about the files, have a look at them to see what they are about.  I have a number
of .packlist files on my Qube 3 and they just look like installation logs to
me.  I run the output of chkrootkit through a Perl script which filters out the
items that are ok and also the files that show up each time.
Dan
dan@xxxxxxxxxxxx
http://www.dogsbody.org
Robbert Hamburg wrote:
> 
> Last night I ran chkrootkit-0.33 for the first time after the hints Bill
> Irwin gave.
> 
> >One of
> >the best things you can do is grab the chkrootkit.tar.gz file
> >ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz and check your
> >system out.
> 
> >tar -xvzf chkrootkit.tar.gz
> >cd into the directory
> >chmod 755 chkrootkit
> >./chkrootkit and let it run.
> 
> There was one result making me suspicious. Can someone please clarify the
> rules below:
> 
> Searching for Ambient's rootkit (ark) default files and dirs... Nothing
> found
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/perl5/5.00503/i386-linux/.packlist
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/mod_perl/.packlist
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/MD5/.packlist
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Quota/.packlist
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/XML/Parser/.packlist
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Devel/Symdump/.packlist
> 
> The rest of the result came out as nothing found or Not vulnerable. Only the
> lines above I don't really understand.
> 
> Please help me out!
> 
> Robbert
> 
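
The filtering described in the reply above, as an added example that is not the poster's script or part of the original thread: a shell/awk filter that drops clean chkrootkit verdicts and any path already in a reviewed baseline, so only unreviewed items remain. The baseline contents, the `UNREVIEWED:` label and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example (not the poster's script): triage filter for chkrootkit output.
# Constructed baseline: paths already inspected and accepted on this host.
BASELINE='/usr/lib/perl5/5.00503/i386-linux/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/MD5/.packlist'

# Reads chkrootkit output on stdin; prints only lines that still need a human.
filter_chkrootkit() {
    BASELINE="$BASELINE" awk '
    BEGIN {
        n = split(ENVIRON["BASELINE"], b, "\n")
        for (i = 1; i <= n; i++) if (b[i] != "") known[b[i]] = 1
    }
    # Drop status lines that end in a clean verdict.
    tolower($0) ~ /(nothing found|not found|not infected|not vulnerable|not tested)[ \t]*$/ { next }
    # Hold the header of the suspicious-files test until an unreviewed path appears.
    /^Searching for suspicious files and dirs/ { header = $0; next }
    # Path lines: one or several absolute paths per line.
    /^\// {
        for (i = 1; i <= NF; i++) {
            if ($i in known) continue
            if (header != "") { print header; header = "" }
            print "UNREVIEWED: " $i
        }
        next
    }
    # Everything else (for example an INFECTED verdict) passes through untouched.
    NF { print }
    '
}

# Constructed sample input modelled on the output quoted in the thread.
sample_output() {
    cat <<'EOF'
Checking `ls'... not infected
Searching for Ambient's rootkit (ark) default files and dirs... Nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.00503/i386-linux/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/MD5/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Quota/.packlist
EOF
}

sample_output | filter_chkrootkit
```

A path belongs in the baseline only after its contents have been inspected; a baseline entry suppresses the path name, not changes to the file behind it.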