Got another report from chkroot this morning, all seems to be ok. Is there an antivirus in .pkg format I may be able to obtain? I'm new to Linux; sometimes I don't understand some options when trying to compile, make, install, whatever some programs. I know I have a lot of reading to do but I would like to see if I can get a temporary fix.

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not infected
Checking `rshd'... not infected
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/mod_perl/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/MD5/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Quota/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/XML/Parser/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Devel/Symdump/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/DBI/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Msql-Mysql-modules/.packlist
/usr/lib/perl5/5.00503/i386-linux/.packlist
/usr/lib/php/.registry
/usr/lib/php/.lock
/usr/lib/php/.filemap
/usr/lib/php/.registry
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit ... nothing found
Searching for Romanian rootkit ... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0 is not promisc
eth1 is not promisc
Checking `wted'... nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... nothing deleted

-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx [mailto:cobalt-security-admin@xxxxxxxxxxxxxxx] On Behalf Of V Jordan
Sent: Friday, March 07, 2003 7:50 PM
To: Cobalt Securoty Mailing List
Subject: [cobalt-security] I think this may be an issue

chkroot gave this email message.

`bindshell'... not infected
Checking `lkm'... You have 2 process hidden for readdir command
You have 2 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found

How would I verify if this is true?

[root sbin]# ./chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v
###
PID 1: not in ps output
CWD 1: /
EXE 1: /sbin/init
PID 2: not in ps output
CWD 2: /
EXE 2: /
PID 3: not in ps output
CWD 3: /
EXE 3: /
PID 4: not in ps output
CWD 4: /
EXE 4: /
PID 5: not in ps output
CWD 5: /
EXE 5: /
PID 6: not in ps output
CWD 6: /
EXE 6: /
PID 7: not in ps output
CWD 7: /
EXE 7: /
PID 8: not in ps output
CWD 8: /
EXE 8: /
PID 9: not in ps output
CWD 9: /
EXE 9: /
PID 342: not in ps output
CWD 342: /
EXE 342: /sbin/syslogd
PID 351: not in ps output
CWD 351: /
EXE 351: /sbin/klogd
PID 381: not in ps output
CWD 381: /var/spool
EXE 381: /usr/sbin/crond
PID 393: not in ps output
CWD 393: /
EXE 393: /usr/sbin/inetd
PID 422: not in ps output
CWD 422: /etc/named
EXE 422: /usr/sbin/named
PID 427: not in ps output
CWD 427: /
EXE 427: /usr/sbin/sshd
PID 437: not in ps output
CWD 437: /
EXE 437: /usr/sbin/httpd.admsrv
PID 459: not in ps output
CWD 459: /
EXE 459: /usr/sbin/httpd.admsrv
PID 526: not in ps output
CWD 526: /
EXE 526: /usr/bin/postgres
PID 591: not in ps output
CWD 591: /home/chiliasp/asp-apache-3000
EXE 591: /home/chiliasp/asp-apache-3000/caspd
PID 592: not in ps output
CWD 592: /home/chiliasp/asp-apache-3000
EXE 592: /home/chiliasp/asp-apache-3000/caspd
PID 593: not in ps output
CWD 593: /home/chiliasp/asp-apache-3000
EXE 593: /home/chiliasp/asp-apache-3000/caspd
PID 595: not in ps output
CWD 595: /home/chiliasp/asp-apache-3000
EXE 595: /home/chiliasp/asp-apache-3000/caspeng
PID 634: not in ps output
CWD 634: /home/chiliasp/asp-apache-3000
EXE 634: /home/chiliasp/asp-apache-3000/caspeng
PID 635: not in ps output
CWD 635: /home/chiliasp/asp-apache-3000
EXE 635: /home/chiliasp/asp-apache-3000/caspeng
PID 637: not in ps output
CWD 637: /home/chiliasp/asp-apache-3000
EXE 637: /home/chiliasp/asp-apache-3000/caspeng
PID 639: not in ps output
CWD 639: /home/chiliasp/asp-apache-3000
EXE 639: /home/chiliasp/asp-apache-3000/caspeng
PID 643: not in ps output
CWD 643: /home/chiliasp/asp-apache-3000
EXE 643: /home/chiliasp/asp-apache-3000/caspeng
PID 646: not in ps output
CWD 646: /home/chiliasp/asp-apache-3000
EXE 646: /home/chiliasp/asp-apache-3000/caspeng
PID 648: not in ps output
CWD 648: /
EXE 648: /bin/bash
PID 672: not in ps output
CWD 672: /
EXE 672: /usr/bin/perl
PID 679: not in ps output
CWD 679: /home/mysql
EXE 679: /usr/sbin/mysqld
PID 684: not in ps output
CWD 684: /home/mysql
EXE 684: /usr/sbin/mysqld
PID 685: not in ps output
CWD 685: /home/mysql
EXE 685: /usr/sbin/mysqld
PID 700: not in ps output
CWD 700: /
EXE 700: /sbin/lcdsleep
PID 724: not in ps output
CWD 724: /
EXE 724: /usr/sbin/portsentry
PID 726: not in ps output
CWD 726: /
EXE 726: /usr/sbin/portsentry
PID 760: not in ps output
CWD 760: /
EXE 760: /sbin/getty
PID 797: not in ps output
CWD 797: /
EXE 797: /usr/sbin/httpd.admsrv
PID 802: not in ps output
CWD 802: /
EXE 802: /usr/sbin/httpd.admsrv
PID 1008: not in ps output
CWD 1008: /
EXE 1008: /usr/sbin/httpd
PID 1009: not in ps output
CWD 1009: /
EXE 1009: /usr/sbin/httpd
PID 1010: not in ps output
CWD 1010: /
EXE 1010: /usr/sbin/httpd
PID 1011: not in ps output
CWD 1011: /
EXE 1011: /usr/sbin/httpd
PID 1012: not in ps output
CWD 1012: /
EXE 1012: /usr/sbin/httpd
PID 1632: not in ps output
CWD 1632: /
EXE 1632: /usr/sbin/httpd
PID 2126: not in ps output
CWD 2126: /
EXE 2126: /usr/sbin/httpd
PID 5432: not in ps output
CWD 5432: /
EXE 5432: /usr/sbin/sshd
PID 5453: not in ps output
CWD 5453: /
EXE 5453: /usr/sbin/sshd
PID 5454: not in ps output
CWD 5454: /usr/local/sbin
EXE 5454: /bin/bash
PID 7875: not in ps output
CWD 7875: /usr/local/sbin
EXE 7875: /bin/su
PID 7876: not in ps output
CWD 7876: /usr/local/sbin
EXE 7876: /bin/bash
PID 7898: not in ps output
CWD 7898: /usr/local/sbin
EXE 7898: /bin/bash
PID 7929: not in ps output
CWD 7929: /usr/local/sbin
EXE 7929: /bin/bash
PID 7930: not in ps output
CWD 7930: /usr/local/sbin
EXE 7930: /bin/bash
PID 7931: not in ps output
CWD 7931: /proc/7931
EXE 7931: /usr/local/sbin/chkproc
PID 9845: not in ps output
CWD 9845: /home/spool/mqueue
EXE 9845: /usr/sbin/sendmail
PID 23073: not in ps output
CWD 23073: /
EXE 23073: /usr/sbin/httpd
You have 57 process hidden for ps command
[root sbin]#

V Jordan
MSL Internet Solutions
Box 154 Davidsville Pa 15928
814-471-8195
http://www.mslnetworks.net
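An added cross-check for the question in the quoted message (how to verify a "process hidden" report); this is example code, not from the thread or from chkrootkit. It enumerates /proc with readdir() the way chkproc does, parses `ps -e -o pid=` output, and treats two outcomes as measurement failures rather than findings: ps returning no PIDs, and nearly every process reported hidden, which is what the 57-of-57 listing above looks like. The PID sets in the comments are constructed; the 90% threshold, the `ps` options and the two-pass filtering are assumptions.

```python
import os
import subprocess

# Fraction of /proc entries missing from ps above which the result is treated
# as a broken measurement, not a rootkit finding (threshold is an assumption).
SUSPECT_FRACTION = 0.9


def pids_from_proc(proc_root="/proc"):
    """PIDs visible to readdir() on /proc: numeric directory names only."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps_output(text):
    """Parse `ps -e -o pid=` output into a set of PIDs, skipping header/junk lines."""
    tokens = (line.strip() for line in text.splitlines())
    return {int(tok) for tok in tokens if tok.isdigit()}


def compare(proc_pids, ps_pids, self_pid=None):
    """Return (hidden_pids, status): PIDs readdir() sees but ps did not list.

    Constructed example: proc {1, 342, 351, 648} vs ps {1, 342, 351} gives
    ({648}, "ok"). An empty ps set, or almost everything 'hidden' (ps output
    in an unexpected format), is reported as an error instead of as hidden.
    """
    proc_pids = set(proc_pids)
    if self_pid is not None:
        proc_pids.discard(self_pid)  # the checker itself was not running when ps ran
    if not ps_pids:
        return set(), "error: ps listed no PIDs, result is meaningless"
    hidden = proc_pids - ps_pids
    if hidden and len(hidden) >= SUSPECT_FRACTION * len(proc_pids):
        return hidden, "error: nearly all processes 'hidden', ps output not parsed as expected"
    return hidden, "ok"


def run_live(passes=2):
    """Live check: a PID must be missing from ps in every pass to count, which
    filters processes that started or exited between the ps and /proc snapshots."""
    hidden_all = None
    for _ in range(passes):
        ps_out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True).stdout
        hidden, status = compare(pids_from_proc(), pids_from_ps_output(ps_out), os.getpid())
        if status != "ok":
            return hidden, status
        hidden_all = hidden if hidden_all is None else hidden_all & hidden
    return hidden_all, "ok"


if __name__ == "__main__":
    found, state = run_live()
    print(state)
    for pid in sorted(found):
        print(f"PID {pid}: in /proc but not in ps output")
```

A PID that survives both passes still deserves a look at /proc/PID/exe and /proc/PID/cwd, as chkproc's -v -v output does, before concluding anything.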