This is a static archive of the old Zorin Forum.


Rootkit

alpha1

Mon Jan 25, 2016 5:12:25 pm

Hi Guys, A Happy New Year to you all.
Just a quick one.
Noticed a few issues, programs starting up etc.
I have just run the following program "chkrootkit"

# chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected

and found the following, can you best advise here please:-
1.
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit /usr/lib/jvm/.java-1.7.0-openjdk-i386.jinfo /usr/lib/pymodules/python2.7/.path

2.
Searching for Suckit rootkit... Warning: /sbin/init I

Everything else is clear, no infections.
I assume I have an infection?
Question: where do I go from here?
What commands do I need to run to remove the above?

Swarfendor437

Mon Jan 25, 2016 8:41:23 pm

I should really get my house in order - I am like the builder who does a good job for others, yet my entrance gate is hanging off its hinges (like me! LOL! :lol: :lol:)

If memory serves me correctly, Ubuntu based distros should use RKHunter - guide here:

https://help.ubuntu.com/community/RKhunter

Chkrootkit was written for a different kind of GNU/Linux and that is why you are getting 'warnings' because those places won't exist in a non-ubuntu/debian release - that said if you read that article, rkhunter can have similar false positives.

;) :D

alpha1

Tue Jan 26, 2016 4:37:15 pm

Swarfendor437 wrote:I should really get my house in order - I am like the builder who does a good job for others, yet my entrance gate is hanging off its hinges (like me! LOL! :lol: :lol:)

If memory serves me correctly, Ubuntu based distros should use RKHunter - guide here:

https://help.ubuntu.com/community/RKhunter

Chkrootkit was written for a different kind of GNU/Linux and that is why you are getting 'warnings' because those places won't exist in a non-ubuntu/debian release - that said if you read that article, rkhunter can have similar false positives.

;) :D


Many thanks for your help here, sorry that I used the wrong distro here. Should have been more careful.

Nevertheless this has shown up the following:- What are your thoughts here?


$ sudo rkhunter --checkall
[sudo] password for falcon:
[ Rootkit Hunter version 1.4.0 ]

Checking system commands...


/usr/sbin/chroot [ Warning ]
/usr/sbin/cron [ OK ]
/usr/sbin/groupadd [ OK ]
/usr/sbin/groupdel [ OK ]
/usr/sbin/groupmod [ OK ]
/usr/sbin/grpck [ OK ]
/usr/sbin/nologin [ OK ]
/usr/sbin/pwck [ OK ]
/usr/sbin/rsyslogd [ OK ]
/usr/sbin/tcpd [ OK ]
/usr/sbin/useradd [ OK ]
/usr/sbin/userdel [ OK ]
/usr/sbin/usermod [ OK ]
/usr/sbin/vipw [ OK ]
/usr/sbin/unhide-tcp [ OK ]
/usr/sbin/unhide-linux [ OK ]
/usr/bin/awk [ OK ]
/usr/bin/basename [ Warning ]
/usr/bin/chattr [ OK ]
/usr/bin/curl [ OK ]
/usr/bin/cut [ Warning ]
/usr/bin/diff [ OK ]
/usr/bin/dirname [ Warning ]
/usr/bin/dpkg [ Warning ]
/usr/bin/dpkg-query [ Warning ]
/usr/bin/du [ Warning ]
/usr/bin/env [ Warning ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/GET [ OK ]
/usr/bin/groups [ Warning ]
/usr/bin/head [ Warning ]
/usr/bin/id [ Warning ]
/usr/bin/killall [ OK ]
/usr/bin/last [ OK ]
/usr/bin/lastlog [ OK ]
/usr/bin/ldd [ OK ]
/usr/bin/less [ OK ]
/usr/bin/locate [ OK ]
/usr/bin/logger [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/lsof [ OK ]
/usr/bin/md5sum [ Warning ]
/usr/bin/mlocate [ OK ]
/usr/bin/newgrp [ OK ]
/usr/bin/passwd [ OK ]
/usr/bin/perl [ OK ]
/usr/bin/pgrep [ OK ]
/usr/bin/pkill [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/rkhunter [ OK ]
/usr/bin/runcon [ Warning ]
/usr/bin/sha1sum [ Warning ]
/usr/bin/sha224sum [ Warning ]
/usr/bin/sha256sum [ Warning ]
/usr/bin/sha384sum [ Warning ]
/usr/bin/sha512sum [ Warning ]
/usr/bin/size [ OK ]
/usr/bin/sort [ Warning ]
/usr/bin/stat [ Warning ]
/usr/bin/strace [ OK ]
/usr/bin/strings [ OK ]
/usr/bin/sudo [ OK ]
/usr/bin/tail [ Warning ]
/usr/bin/test [ Warning ]
/usr/bin/top [ OK ]
/usr/bin/touch [ Warning ]
/usr/bin/tr [ Warning ]
/usr/bin/uniq [ Warning ]
/usr/bin/users [ Warning ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/wc [ Warning ]
/usr/bin/wget [ OK ]


/bin/cat [ Warning ]
/bin/chmod [ Warning ]
/bin/chown [ Warning ]
/bin/cp [ Warning ]
/bin/date [ Warning ]
/bin/df [ Warning ]
/bin/dmesg [ OK ]
/bin/echo [ Warning ]
/bin/ed [ OK ]


/bin/ls [ Warning ]
/bin/lsmod [ OK ]
/bin/mktemp [ Warning ]
/bin/more [ OK ]
/bin/mount [ OK ]
/bin/mv [ Warning ]
/bin/netstat [ OK ]
/bin/ping [ OK ]
/bin/ps [ OK ]
/bin/pwd [ Warning ]
/bin/readlink [ Warning ]
/bin/sed [ OK ]
/bin/sh [ OK ]
/bin/su [ OK ]
/bin/touch [ Warning ]
/bin/uname [ Warning ]
/bin/which [ OK ]
/bin/kmod [ OK ]
/bin/dash [ OK ]

[Press <ENTER> to continue]


Performing check of known rootkit files and directories
Non Found
Performing additional rootkit checks
Suckit Rookit additional checks [ OK ]


Performing filesystem checks
Checking /dev for suspicious file types [ Warning ]
Checking for hidden files and directories [ Warning ]

[Press <ENTER> to continue]



System checks summary
=====================

File properties checks...
Files checked: 138
Suspect files: 43

Rootkit checks...
Rootkits checked : 292
Possible rootkits: 0

Applications checks...
All checks skipped

The system checks took: 1 minute and 57 seconds

All results have been written to the log file (/var/log/rkhunter.log)

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

Swarfendor437

Tue Jan 26, 2016 10:10:33 pm

Nothing to worry about! :

http://ubuntuforums.org/showthread.php?t=2177662

;) :D

Please be sure to read that thread link above in its entirety, including how to update rkhunter! :D
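A practical way to confirm that "[ Warning ]" lines like the ones alpha1 posted are stale-baseline false positives rather than replaced binaries is to check each flagged file against the dpkg package database. The script below is an added example for this thread, not code from the forum, rkhunter or Zorin; it assumes a Debian/Ubuntu-based system with `dpkg` (the `dpkg -V` verify option needs dpkg 1.17 or newer, otherwise use `debsums`), and the sample rkhunter output it parses is constructed from a few of the lines in alpha1's post.

```sh
#!/bin/sh
# Added example (not from the thread): triage rkhunter "[ Warning ]" lines
# by checking each flagged binary against the dpkg package database.
# Assumes a Debian/Ubuntu-based system; SAMPLE_RKHUNTER_OUTPUT is constructed
# from lines in alpha1's post so the parsing part runs offline.

SAMPLE_RKHUNTER_OUTPUT='/usr/sbin/chroot [ Warning ]
/usr/sbin/cron [ OK ]
/usr/bin/basename [ Warning ]
/bin/ls [ Warning ]
/bin/lsmod [ OK ]
Checking for hidden files and directories [ Warning ]'

# Print only the file paths flagged in rkhunter's "system commands" section.
# Reads rkhunter output from stdin; non-path lines (e.g. the hidden-files
# warning) are deliberately ignored because they carry no file name.
warned_paths() {
    grep '^/.*\[ Warning \]' | awk '{ print $1 }'
}

# Count flagged paths in the constructed sample (quick self-check).
count_sample_warnings() {
    printf '%s\n' "$SAMPLE_RKHUNTER_OUTPUT" | warned_paths | wc -l | tr -d ' '
}

# For each flagged path: which package owns it, and does the on-disk file
# still match that package's manifest?  A clean "dpkg -V" means the warning
# is caused by a package update made after rkhunter's last --propupd
# baseline, not by a replaced binary.  Paths owned by no package, or whose
# hash no longer matches, are the ones worth a closer look.
verify_with_dpkg() {
    while IFS= read -r path; do
        pkg=$(dpkg -S "$path" 2>/dev/null | cut -d: -f1 | head -n1)
        if [ -z "$pkg" ]; then
            echo "$path: not owned by any package -- investigate manually"
            continue
        fi
        # dpkg -V prints one line per file that differs from the manifest,
        # with the path at the end of the line.
        if dpkg -V "$pkg" 2>/dev/null | grep -q " $path\$"; then
            echo "$path: ($pkg) does NOT match package manifest -- investigate"
        else
            echo "$path: ($pkg) matches package manifest -- rkhunter baseline is stale"
        fi
    done
}

# Typical use on a real host (run as root; rkhunter and dpkg required):
#   rkhunter --checkall --skip-keypress --report-warnings-only \
#     | warned_paths | verify_with_dpkg
# Only after every flagged file verifies clean, refresh the baseline:
#   rkhunter --propupd
```

The same `dpkg -S` lookup answers the first post's chkrootkit question: the dotfiles it listed (`.noinit`, `.java-1.7.0-openjdk-i386.jinfo`, `.path`) can be fed to `verify_with_dpkg` one path per line, and a file that belongs to an installed package and matches its manifest is a scanner false positive, not an infection. Refreshing the rkhunter baseline with `--propupd` only makes sense once that check has been done, since it tells rkhunter to trust whatever is currently on disk.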