In my pursuit of what might cause the boot problems I described in my previous post (my questions remained unanswered though), I ran several checks for rootkits and other malware using rkhunter and chkrootkit.
No rootkits were found by either.
I presume that the warnings in the log file are created by updated file versions installed during the most recent updates to 9.10 Beta.
I would appreciate any information on the warnings. My own knowledge of Linux is not solid enough to allow me to make a reliable assessment of the situation.
If it would shed light on the problems raised in my previous post about possible bugs in the updated Beta version, I would be even happier.
Here are selected warnings. The actual list is much longer.
" /bin/kill [ Warning ]
[23:27:07] Warning: The file properties have changed:
[23:27:07] File: /bin/kill
[23:27:07] Current hash: 64b7154dafa4bbc514268619f9cdfcf6bb7a91f3
[23:27:08] Stored hash : b97af85a826f9fc2b361f758bf8547015472bf36
[23:27:08] Current inode: 528324 Stored inode: 528352
[23:27:08] Current size: 17956 Stored size: 17896
[23:27:08] Current file modification time: 1253051200
[23:27:08] Stored file modification time : 1244041642
. . .
/bin/pwd [ Warning ]
[23:27:12] Warning: The file properties have changed:
[23:27:12] File: /bin/pwd
[23:27:13] Current hash: 249137c86a7cebdac853bf141f680278cd781fa7
[23:27:13] Stored hash : aacfb6255a1dcde1b521097c070c5f0349fca574
[23:27:13] Current inode: 533634 Stored inode: 528404
[23:27:13] Current size: 38528 Stored size: 38468
[23:27:13] Current file modification time: 1254827258
[23:27:13] Stored file modification time : 1244202425
. . .
/usr/bin/users [ Warning ]
[23:27:36] Warning: The file properties have changed:
[23:27:36] File: /usr/bin/users
[23:27:36] Current hash: d2902772b0e2115b8163aa5d58c98b739c02ee13
[23:27:36] Stored hash : b4261079d129815cd83de2cafd02eca1bb8db0c2
[23:27:36] Current inode: 65159 Stored inode: 65170
[23:27:36] Current size: 34396 Stored size: 34336
[23:27:36] Current file modification time: 1254827258
[23:27:36] Stored file modification time : 1244202425
. . .
/usr/sbin/chroot [ Warning ]
[23:27:51] Warning: The file properties have changed:
[23:27:51] File: /usr/sbin/chroot
[23:27:51] Current inode: 97715 Stored inode: 98324
[23:27:51] Current size: 30280 Stored size: 30220
[23:27:51] Current file modification time: 1254827259
[23:27:51] Stored file modification time : 1244202426
. . .
Info: Test 'deleted_files' disabled at users request.
[23:28:47] Info: Starting test name 'running_procs'
[23:28:47] Checking running processes for suspicious files [ None found ]
[23:28:47]
[23:28:47] Info: Test 'hidden_procs' disabled at users request.
[23:28:47]
[23:28:47] Info: Test 'suspscan' disabled at users request.
(I have not knowingly disabled any of these. I don't even know where to find them or how to disable them.)
Performing system configuration file checks
[23:29:06] Info: Starting test name 'system_configs'
[23:29:06] Checking for SSH configuration file [ Not found ]
[23:29:06] Checking for running syslog daemon [ Warning ]
[23:29:06] Warning: The syslog daemon is not running.
. . .
Checking /dev for suspicious file types [ Warning ]
[23:29:07] Warning: Suspicious file types found in /dev:
[23:29:07] /dev/shm/pulse-shm-4019611039: data
. . .
System checks summary
[23:30:03] =====================
[23:30:03]
[23:30:03] File properties checks...
[23:30:03] Files checked: 127
[23:30:03] Suspect files: 83
[23:30:03]
[23:30:03] Rootkit checks...
[23:30:03] Rootkits checked : 111
[23:30:03] Possible rootkits: 0
[23:30:04]
[23:30:04] Applications checks...
[23:30:04] Applications checked: 3
[23:30:04] Suspect applications: 0
[07:53:45] Info: Using the '/usr/bin/sha1sum' command for the file hash checks
[07:53:45] Info: Stored hash values used hash function '/usr/bin/sha1sum'
[07:53:45] Info: Stored hash values did not use a package manager
[07:53:45] Info: The hash function field index is set to 1
[07:53:45] Info: No package manager specified: using hash function '/usr/bin/sha1sum'
[07:53:45] Info: Previous file attributes were stored
[07:53:45] Info: Enabled tests are: all
[07:53:45] Info: Disabled tests are: suspscan hidden_procs deleted_files packet_cap_apps
[07:53:45] Info: Found ksym file '/proc/kallsyms' . . ."
This is followed by another long list of changed file properties. The list is identical to the list excerpted above.
Found:
Warning: Hidden file found: /dev/.blkid.tab: ASCII text
[07:54:56] Warning: Hidden file found: /dev/.blkid.tab.old: ASCII text
The hidden text is as follows:
"<device DEVNO="0x0811" TIME="1255301594" UUID="7c43794e-0eb1-4bce-920e-20d1761449b9" TYPE="ext3">/dev/sdb1</device>"
sdb1 is the drive affected by the black screen, boot difficulties and multiple, but changing, error messages about Drive 'A' (floppy) that is disabled, and other crazy stuff.
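The warnings quoted above are rkhunter's file-properties check: it stores a baseline (hash, inode, size, mtime) per binary and reports any difference. The log's own "Stored hash values did not use a package manager" line is the key detail: without a package manager as the reference, every legitimate package update looks like a changed file. The script below is an added example, not code from the post or from rkhunter; it parses the quoted warning blocks, pulls out current and stored properties, and compares the current hash against a trusted-hash list. The TRUSTED_SHA1 values are constructed placeholders; in real use they would come from the package manager (for example, setting PKGMGR=DPKG in rkhunter.conf so rkhunter verifies against dpkg's own file lists, or checking with debsums) and the baseline would be refreshed with `rkhunter --propupd` only after an update has been confirmed as legitimate.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: warning blocks copied from the rkhunter output quoted
# in the post. The /usr/sbin/chroot block has no hash lines, exactly as quoted.
SAMPLE_LOG = """\
[23:27:07] Warning: The file properties have changed:
[23:27:07] File: /bin/kill
[23:27:07] Current hash: 64b7154dafa4bbc514268619f9cdfcf6bb7a91f3
[23:27:08] Stored hash : b97af85a826f9fc2b361f758bf8547015472bf36
[23:27:08] Current inode: 528324 Stored inode: 528352
[23:27:08] Current size: 17956 Stored size: 17896
[23:27:08] Current file modification time: 1253051200
[23:27:08] Stored file modification time : 1244041642
[23:27:12] Warning: The file properties have changed:
[23:27:12] File: /bin/pwd
[23:27:13] Current hash: 249137c86a7cebdac853bf141f680278cd781fa7
[23:27:13] Stored hash : aacfb6255a1dcde1b521097c070c5f0349fca574
[23:27:13] Current inode: 533634 Stored inode: 528404
[23:27:13] Current size: 38528 Stored size: 38468
[23:27:13] Current file modification time: 1254827258
[23:27:13] Stored file modification time : 1244202425
[23:27:51] Warning: The file properties have changed:
[23:27:51] File: /usr/sbin/chroot
[23:27:51] Current inode: 97715 Stored inode: 98324
[23:27:51] Current size: 30280 Stored size: 30220
[23:27:51] Current file modification time: 1254827259
[23:27:51] Stored file modification time : 1244202426
[07:53:45] Info: Disabled tests are: suspscan hidden_procs deleted_files packet_cap_apps
"""

# Constructed trusted hashes (hypothetical values). In practice these come from the
# package manager's records for the currently installed package versions.
# /bin/kill: matches the current hash in the log (an explained change).
# /bin/pwd: deliberately does NOT match (an unexplained change to investigate).
TRUSTED_SHA1 = {
    "/bin/kill": "64b7154dafa4bbc514268619f9cdfcf6bb7a91f3",
    "/bin/pwd": "deadbeef" * 5,
}

FILE_RE = re.compile(r"\] File: (\S+)")
PROP_RE = re.compile(r"(Current|Stored) (hash|inode|size|file modification time)\s*:\s*(\S+)")
DISABLED_RE = re.compile(r"Disabled tests are: (.*)$")


def parse_rkhunter_log(text):
    """Return (records, disabled_tests). Each record is a dict with 'file' plus
    keys like current_hash / stored_hash / current_inode / stored_mtime."""
    records, disabled, current = [], [], None
    for line in text.splitlines():
        m = FILE_RE.search(line)
        if m:                       # a "File:" line starts a new warning block
            current = {"file": m.group(1)}
            records.append(current)
            continue
        m = DISABLED_RE.search(line)
        if m:
            disabled = m.group(1).split()
            continue
        if current is None:
            continue
        # One log line may carry two properties ("Current inode: N Stored inode: M").
        for side, prop, val in PROP_RE.findall(line):
            key = side.lower() + "_" + prop.replace("file modification time", "mtime")
            current[key] = int(val) if val.isdigit() else val
    return records, disabled


def classify(record, trusted):
    """Verdict for one warning block: 'matches-trusted' (explained by the
    installed package), 'no-hash-in-log' (rkhunter gave no hash to compare),
    or 'unexplained' (the current content is not the package's content)."""
    cur = record.get("current_hash")
    if cur is None:
        return "no-hash-in-log"
    if trusted.get(record["file"]) == cur:
        return "matches-trusted"
    return "unexplained"


def report(text, trusted):
    """Parse the log and return (entries, disabled_tests); each entry has the
    verdict plus the mtime delta, which helps line the change up with a known
    update date."""
    records, disabled = parse_rkhunter_log(text)
    entries = []
    for r in records:
        e = {"file": r["file"], "verdict": classify(r, trusted)}
        if "current_mtime" in r and "stored_mtime" in r:
            e["days_since_baseline"] = (r["current_mtime"] - r["stored_mtime"]) // 86400
            e["current_mtime_utc"] = datetime.fromtimestamp(
                r["current_mtime"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        entries.append(e)
    return entries, disabled


if __name__ == "__main__":
    entries, disabled = report(SAMPLE_LOG, TRUSTED_SHA1)
    for e in entries:
        print(e)
    print("disabled tests:", disabled)
```

The "disabled at users request" lines come from the DISABLE_TESTS setting in rkhunter.conf, which the distribution's default configuration populates, so seeing them does not mean anyone changed the configuration on this machine; the parsed list lets you confirm that what the log reports matches that file. An "unexplained" verdict is the only one that warrants a closer look; "matches-trusted" entries are the normal aftermath of a package update and the baseline should simply be refreshed afterwards.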