    Infected, or just paranoid?

    Hi,

    I'm using the 64bit version of 8.04. Pretty much on a whim I started looking at what I could do for security, even though I didn't really think I needed it. I installed Firestarter, Bastille, and Rootkit Hunter, and set them up in that order.

    When I ran Rootkit Hunter, it showed several warnings in the following files.

    Performing file properties checks
    Checking for prerequisites
    /bin/bash
    /bin/dmesg
    /bin/more
    /bin/mount
    /usr/bin/last
    /usr/bin/logger
    /usr/bin/rpm
    /usr/bin/sudo
    /usr/bin/whereis
    /sbin/sulogin
    /usr/sbin/unhide
    /usr/sbin/unhide-linux26

    It didn't say what was wrong with them, they just had a warning next to them. Should I be worried? And, if so, what should I do?

    Thanks.

    #2
    Re: Infected, or just paranoid?

    I don't know about Rootkit Hunter, but I use chkrootkit (available in the default repository).

    Install it and run it (as root or using sudo). I got this:

    root@kronos:~# chkrootkit
    ROOTDIR is `/'
    Checking `amd'... not found
    Checking `basename'... not infected
    Checking `biff'... not found
    Checking `chfn'... not infected
    Checking `chsh'... not infected
    Checking `cron'... not infected
    Checking `crontab'... not infected
    Checking `date'... not infected
    Checking `du'... not infected
    Checking `dirname'... not infected
    Checking `echo'... not infected
    Checking `egrep'... not infected
    Checking `env'... not infected
    Checking `find'... not infected
    Checking `fingerd'... not found
    Checking `gpm'... not found
    Checking `grep'... not infected
    Checking `hdparm'... not infected
    Checking `su'... not infected
    Checking `ifconfig'... not infected
    Checking `inetd'... not infected
    Checking `inetdconf'... not infected
    Checking `identd'... not found
    Checking `init'... not infected
    Checking `killall'... not infected
    Checking `ldsopreload'... not infected
    Checking `login'... not infected
    Checking `ls'... not infected
    Checking `lsof'... not infected
    Checking `mail'... not infected
    Checking `mingetty'... not found
    Checking `netstat'... not infected
    Checking `named'... not found
    Checking `passwd'... not infected
    Checking `pidof'... not infected
    Checking `pop2'... not found
    Checking `pop3'... not found
    Checking `ps'... not infected
    Checking `pstree'... not infected
    Checking `rpcinfo'... not infected
    Checking `rlogind'... not found
    Checking `rshd'... not found
    Checking `slogin'... not infected
    Checking `sendmail'... not infected
    Checking `sshd'... not infected
    Checking `syslogd'... not infected
    Checking `tar'... not infected
    Checking `tcpd'... not infected
    Checking `tcpdump'... not infected
    Checking `top'... not infected
    Checking `telnetd'... not found
    Checking `timed'... not found
    Checking `traceroute'... not found
    Checking `vdir'... not infected
    Checking `w'... not infected
    Checking `write'... not infected
    Checking `aliens'... no suspect files
    Searching for sniffer's logs, it may take a while... nothing found
    Searching for HiDrootkit's default dir... nothing found
    Searching for t0rn's default files and dirs... nothing found
    Searching for t0rn's v8 defaults... nothing found
    Searching for Lion Worm default files and dirs... nothing found
    Searching for RSHA's default files and dir... nothing found
    Searching for RH-Sharpe's default files... nothing found
    Searching for Ambient's rootkit (ark) default files and dirs... nothing found
    Searching for suspicious files and dirs, it may take a while...
    /usr/lib/firefox-3.0b5/.autoreg
    /usr/lib/firefox/.autoreg
    /usr/lib/vmware-server/perl5/site_perl/5.005/i386-linux/auto/MIME/Base64/.packlist
    /usr/lib/vmware-server/perl5/site_perl/5.005/i386-linux/auto/Authen/PAM/.packlist
    /usr/lib/vmware-server/perl5/site_perl/5.005/i386-linux/auto/VMware/VmdbPerl/.exists
    /usr/lib/vmware-server/perl5/site_perl/5.005/i386-linux/auto/VMware/VmPerl/.exists
    /usr/lib/vmware-server/perl5/site_perl/5.005/i386-linux/auto/VMware/HConfig/.exists
    /usr/lib/vmware-server/perl5/site_perl/5.005/i386-linux/auto/XML/DOM/.packlist
    /usr/lib/vmware-server/perl5/site_perl/5.005/i386-linux/auto/XML/Parser/.packlist
    /usr/lib/vmware-server/perl5/site_perl/5.005/i386-linux/auto/URI/.packlist
    /usr/lib/vmware-server/perl5/site_perl/5.005/i386-linux/VMware/.exists
    /usr/lib/jvm/.java-6-sun.jinfo
    /usr/lib/jvm/java-6-sun-1.6.0.06/.systemPrefs
    /usr/lib/jvm/.java-1.5.0-sun.jinfo
    /usr/lib/jvm/java-1.5.0-sun-1.5.0.15/.systemPrefs
    /usr/lib/jvm/jre1.6.0/.systemPrefs
    /usr/lib/jvm/jre1.6.0/.systemPrefs/.system.lock
    /usr/lib/jvm/jre1.6.0/.systemPrefs/.systemRootModFile
    /usr/lib/xulrunner-1.9b5/.autoreg
    /lib/modules/2.6.24-16-generic/volatile/.mounted
    /usr/lib/jvm/jre1.6.0/.systemPrefs
    Searching for LPD Worm files and dirs... nothing found
    Searching for Ramen Worm files and dirs... nothing found
    Searching for Maniac files and dirs... nothing found
    Searching for RK17 files and dirs... nothing found
    Searching for Ducoci rootkit... nothing found
    Searching for Adore Worm... nothing found
    Searching for ****C Worm... nothing found
    Searching for Omega Worm... nothing found
    Searching for Sadmind/IIS Worm... nothing found
    Searching for MonKit... nothing found
    Searching for Showtee... nothing found
    Searching for OpticKit... nothing found
    Searching for T.R.K... nothing found
    Searching for Mithra... nothing found
    Searching for OBSD rk v1... /usr/lib/security
    /usr/lib/security/classpath.security
    Searching for LOC rootkit... nothing found
    Searching for Romanian rootkit... nothing found
    Searching for Suckit rootkit... nothing found
    Searching for Volc rootkit... nothing found
    Searching for Gold2 rootkit... nothing found
    Searching for TC2 Worm default files and dirs... nothing found
    Searching for Anonoying rootkit default files and dirs... nothing found
    Searching for ZK rootkit default files and dirs... nothing found
    Searching for ShKit rootkit default files and dirs... nothing found
    Searching for AjaKit rootkit default files and dirs... nothing found
    Searching for zaRwT rootkit default files and dirs... nothing found
    Searching for Madalin rootkit default files... nothing found
    Searching for Fu rootkit default files... nothing found
    Searching for ESRK rootkit default files... nothing found
    Searching for rootedoor... nothing found
    Searching for ENYELKM rootkit default files... nothing found
    Searching for anomalies in shell history files... nothing found
    Checking `asp'... not infected
    Checking `bindshell'... not infected
    Checking `lkm'... chkproc: nothing detected
    Checking `rexedcs'... not found
    Checking `sniffer'... lo: not promisc and no packet sniffer sockets
    eth0: PACKET SNIFFER(/sbin/dhclient3[6467], /sbin/wpa_supplicant[6519], /sbin/dhclient3[6579])
    Checking `w55808'... not infected
    Checking `wted'... chkwtmp: nothing deleted
    Checking `scalper'... not infected
    Checking `slapper'... not infected
    Checking `z2'... chklastlog: nothing deleted

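    Two parts of that output deserve a closer look than the "not infected" lines. The "suspicious files and dirs" are dotfiles those packages install themselves (perl .packlist files, Java .systemPrefs, Firefox/xulrunner .autoreg), and the "eth0: PACKET SNIFFER(...)" line means three processes hold AF_PACKET sockets on eth0. A DHCP client needs one, because it has to send before the interface has an address, and wpa_supplicant needs one for EAPOL frames, which are not IP, so on a machine with wireless that line is expected. What matters is whether anything else ever appears in it. The script below is an added example, not code from the thread or from chkrootkit: it rebuilds that listing from /proc/net/packet and /proc/<pid>/fd and flags any holder that is not on an allowlist. The allowlist and the sample table it writes are assumptions/constructed data, not captured from the poster's machine.

```shell
#!/bin/sh
# Added example, not from the thread or from chkrootkit: list which processes
# hold AF_PACKET sockets, then flag any that are not on an allowlist.
# Needs root to see other users' /proc/<pid>/fd entries.

# packet_socket_inodes FILE
#   FILE has /proc/net/packet's layout (header, then one socket per line:
#   sk RefCnt Type Proto Iface R Rmem User Inode). Prints the Inode column.
packet_socket_inodes() {
    awk 'NR > 1 && NF >= 9 { print $9 }' "$1"
}

# packet_socket_owners
#   Walks /proc/<pid>/fd, matches "socket:[inode]" links against the packet
#   socket inodes, prints "pid exe" for each holder (sorted, deduplicated).
packet_socket_owners() {
    inodes=" $(packet_socket_inodes /proc/net/packet | tr '\n' ' ')"
    for fd in /proc/[0-9]*/fd/*; do
        link=$(readlink "$fd" 2>/dev/null) || continue
        case "$link" in "socket:["*"]") ;; *) continue ;; esac
        ino=${link#"socket:["}
        ino=${ino%"]"}
        case "$inodes" in *" $ino "*) ;; *) continue ;; esac
        pid=${fd#/proc/}
        pid=${pid%%/*}
        echo "$pid $(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
    done | sort -u
}

# flag_unexpected ALLOWLIST
#   Reads "pid exe" lines on stdin; prints UNEXPECTED for any exe whose
#   basename is not in the space-separated ALLOWLIST.
flag_unexpected() {
    allow=" $1 "
    while read -r pid exe; do
        base=${exe##*/}
        case "$allow" in
            *" $base "*) ;;
            *) echo "UNEXPECTED $pid $exe" ;;
        esac
    done
}

# Constructed sample in /proc/net/packet's layout, not captured from a real
# machine: two raw sockets (Type 3) on interface index 2, protocols 0003
# (ETH_P_ALL) and 888e (EAPOL, the frames wpa_supplicant exchanges).
write_sample_packet_table() {
    printf 'sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n'
    printf 'ffff88003d1a5c00 3      3    0003   2     1 0      0      12345\n'
    printf 'ffff88003d1a5800 3      3    888e   2     1 0      0      12346\n'
}

if [ "${1:-}" = "--live" ]; then
    # Assumed allowlist for a desktop like the poster's: the DHCP client and
    # wpa_supplicant. Anything else holding a packet socket deserves a look.
    packet_socket_owners | flag_unexpected "dhclient3 dhclient wpa_supplicant"
fi
```

    Run it as root with --live on the box in question. Anything it prints as UNEXPECTED is worth identifying before trusting the "not infected" verdict, and a kernel-level rootkit can hide processes from /proc, so an empty list is only as trustworthy as the kernel you are asking.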


      #3
      Re: Infected, or just paranoid?

      What was the warning?

      or just [warn] after the file name?

      To be sure run chkrootkit as well, then post back.

      You could check the md5sums from the original deb files against what is installed, and ideally give a link to /var/log/rkhunter.log (it may be a bit big to post in full, or you could edit it down to the applicable sections).

      Just to add, I got a rootkit about 8 years ago on a Linux box, contracted through installing some software from source I acquired from a web site that was not the project's own. I noticed it by seeing a couple of extra users that I never added. As it was a test machine I nuked the installation from orbit, but it taught me to trust where I install software from, even on Linux.



        #4
        Re: Infected, or just paranoid?

        Thanks guys.

        I ran chkrootkit and it came up clean. The warning from Rootkit Hunter was just the word "warning" after the file name, but I found the Rootkit Hunter log, and the MD5s didn't match.

        I haven't noticed any strange behavior though. I wonder if it could be a result of Bastille changing some file permissions, but I don't remember what files it changed, and I'm not sure why changing permissions would change the actual file.

        Well...I'll keep looking.

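        The check #3 suggests, and the result #4 reports, both come down to one question: do the installed binaries still match what the package manager put there? Rootkit Hunter's file properties test compares each file with the snapshot it stored the last time "rkhunter --propupd" was run, so a package update made after that snapshot produces exactly this kind of MD5 warning with nothing wrong, while a permission change on its own (what Bastille does) alters the properties rkhunter records but not the MD5. The reference that settles it is dpkg's own record in /var/lib/dpkg/info/<package>.md5sums (the debsums package automates the same comparison). The script below is an added example, not code from the thread or from rkhunter/dpkg: it does that comparison with nothing but coreutils, and the scratch tree it builds is constructed data.

```shell
#!/bin/sh
# Added example, not from the thread: verify installed files against the
# md5sums dpkg recorded for their package (/var/lib/dpkg/info/<pkg>.md5sums).
#
# Real usage on an Ubuntu box (the function only needs coreutils):
#   pkg=$(dpkg -S /bin/bash | cut -d: -f1)          # owning package: bash
#   check_md5sums "/var/lib/dpkg/info/$pkg.md5sums" /
# To check against a pristine copy instead of the possibly tampered disk:
#   apt-get install --reinstall -d "$pkg"           # .deb lands in /var/cache/apt/archives
#   dpkg-deb -x /var/cache/apt/archives/<the downloaded .deb> /tmp/clean
#   check_md5sums "/var/lib/dpkg/info/$pkg.md5sums" /tmp/clean

# check_md5sums MD5SUMS_FILE ROOT
#   MD5SUMS_FILE lines look like "<md5>  <path relative to ROOT>".
#   Prints MISSING/CHANGED lines; returns 0 only if every file matched.
check_md5sums() {
    sums=$1
    root=$2
    status=0
    while read -r want path || [ -n "$want" ]; do
        [ -z "$path" ] && continue
        if [ ! -f "$root/$path" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        have=$(md5sum "$root/$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "CHANGED  $path  recorded=$want actual=$have"
            status=1
        fi
    done < "$sums"
    return $status
}

# make_demo -> prints the path of a constructed scratch tree: a fake root with
# two "binaries", an md5sums file recorded while they were pristine, and then
# one of them altered afterwards (as an update or a rootkit would do).
make_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/root/bin" "$demo/root/usr/bin"
    printf 'bash-binary\n' > "$demo/root/bin/bash"
    printf 'sudo-binary\n' > "$demo/root/usr/bin/sudo"
    ( cd "$demo/root" && md5sum bin/bash usr/bin/sudo ) > "$demo/bash.md5sums"
    printf 'trojaned\n' >> "$demo/root/bin/bash"
    echo "$demo"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo)
    check_md5sums "$d/bash.md5sums" "$d/root"   # reports CHANGED  bin/bash
    rm -rf "$d"
fi
```

        Two caveats. The md5sums lists live on the same disk an intruder would control, so a mismatch is informative but a match against them is weaker than a match against a .deb fetched fresh from the mirror. And a kernel rootkit can feed md5sum a clean copy of a file it has replaced, which is why #5's suggestion of a baseline taken before the incident, or checking from a boot CD, is the stronger tool. If the files match the package, the rkhunter warnings were stale properties, and "rkhunter --propupd" refreshes its snapshot.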


          #5
          Re: Infected, or just paranoid?

          If you are looking for something to scan for changed files, tripwire has been a skin-saver for me in the past. Of course in your case, the changes have already been made so installing and running it now won't help you at this juncture. Just an idea looking forward.

          Good luck with your hunt.

          Mike

