understanding chkrootkit and rkhunter logs

Discussion:

a***@gmail.com

2007-05-08 09:56:10 UTC

Hi,
I'm sorry for asking a totally newbie question but I haven't found an answer to this. I'm really curious and concerned about what is reported by the chkrootkit and rkhunter on my Debian Etch home server.

Here's what I get when I run them:

CHKROOTKIT:

Searching for suspicious files and dirs, it may take a while...
/usr/lib/xulrunner/.autoreg
/lib/init/rw/.ramfs

Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/sbin/dhclient[2181])

In the system mail I also get this:

/etc/cron.daily/chkrootkit:
The following suspicious files and directories were found:
/usr/lib/xulrunner/.autoreg
/lib/init/rw/.ramfs

eth0: PACKET SNIFFER(/sbin/dhclient[2136])

RKHUNTER reports this:

* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ Warning! ]
---------------
/etc/.pwd.lock /dev/.static
/dev/.udev
/dev/.initramfs
/dev/.initramfs-tools
---------------
Please inspect: /dev/.static (directory) /dev/.udev (directory) /dev/.initramfs (directory)

Is this something to be worried about? How can I investigate further into these two issues?

Thanks,
Ale.

SZTANYIK Bence Tamas

2007-05-08 17:12:22 UTC

Permalink

Hi Ale,

Post by a***@gmail.com
eth0: PACKET SNIFFER(/sbin/dhclient[2181])

You don't need to worry about this if you're really obtaining your IP
address via DHCP on eth0. dhclient really acts as a packet sniffer (it
listens in promisc mode) but that's normal.

The other files/directories seem to be OK as well (at least I have them
on Debian too :)) but you can still google a bit about that if you feel
worried.

Cheers,
Bence

Oren Held

2007-05-09 07:19:31 UTC

Permalink

About /lib/init/rw/.ramfs: I also suffer from daily false-positive mails.
Seems like it's a bad behavior which should be fixed...

http://stereo.lu/chkrootkit-finds-libinitrwramfs-on-debian-etch
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=403863

- Oren

Post by a***@gmail.com
Hi,
I'm sorry for asking a totally newbie question but I haven't found an
answer to this. I'm really curious and concerned about what is reported by
the chkrootkit and rkhunter on my Debian Etch home server.
Searching for suspicious files and dirs, it may take a while...
/usr/lib/xulrunner/.autoreg
/lib/init/rw/.ramfs
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/sbin/dhclient[2181])
/usr/lib/xulrunner/.autoreg
/lib/init/rw/.ramfs
eth0: PACKET SNIFFER(/sbin/dhclient[2136])
* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ Warning! ]
---------------
/etc/.pwd.lock /dev/.static
/dev/.udev
/dev/.initramfs
/dev/.initramfs-tools
---------------
Please inspect: /dev/.static (directory) /dev/.udev (directory)
/dev/.initramfs (directory)
Is this something to be worried about? How can I investigate further into these two issues?
Thanks,
Ale.

Juergen Repolusk

2007-05-09 06:57:37 UTC

Permalink

/dev/.initramfs/ is afaik created by the initramfs-tools during boot. if you
want to investigate more search for your initramfs scripts and take a closer
look at it. The same is for /dev/.udev

Maybe you should take a closer look on the other files and see whats inside of
them - but I guess they will be fine too:

/etc/.pwd.lock /dev/.static
/usr/lib/xulrunner/.autoreg
/lib/init/rw/.ramfs

Best regards,
Juergen

Post by a***@gmail.com
Thanks,
Ale.

--
Jürgen Repolusk
+43 650 5661250
http://jvr.at/serendipity/

Clinton E. Troutman

2007-05-09 16:17:57 UTC

Permalink

Post by a***@gmail.com
Hi,
I'm sorry for asking a totally newbie question but I haven't found an
answer to this. I'm really curious and concerned about what is reported
by the chkrootkit and rkhunter on my Debian Etch home server.
Searching for suspicious files and dirs, it may take a while...
/usr/lib/xulrunner/.autoreg
/lib/init/rw/.ramfs
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/sbin/dhclient[2181])
/usr/lib/xulrunner/.autoreg
/lib/init/rw/.ramfs
eth0: PACKET SNIFFER(/sbin/dhclient[2136])
* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ Warning!
] ---------------
/etc/.pwd.lock /dev/.static
/dev/.udev
/dev/.initramfs
/dev/.initramfs-tools
---------------
Please inspect: /dev/.static (directory) /dev/.udev (directory)
/dev/.initramfs (directory)
Is this something to be worried about? How can I investigate further into these two issues?
Thanks,
Ale.

On initial installation of both chkrootkit and rkhunter, I received many of
the same type messages.

My understanding is that since these softwares are intended for general
Linux installation, the software cannot be configured specifically for any
installation "out of the box"; some tuning is necessary through adjustment
of configuration files.

Each warning bears investigation (you will also learn about your system in
this investigation). Once you have determined a particular warning is not a
threat/problem, adjust your configuration files accordingly.

I will also say the database for rkhunter seems to have some issues. In my
case, there is a particular daily warning:
/usr/bin/wget Â [ BAD ]
that I cannot get rid of no matter what I do...
Point is, you may not rid yourself of all warnings; or, if your lucky, you
might...

HTH,

--
Clinton E. Troutman
CeTro
Independent Computer Consultant for Home,
Home Office, and Small Business in Fort Worth, Texas