[Novalug] Warnings (was Re: php vulnerability ...) (LONG)
Beartooth
beartooth@Beartooth.Info
Fri May 18 11:04:38 EDT 2012
On Thu, 17 May 2012, James Ewing Cottrell 3rd wrote:
> Recently I googled an error message I was seeing. The article
> said "You're infected...run 'chkrootkit' and 'rkhunter'".
First off, "rpm -q php" got "not installed", both as
userid and as root. So this may be a whole nother kettle of fish.
> Google both names, download, and run them. They will tell you
> if you have one or more of many common infections.
I did not get "you're infected." But after trying both
commands ("not installed") I did "yum install chkrootkit" and
"yum install rkhunter."
chkrootkit gave me:
Searching for Suckit rootkit...
Warning: /sbin/init INFECTED
rkhunter -c gave me:
Performing file properties checks
Checking for prerequisites [ Warning ]
Performing trojan specific checks
Checking for enabled xinetd services [ Warning ]
Checking for passwd file changes [ Warning ]
Checking for group file changes [ Warning ]
System checks summary
=====================
File properties checks...
Required commands check failed
Files checked: 139
Suspect files: 0
Rootkit checks...
Rootkits checked : 249
Possible rootkits: 0
Applications checks...
All checks skipped
The system checks took: 12 minutes and 23 seconds
All results have been written to the log file
(/var/log/rkhunter/rkhunter.log)
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)
[root@Hbsk3 ~]#
In the log I found :
[10:03:33] Info: Starting test name 'shared_libs_path'
[10:03:33] Checking LD_LIBRARY_PATH variable $
[10:03:33]
[10:03:33] Info: Starting test name 'properties'
[10:03:33] Performing file properties checks
[10:03:33] Warning: Checking for prerequisites $
[10:03:33] The file of stored file properties$
[10:03:33] Info: The file properties check will still $
[10:03:33]
[10:03:33]
[10:03:33] Warning: WARNING! It is the users responsib$
is used, all the files on their system are $
reliable source. The rkhunter '--check' opt$
against previously stored values, and repor$
cannot determine what has caused the change$
[10:03:33] Info: Found file '/sbin/ifdown': it is whit$
[10:03:33] /sbin/ifup $
[10:03:33] Info: Found file '/sbin/ifup': it is whitel$
[10:03:36] Info: Found file '/usr/bin/GET': it is whit$
[10:03:36] /usr/bin/groups $
[10:03:36] Info: Found file '/usr/bin/groups': it is w$
[10:03:36] Info: Found file '/usr/bin/ldd': it is whit$
[10:03:37] Info: Found file '/usr/bin/whatis': it is w$
[10:08:13] Performing Suckit Rookit additional checks
[10:08:13] Checking hard link count on '/sbin/init$
[10:08:13] Checking for hidden file extensions $
[10:08:13] Running skdet command $
[10:08:13] Info: Unable to find the 'skdet' command
[10:08:13] Suckit Rookit additional checks $
[10:08:19] Info: Starting test name 'malware'
[10:08:19] Performing malware checks
[10:08:19]
[10:08:19] Info: Test 'deleted_files' disabled at user$
[10:08:19]
[10:08:20] Info: Test 'hidden_procs' disabled at users$
[10:08:20]
[10:08:20] Info: Test 'suspscan' disabled at users req$
[10:08:20]
[10:08:21] Checking for software intrusions $
[10:08:21] Info: Check skipped - tripwire not installed
[10:08:21] Checking for enabled xinetd services $
[10:08:21] Warning: Found enabled xinetd service: /etc$
[10:08:21] Info: Apache backdoor check skipped: Apache$
[10:08:21]
[10:15:05] Info: Starting test name 'hidden_ports'
[10:15:05] Checking for hidden ports $
[10:15:05] Info: Unable to find the 'unhide-tcp' comma$
[10:15:05]
[10:15:05] Info: Starting test name 'group_accounts'
[10:15:05] Performing group and account checks
[10:15:05] Checking for passwd file $
[10:15:05] Info: Found password file: /etc/passwd
[10:15:05] Checking for root equivalent (UID 0) acco$
[10:15:05] Info: Found shadow file: /etc/shadow
[10:15:05] Checking for passwordless accounts $
[10:15:05]
[10:15:05] Info: Starting test name 'group_changes'
[10:15:05] Checking for group file changes $
[10:15:05] Warning: Unable to check for group file dif$
[10:15:05]
[10:15:53] Info: Test 'apps' disabled at users request.
[10:15:53] Possible rootkits: 0
[10:15:53]
[10:15:53] Applications checks...
[10:15:53] All checks skipped
All those lines about "users request" did not come from any user I
know of.
So is it something to worry about??
--
Beartooth Staffwright, Not Quite Clueless Power User
Remember I know little (precious little!) of where up is.
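The log pasted above mixes three different kinds of lines: "Info: Test 'X' disabled at users request" (which rkhunter prints for tests listed under DISABLE_TESTS in rkhunter.conf, i.e. the distribution's shipped configuration, not anything typed at the prompt), "Warning:" lines that only say no baseline exists yet (the stored file-properties file and the passwd/group copies are created by `rkhunter --propupd`), and "Warning:" lines that actually merit a look, such as the enabled xinetd service. The script below is an added example, not code from the original post or from the rkhunter project; it assumes the "[HH:MM:SS] Info:/Warning:" line shape visible in the post, and the sample log, paths and message wordings in it are constructed for the demonstration rather than copied from the poster's real /var/log/rkhunter/rkhunter.log.

```python
"""Triage an rkhunter log: separate config-disabled tests and missing-baseline
noise from warnings that need a human look.

Added example, not part of the original post. Assumes the rkhunter log format
seen in the post: "[HH:MM:SS]" prefix, test sections opened by
"Info: Starting test name '<name>'", findings prefixed with "Warning:".
"""
import re

# Constructed sample log; messages and paths are illustrative only.
SAMPLE_LOG = """\
[10:03:33] Info: Starting test name 'properties'
[10:03:33] Performing file properties checks
[10:03:33] Warning: Checking for prerequisites                             [ Warning ]
[10:03:33] The file of stored file properties does not exist; run 'rkhunter --propupd'.
[10:08:19] Info: Starting test name 'malware'
[10:08:19] Info: Test 'deleted_files' disabled at users request.
[10:08:20] Info: Test 'hidden_procs' disabled at users request.
[10:08:21] Warning: Found enabled xinetd service: /etc/xinetd.d/example-service
[10:15:05] Info: Starting test name 'group_changes'
[10:15:05] Warning: Unable to check for group file differences: no stored copy exists.
[10:15:53] Info: Test 'apps' disabled at users request.
"""

LINE_RE = re.compile(r"^\[\d\d:\d\d:\d\d\]\s*(.*)$")
TEST_RE = re.compile(r"^Info: Starting test name '([^']+)'")
DISABLED_RE = re.compile(r"^Info: Test '([^']+)' disabled at users request")
# Captures the warning text and drops a trailing "[ Warning ]" status column.
WARN_RE = re.compile(r"^Warning:\s*(.*?)\s*(?:\[\s*Warning\s*\])?\s*$")

# Wording that means "no baseline stored yet" (resolved by 'rkhunter --propupd'
# on a known-clean system), as opposed to a finding that needs investigation.
BASELINE_RE = re.compile(
    r"prerequisites|stored file properties|no stored copy"
    r"|unable to check for .* file differences",
    re.IGNORECASE,
)


def classify(warning_text):
    """Return 'needs-baseline' for missing-baseline noise, else 'investigate'."""
    return "needs-baseline" if BASELINE_RE.search(warning_text) else "investigate"


def parse_log(log_text):
    """Return (warnings_by_test, disabled_tests).

    warnings_by_test maps the current 'Starting test name' to the Warning
    lines raised under it (key None for warnings before any test header).
    disabled_tests lists tests skipped "at users request", which rkhunter
    takes from DISABLE_TESTS in rkhunter.conf, not from the command line.
    """
    current = None
    warnings = {}
    disabled = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a timestamped log line (e.g. wrapped continuation)
        msg = m.group(1)
        t = TEST_RE.match(msg)
        if t:
            current = t.group(1)
            continue
        d = DISABLED_RE.match(msg)
        if d:
            disabled.append(d.group(1))
            continue
        w = WARN_RE.match(msg)
        if w and w.group(1):
            warnings.setdefault(current, []).append(w.group(1))
    return warnings, disabled


def triage(log_text):
    """Flatten to (test, category, warning) rows in log order for review."""
    warnings, _ = parse_log(log_text)
    return [(test, classify(text), text)
            for test, texts in warnings.items() for text in texts]


if __name__ == "__main__":
    for test, cat, text in triage(SAMPLE_LOG):
        print(f"{cat:15} {test:15} {text}")
    print("disabled by rkhunter.conf:", ", ".join(parse_log(SAMPLE_LOG)[1]))
```

Run against a real log with `triage(open("/var/log/rkhunter/rkhunter.log").read())`. The "needs-baseline" rows go away once `rkhunter --propupd` has been run on a system you trust; the "investigate" rows (and the chkrootkit /sbin/init hit) are what to cross-check by other means, for example verifying the flagged file against the package manager's recorded checksums.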