On Thu, Jan 3, 2013 at 7:27 AM, ellanios82 <ellanios82@gmail.com> wrote:
Hello List
The program rkhunter shows a possible rootkit, with messages as follows:

Starting test name 'running_procs'
[19:02:43] Checking running processes for suspicious files [ Warning ]
[19:02:43] Warning: The following processes are using suspicious files:
[19:02:44]   Command: cron
[19:02:44]     UID: 0  PID: 3191
[19:02:44]     Pathname: /etc/crontab
[19:02:44]     Possible Rootkit: Unknown rootkit
[19:02:44]   Command: cron
[19:02:44]     UID: 0  PID: 24469
[19:02:44]     Pathname: /etc/crontab
[19:02:44]     Possible Rootkit: Unknown rootkit
[19:02:44]   Command: egrep
[19:02:44]     UID: 0  PID: 19756
[19:02:44]     Pathname: /etc/crontab
[19:02:44]     Possible Rootkit: Unknown rootkit
[19:02:44]   Command: rkhunter
[19:02:44]     UID: 0  PID: 24855
[19:02:44]     Pathname: /etc/crontab
[19:02:44]     Possible Rootkit: Unknown rootkit
[19:02:44]   Command: run-crons
[19:02:44]     UID: 0  PID: 24471
[19:02:44]     Pathname: /etc/crontab
[19:02:44]     Possible Rootkit: Unknown rootkit
[19:02:44]   Command: sh
[19:02:44]     UID: 0  PID: 24470
[19:02:44]     Pathname: /etc/crontab
[19:02:44]     Possible Rootkit: Unknown rootkit
[19:02:44]   Command: sort
[19:02:44]     UID: 0  PID: 19757
.................
What prudent steps should one take to see if a rootkit exists?
In general:

- Manually inspect the file: is it clearly innocuous?
- Look at its permissions: does it have the substitute user or group bits set?
- Get its MD5, SHA1 and SHA-256 hash (use md5sum, sha1sum, and sha256sum respectively).
- Google search for the error messages and the hash values.
- If the suspicious file has contents, submit it to www.virustotal.com for analysis (free).
- Run strings against the file: do you see strange strings in there?

Greg

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org