On Tuesday 17 August 2004 16:51, peter Nikolic wrote:

On Tuesday 17 Aug 2004 13:46, Leendert Meyer wrote:

...

On Tuesday 17 August 2004 14:18, Dave Lists wrote:

...

...

using the text I've written. It is available at:

http://portal.suse.com/sdb/de/2004/08/pohletz_chroot_infected_progs.ht ml

Is there an English version of this? :-)

Seems there is none. But the alternative is:

http://babelfish.altavista.com/babelfish/tr?lp=de_en&url=http%3A//portal. suse.com/sdb/de/2004/08/pohletz_chroot_infected_progs.html

Be carefull, this is a long URL, it may be wrapped into several lines.

Thanks to Konqueror ;)

Cheers,

Leen

Just a quick one ...

Goto SuSE's Support Database, make sure the German language is selected, search for 'infected'. I found this: http://portal.suse.com/sdb/de/2004/08/pohletz_chkroot_infected_progs.html Use Konqueror to translate the page (Tools menu). Cheers, Leen

On Wednesday 18 August 2004 00:27, peter Nikolic wrote:

On Tuesday 17 Aug 2004 17:02, Leendert Meyer wrote:

...

On Tuesday 17 August 2004 16:51, peter Nikolic wrote:

...

On Tuesday 17 Aug 2004 13:46, Leendert Meyer wrote:

...

On Tuesday 17 August 2004 14:18, Dave Lists wrote:

...

...

using the text I've written. It is available at:

http://portal.suse.com/sdb/de/2004/08/pohletz_chroot_infected_prog s.ht ml

Is there an English version of this? :-)

Seems there is none. But the alternative is:

http://babelfish.altavista.com/babelfish/tr?lp=de_en&url=http%3A//por tal. suse.com/sdb/de/2004/08/pohletz_chroot_infected_progs.html

Be carefull, this is a long URL, it may be wrapped into several lines.

Thanks to Konqueror ;)

Cheers,

Leen

Just a quick one ...

Goto SuSE's Support Database, make sure the German language is selected, search for 'infected'.

I found this:

http://portal.suse.com/sdb/de/2004/08/pohletz_chkroot_infected_progs.html

Use Konqueror to translate the page (Tools menu).

Cheers,

Leen

Well about typical of Konqueror it dont want to know

Still get the right URL and good old Mozilla 1.8a2 behaves right .

Pete .

-- Linux user No: 256242 Machine No: 139931 G6NJR Pete also MSA registered "Quinton 11" A Linux Only area Happy bug hunting M$ clan PGN

http://www.chkrootkit.org/ is the place to look, chrootkit 0.43 . It works here with 9.1. Mike

On Wednesday 18 August 2004 02:31, Patrick Shanahan wrote:

* Michael Ayers [08-17-04 18:07]: ... much snipped ...

...

http://www.chkrootkit.org/ is the place to look, chrootkit 0.43 . It works here with 9.1.

but was last updated 27 Dec 03

there is rkhunter available at http://www.rootkit.nl and an rpm noarch available http://wahoo.no-ip.org/~pat/rkhunter-1.1.5-1.ps.noarch.rpm that was built 11 Aug 04.

Note that all these rootkit hunters are ultimately a very poor protection. It's a "quick fix" for people who don't want to do the whole thing with tripwire or similar solutions Also note that if you're going to trust rootkit hunters, having them installed on the system you're going to be monitoring is a very bad idea. If they are to be used at all, they should be kept on secondary storage, like a CD, and run from there when you check the system.

On Wednesday 18 August 2004 04:05, Scott Leighton wrote:

I don't think so....

helphand:/home/helphand/chkrootkit-0.43 # ./chkrootkit -q Checking `find'... INFECTED Checking `top'... INFECTED

You have 7 process hidden for readdir command You have 7 process hidden for ps command Warning: Possible LKM Trojan installed eth0: PF_PACKET(/sbin/dhcpcd) helphand:/home/helphand/chkrootkit-0.43 #

The problem is still there.

Scott

Sorry, you are right, I just checked again (was late last night) and I too have `find´ and `top´ infected but no other warnings etc. Mike