Ian, Have you done any checking with rpm? It has good options for verifying where files came from, e.g. rpm -qf filename rpm --verify packagename rpm -ql packagename I suppose if you are really paranoid you might distrust the information if you think you have been cracked, but at least it gives you a starting point for further investigation. Bob On Tue, 26 Feb 2002, Ian Laws wrote:
Hi Everyone.
I have just starting using chrootkit and as I do not really know what files are installed. I was wondering if these files are really suspicious and if I should delete them. please note. I have installed the Apache webserver with perl for the Intranet.
Searching for suspicious files and dirs, it may take a while... /usr/lib/perl5/5.6.0/i586-linux/.packlist /usr/lib/perl5/site_perl/5.6.0/i586- linux/auto/Alien/.packlist /usr/lib/perl5/site_perl/5.6.0/i586-linux/auto/Storable/.packlist /usr/lib/perl5/site_perl/5.6.0/i586-linux/auto/Tk/.packlist /usr/lib/perl5/site_perl/5.6.0/i586-linux/auto/Locale/gettext/.packlist /usr/lib/perl5/site_perl/5.6.0/i586-linux/auto/Tie/IxHash/.packlist /usr/lib/perl5/site_perl/5.6.0/i586-linux/auto/Digest/MD5/.packlist /usr/lib/perl5/site_perl/5.6.0/i586-linux/auto/HTML/Parser/.packlist /usr/lib/perl5/site_perl/5.6.0/i586-linux/auto/MIME/Base64/.packlist /usr/lib/perl5/site_perl/5.6.0/i586-linux/auto/URI/.packlist /usr/lib/perl5/site_perl/5.6.0/i586-linux/auto/Net/.packlist /usr/lib/perl5/site_perl/5.6.0/i586-linux/auto/libwww-perl/.packlist /usr/lib/jdk1.1.8/bin/.java_wrapper /usr/lib/jdk1.1.8/bin/i686/green_threads/.extract_args /usr/lib/jdk1.1.8/bin/i686/native_threads/.extract_args
Ian Laws
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
============================================================== Bob Vickers R.Vickers@cs.rhul.ac.uk Dept of Computer Science, Royal Holloway, University of London WWW: http://www.cs.rhul.ac.uk/home/bobv Phone: +44 1784 443691