Full Version: Chkrootkit differences when run as cron job
smoker
Hi,

I installed chkrootkit-0.41 on two Ensim 3.1.11-2 servers and set up the cron job as described in Foggy's How-To:
http://forum.rackshack.net/showthread.php?...s=&postid=44747

(I used the chkrootkit file in cron.daily approach)


Anyway, I ran it manually and there were no infections, no signs of trouble whatsoever, not even the famous false positives.

So, I sat back and waited for the first email of the chkrootkit output from cron.

Strangely, some of the output is different, see below:

From ssh : Checking `ldsopreload'... not infected

Cron Email : Checking `ldsopreload'... can't exec ./strings-static, not tested

From ssh :Checking `sniffer'...
eth0 is not promisc
eth0 is not promisc

Cron Email :Checking `sniffer'... not tested: can't exec ./ifpromisc

From ssh :Checking `wted'... nothing deleted

Cron Email :Checking `wted'... not tested: can't exec ./chkwtmp

From ssh :Checking `z2'... nothing deleted

Cron Email :Checking `z2'... not tested: can't exec ./chklastlog

Both servers have the same problem.

So I go and check the permissions in the chkrootkit-0.41 directory and find that lots of the files are owned by user 1000 in group 1000.

Should I chown/chgrp all the files to root to get the two outputs to match, or will this stop something else from working?


-r--r--r-- 1 1000 1000 3363 Jun 21 07:03 ACKNOWLEDGMENTS
-rwxr-xr-x 1 root root 3172 Aug 3 05:10 check_wtmpx
-r--r--r-- 1 1000 1000 7191 Jun 5 04:18 check_wtmpx.c
-rwxr-xr-x 1 root root 6732 Aug 3 05:10 chkdirs
-r--r--r-- 1 1000 1000 6680 Jun 5 04:18 chkdirs.c
-rwxr-xr-x 1 root root 7328 Aug 3 05:10 chklastlog
-r--r--r-- 1 1000 1000 7746 Jun 5 04:18 chklastlog.c
-rwxr-xr-x 1 root root 7184 Aug 3 05:10 chkproc
-r--r--r-- 1 1000 1000 6502 Jun 8 02:45 chkproc.c
-rwxr-xr-x 1 1000 1000 64811 Jun 21 08:09 chkrootkit
-r--r--r-- 1 1000 1000 552 Jun 21 07:13 chkrootkit.lsm
-rwxr-xr-x 1 root root 4496 Aug 3 05:10 chkwtmp
-r--r--r-- 1 1000 1000 1945 Jun 5 04:18 chkwtmp.c
-r--r--r-- 1 1000 1000 1343 Jun 5 04:18 COPYRIGHT
-rwxr-xr-x 1 root root 4864 Aug 3 05:10 ifpromisc
-r--r--r-- 1 1000 1000 3293 Jun 20 04:07 ifpromisc.c
-r--r--r-- 1 1000 1000 1421 Jun 5 04:18 Makefile
-r--r--r-- 1 1000 1000 11336 Jun 21 08:13 README
-r--r--r-- 1 1000 1000 1323 Jun 5 04:18 README.chklastlog
-r--r--r-- 1 1000 1000 1292 Jun 5 04:18 README.chkwtmp
-rwxr-xr-x 1 root root 413224 Aug 3 05:10 strings
-r--r--r-- 1 1000 1000 2437 Jun 5 04:18 strings.c

Thanks

alan
dynamicnet
Greetings:

Did you compile chkrootkit with "make sense" from within the installation directory?

Thank you.
smoker
QUOTE
Originally posted by dynamicnet
Greetings:

Did you compile chkrootkit with "make sense" from within the installation directory?


Hi, yes, I followed the howto and read the README.

It is only through cron that the differences show up.

I chowned all the files to root last night and I'm now waiting for the results.


alan
NeoVerve
You have to run chkrootkit from the directory it is in.

Have the script that runs chkrootkit change into that directory first.
smoker
Hi,

As far as I was aware, it was running from the chkrootkit directory.

From the how-to:

QUOTE
Add a file named chkrootkit to /etc/cron.daily/

vi /etc/cron.daily/chkrootkit

In the file type the following...

#!/bin/bash
/fullpath/chkrootkit-pre-0.36/./chkrootkit -q | mail -s "Daily chkrootkit Output" you@yourdomain.com

Then save the file, chmod 755.



My file reads:
#!/bin/bash
/home/admin/chkrootkit-0.41/./chkrootkit | mail -s "Daily chkrootkit Output" me@mydomain.com

But looking at it now, do I need the ./ before the chkrootkit command?

Surely it should be OK with just:
/home/admin/chkrootkit-0.41/chkrootkit

or would cd /home/admin/chkrootkit-0.41/ ./chkrootkit
be better?

thanks

alan

BTW, chowning made no difference, not that I expected it to.
NeoVerve
Calling it as
/fullpath/chkrootkit doesn't change your working directory.

chkrootkit calls other parts as ./filetoexec

If your working directory isn't where chkrootkit is, it won't work.

Just cd into the directory first:

cd /fullpath

./chkrootkit
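The effect NeoVerve describes can be reproduced without the real tool. The script below is an added example, not code from this thread, from Foggy's how-to or from chkrootkit itself: it builds a constructed stand-in tree (a fake chkrootkit script that calls a fake ./ifpromisc helper, modelled on the "can't exec ./ifpromisc" line in the cron mail), runs it once by absolute path with no cd and once after a cd, and writes the corrected cron.daily wrapper. The directory layout, helper name and message texts are assumptions taken from the thread; the mail command is the how-to's own pipeline with the missing cd added.

```shell
#!/bin/sh
# Added example, not from the thread or from chkrootkit. It shows why helpers
# invoked as ./ifpromisc, ./chkwtmp, ... are found only when the working
# directory is the chkrootkit directory, using a constructed stand-in tree.

# build_fixture DIR: create a constructed chkrootkit-like directory.
build_fixture() {
    dir="$1"
    mkdir -p "$dir"
    # stand-in for a compiled helper such as ifpromisc
    printf '#!/bin/sh\necho helper-ran\n' > "$dir/ifpromisc"
    chmod 755 "$dir/ifpromisc"
    # stand-in main script; like the real one it invokes the helper as ./ifpromisc
    cat > "$dir/chkrootkit" <<'EOF'
#!/bin/sh
if [ -x ./ifpromisc ]; then
    echo "Checking \`sniffer'... $(./ifpromisc)"
else
    echo "Checking \`sniffer'... not tested: can't exec ./ifpromisc"
fi
EOF
    chmod 755 "$dir/chkrootkit"
}

# run_by_path DIR: the how-to's way, absolute path and no cd. The working
# directory stays wherever cron started, so ./ifpromisc is not found.
run_by_path() {
    "$1/chkrootkit"
}

# run_with_cd DIR: cd into the directory in a subshell, then run ./chkrootkit.
# If the cd fails the run aborts instead of silently scanning from the wrong place.
run_with_cd() {
    ( cd "$1" || exit 1; ./chkrootkit )
}

# write_cron_wrapper DIR MAILTO OUT: write the corrected /etc/cron.daily script
# to OUT. Same mail pipeline as the how-to, with the missing cd added.
write_cron_wrapper() {
    cat > "$3" <<EOF
#!/bin/bash
cd "$1" || exit 1
./chkrootkit | mail -s "Daily chkrootkit Output" "$2"
EOF
    chmod 755 "$3"
}

# demo: show both outputs side by side on a throwaway tree, then clean up.
demo() {
    tmp=$(mktemp -d)
    build_fixture "$tmp/chkrootkit-0.41"
    echo "absolute path, no cd:"; run_by_path "$tmp/chkrootkit-0.41"
    echo "cd first:";             run_with_cd "$tmp/chkrootkit-0.41"
    write_cron_wrapper "$tmp/chkrootkit-0.41" "me@mydomain.com" "$tmp/cron-chkrootkit"
    echo "wrapper:"; cat "$tmp/cron-chkrootkit"
    rm -rf "$tmp"
}
demo
```

The `./` inside `/home/admin/chkrootkit-0.41/./chkrootkit` is harmless but irrelevant: a path component never changes the process's working directory, which is what the `./helper` calls inside chkrootkit depend on. The `cd ... || exit 1` in the wrapper matters too: if the directory is ever moved, the cron mail stops arriving rather than arriving full of "not tested" lines that look like a partial result.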
smoker
Thanks for that,

Guess the "how-to" needs adjustment then.


alan