Full Version: CHKRootkit and RKHunter Output (Does everything check out?)
The Planet Forums > Security > General Security > UNIX Security
RennyRed
These were the results of my first CHKRootkit scan:

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/php/.registry /usr/lib/php/.lock /usr/lib/php/.filemap /usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Compress/Zlib/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Net/Telnet/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Net/Daemon/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Net/LDAP/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Net/SSLeay/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Net/AIM/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Net/DNS/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Net/IP/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Net/OSCAR/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Term/ReadKey/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Term/ReadLine/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/IO/Zlib/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/IO/Tee/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/IO/Stty/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/IO/Tty/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/IO/String/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/IO/Stringy/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/IO/Interactive/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/IO/Socket/SSL/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Archive/Tar/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Archive/Zip/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/MD5/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/IO-stringy/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Mail/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Mail/SpamAssassin/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/MIME-tools/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/RPC/PlServer/.packlist 
/usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/DBI/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/DBI/Shell/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/DBD/Multiplex/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/DBD/mysql/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Text/Reform/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Text/Query/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Text/CSV_XS/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Text/Glob/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Text/Diff/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/URI/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/HTML/Tagset/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/HTML/Parser/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/HTML/FillInForm/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/HTML/Clean/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/HTML/SimpleParse/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/HTML/Template/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/libwww-perl/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Parse/RecDescent/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/OLE/Storage_Lite/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Image/Size/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Safe/Hole/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Tie/ShadowHash/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Tie/Watch/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Tie/IxHash/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Business/UPS/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Business/OnlinePayment/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Business/OnlinePayment/AuthorizeNet/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Spreadsheet/ParseExcel/.packlist 
/usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Spreadsheet/WriteExcel/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Convert/ASN1/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Convert/BER/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/MLDBM/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/MLDBM/Sync/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Devel/Symdump/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/XML/Parser/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/XML/RegExp/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/XML/XSLT/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/XML/NamespaceSupport/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/XML/SAX/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/XML/Simple/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Persistent/Base/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Persistent/DBI/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Crypt/Blowfish/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Crypt/Blowfish_PP/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Crypt/CBC/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Crypt/DES/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Crypt/SSLeay/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/libxml-perl/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/XML-DOM/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Curses/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Data/ShowTable/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/GD/Text/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/GD/Graph/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/GD/Graph3d/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/GD/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/GD/SecurityImage/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/SOAP/Lite/.packlist 
/usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/SQL/Statement/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Tree/MultiNode/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Digest/SHA1/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Digest/HMAC/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Digest/SHA/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Expect/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Geo/IPfree/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Sys/Hostname/Long/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/TimeDate/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/File/Copy/Recursive/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/File/Tail/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/File/HomeDir/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Filesys/Statvfs/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Module/Build/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Module/Signature/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/version/vxs/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/version/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/BSD/Resource/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Readonly/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/LWP/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Quota/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Class/Std/Utils/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Class/Std/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Class/Spiffy/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Unix/PID/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Spiffy/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Test/Base/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/YAML/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/PAR/Dist/.packlist 
/usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Algorithm/Diff/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/MIME/Lite/.packlist /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/Set/Crontab/.packlist /usr/lib/perl5/5.8.4/i686-linux/auto/Cwd/.packlist /usr/lib/perl5/5.8.4/i686-linux/auto/Digest/MD5/.packlist /usr/lib/perl5/5.8.4/i686-linux/auto/File/Temp/.packlist /usr/lib/perl5/5.8.4/i686-linux/auto/List/Util/.packlist /usr/lib/perl5/5.8.4/i686-linux/auto/MIME/Base64/.packlist /usr/lib/perl5/5.8.4/i686-linux/auto/Storable/.packlist /usr/lib/perl5/5.8.4/i686-linux/auto/Time/HiRes/.packlist /usr/lib/perl5/5.8.4/i686-linux/auto/Net/.packlist /usr/lib/perl5/5.8.4/i686-linux/auto/CGI/.packlist /usr/lib/perl5/5.8.4/i686-linux/auto/CPAN/.packlist /usr/lib/perl5/5.8.4/i686-linux/auto/Test/Simple/.packlist /usr/lib/perl5/5.8.4/i686-linux/auto/.packlist /usr/lib/perl5/5.8.4/i686-linux/.packlist
/usr/lib/php/.registry
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
eth0:1: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... chkutmp: nothing deleted

------------------------------------------------------------------

These were the results of my first RKHunter scan:

Rootkit Hunter 1.1.4 is running

Determining OS... Warning: this operating system is not fully supported!
Ready
Warning: Cannot find md5_not_known
All MD5 checks will be skipped!


Checking binaries
* Selftests
Strings (command) [ OK ]


* System tools
Skipped!


Check rootkits
* Default files and directories
Rootkit '55808 Trojan - Variant A'... [ OK ]
Rootkit 'AjaKit'... [ OK ]
Rootkit 'aPa Kit'... [ OK ]
Rootkit 'Apache Worm'... [ OK ]
Rootkit 'Ambient (ark) Rootkit'... [ OK ]
Rootkit 'Balaur Rootkit'... [ OK ]
Rootkit 'BeastKit'... [ OK ]
Rootkit 'BOBKit'... [ OK ]
Rootkit 'CiNIK Worm (Slapper.B variant)'... [ OK ]
Rootkit 'Danny-Boy's Abuse Kit'... [ OK ]
Rootkit 'Devil RootKit'... [ OK ]
Rootkit 'Dica'... [ OK ]
Rootkit 'Dreams Rootkit'... [ OK ]
Rootkit 'Duarawkz'... [ OK ]
Rootkit 'Flea Linux Rootkit'... [ OK ]
Rootkit 'FreeBSD Rootkit'... [ OK ]
Rootkit 'f***`it Rootkit'... [ OK ]
Rootkit 'GasKit'... [ OK ]
Rootkit 'Heroin LKM'... [ OK ]
Rootkit 'HjC Kit'... [ OK ]
Rootkit 'ignoKit'... [ OK ]
Rootkit 'ImperalsS-FBRK'... [ OK ]
Rootkit 'Irix Rootkit'... [ OK ]
Rootkit 'Kitko'... [ OK ]
Rootkit 'Knark'... [ OK ]
Rootkit 'Li0n Worm'... [ OK ]
Rootkit 'Lockit / LJK2'... [ OK ]
Rootkit 'MRK'... [ OK ]
Rootkit 'RootKit for SunOS / NSDAP'... [ OK ]
Rootkit 'Optic Kit (Tux)'... [ OK ]
Rootkit 'Oz Rootkit'... [ OK ]
Rootkit 'Portacelo'... [ OK ]
Rootkit 'R3dstorm Toolkit'... [ OK ]
Sebek LKM [ OK ]
Rootkit 'Scalper Worm'... [ OK ]
Rootkit 'Shutdown'... [ OK ]
Rootkit 'SHV4'... [ OK ]
Rootkit 'Sin Rootkit'... [ OK ]
Rootkit 'Slapper'... [ OK ]
Rootkit 'Sneakin Rootkit'... [ OK ]
Rootkit 'Suckit Rootkit'... [ OK ]
Rootkit 'SunOS Rootkit'... [ OK ]
Rootkit 'Superkit'... [ OK ]
Rootkit 'TBD (Telnet BackDoor)'... [ OK ]
Rootkit 'TeLeKiT'... [ OK ]
Rootkit 'T0rn Rootkit'... [ OK ]
Rootkit 'Trojanit Kit'... [ OK ]
Rootkit 'Tuxtendo'... [ OK ]
Rootkit 'URK'... [ OK ]
Rootkit 'VcKit'... [ OK ]
Rootkit 'Volc Rootkit'... [ OK ]
Rootkit 'X-Org SunOS Rootkit'... [ OK ]
Rootkit 'zaRwT.KiT Rootkit'... [ OK ]

* Suspicious files and malware
Scanning for known rootkit strings [ OK ]
Scanning for known rootkit files [ OK ]
Miscellaneous Login backdoors [ OK ]
Miscellaneous directories [ OK ]
Sniffer logs [ OK ]

Is everything fine? I'm particularly concerned about the output under "Searching for suspicious files and dirs" (CHKRootkit) and "Warning: this operating system is not fully supported!" (RKHunter). Does my version of Linux need to be updated? Any help would be greatly appreciated.
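A triage pass over output like the one quoted above, added here as an example (it is not from the post and not chkrootkit's own code): it parses an excerpt of the scan, cross-checks the port the `bindshell` test complained about against a table of which process owns each listening socket, and separates hidden files that are ordinary installer metadata from hidden files that still need a look. SAMPLE_OUTPUT, the LISTENERS table and the extra path /usr/lib/.tmp_data are constructed for the example; the metadata file names are what ExtUtils::Install and PEAR really write.

```python
import re

# Constructed excerpt of the chkrootkit output quoted above, plus one made-up
# hidden path (/usr/lib/.tmp_data) that is not installer metadata.
SAMPLE_OUTPUT = """\
Checking `ls'... not infected
Checking `amd'... not found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/php/.registry /usr/lib/perl5/site_perl/5.8.4/i686-linux/auto/DBI/.packlist
/usr/lib/.tmp_data
Searching for Suckit rootkit... nothing found
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... chkproc: nothing detected
"""

# Constructed listener table, port -> owning process (netstat -lntp / ss -lntp on
# the real host). chkrootkit's bindshell test only matches a fixed port list; the
# verdict depends on which process actually owns the socket.
LISTENERS = {465: "sendmail", 22: "sshd"}

# Hidden names written by ordinary installers: ExtUtils::Install (.packlist) and
# PEAR (.registry, .lock, .filemap). Still confirm ownership against the package DB.
PACKAGE_METADATA = {".packlist", ".registry", ".lock", ".filemap"}

CHECK_RE = re.compile(r"^Checking `(\w+)'\.\.\. (.*)$")
PORTS_RE = re.compile(r"INFECTED \(PORTS: ([\d ]+)\)")

def triage(output, listeners=LISTENERS):
    """Return (test, verdict, detail) tuples for every hit that needs a human look."""
    findings = []
    lines = output.splitlines()
    for i, line in enumerate(lines):
        m = CHECK_RE.match(line)
        if m:
            test, result = m.groups()
            if "INFECTED" not in result:
                continue  # not found / not infected / not tested: nothing to do
            ports = PORTS_RE.search(result)
            if test == "bindshell" and ports:
                for port in map(int, ports.group(1).split()):
                    owner = listeners.get(port)
                    verdict = "likely false positive" if owner else "investigate"
                    findings.append((test, verdict, f"port {port} owned by {owner or 'unknown'}"))
            else:
                findings.append((test, "investigate", result))
        elif line.startswith("Searching for suspicious files"):
            j = i + 1  # hits follow until the next Searching/Checking line
            while j < len(lines) and not lines[j].startswith(("Searching", "Checking")):
                for path in lines[j].split():
                    known = path.rsplit("/", 1)[-1] in PACKAGE_METADATA
                    findings.append(("hidden-file", "expected package metadata" if known else "investigate", path))
                j += 1
    return findings
```

Run `triage(SAMPLE_OUTPUT)` to get the list; on a real host feed it the saved chkrootkit log and a listener table built from `ss -lntp`, and treat anything marked "investigate" as the work list.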
lechoad
>>Determining OS... Warning: this operating system is not fully supported!
Ready
Warning: Cannot find md5_not_known
All MD5 checks will be skipped!


Anyone familiar with how to alleviate this?
TheUniverses
What OS are you running?
eddy2099
I wouldn't worry too much about the Rootkit Hunter warning; the whole purpose of it is to check for rootkits, malware, backdoors and all those nasty things. Those are pretty much OS distribution-independent.

If you check http://www.rootkit.nl/projects/rootkit_hunter.html, RHEL 3 and RHEL 4 are not within the tested-on OS list, but it should still work without incident since they are still pretty much based on the Linux kernel.
SuperBaby
Recently I saw many unusual scripts in my server including /tmp. I also located some malicious processes. The hacker contacted me and told me that he was only one step from getting root access.

Throughout this period, Chkrootkit and rkhunter told me.... "Don't worry, be happy. Your server is fine.".

Treat the scan result like your mother-in-law's advice. Don't trust them more than 95%.