Re: understanding chkrootkit and rkhunter logs
On Tuesday 08 May 2007 11:56, acattelan@xxxxxxxxx wrote:
Hi,
I'm sorry for asking a totally newbie question but I haven't found an
answer to this. I'm really curious and concerned about what is reported by
the chkrootkit and rkhunter on my Debian Etch home server.

Here's what I get when I run them:

CHKROOTKIT:

Searching for suspicious files and dirs, it may take a while...
/usr/lib/xulrunner/.autoreg
/lib/init/rw/.ramfs

Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/sbin/dhclient[2181])

In the system mail I also get this:

/etc/cron.daily/chkrootkit:
The following suspicious files and directories were found:
/usr/lib/xulrunner/.autoreg
/lib/init/rw/.ramfs

eth0: PACKET SNIFFER(/sbin/dhclient[2136])

RKHUNTER reports this:

* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ Warning! ]
---------------
/etc/.pwd.lock /dev/.static
/dev/.udev
/dev/.initramfs
/dev/.initramfs-tools
---------------
Please inspect: /dev/.static (directory) /dev/.udev (directory)
/dev/.initramfs (directory)

Is this something to be worried about? How can I investigate further into
these two issues?

/dev/.initramfs/ is, afaik, created by initramfs-tools during boot. If you
want to investigate more, search for your initramfs scripts and take a closer
look at them. The same goes for /dev/.udev.

Maybe you should take a closer look at the other files and see what's inside
them - but I guess they will be fine too:

/etc/.pwd.lock /dev/.static
/usr/lib/xulrunner/.autoreg
/lib/init/rw/.ramfs

Best regards,
Juergen


Thanks,
Ale.

--

Jürgen Repolusk
+43 650 5661250
http://jvr.at/serendipity/
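A small triage script for the kind of warnings quoted in this thread, added here as an example; it is not from the list, nor part of chkrootkit or rkhunter. The sample warning lines are constructed from the ones above, and the package-ownership step assumes a Debian-style host with dpkg (it is skipped elsewhere).

```shell
#!/bin/sh
# Triage chkrootkit / rkhunter warnings: which flagged paths exist, what they
# are, which package owns them, and whether a "PACKET SNIFFER" PID is still
# the program that was named. Added example; assumes dpkg for ownership.

# Constructed sample of the warning lines from the thread.
SAMPLE='/usr/lib/xulrunner/.autoreg
/lib/init/rw/.ramfs
eth0: PACKET SNIFFER(/sbin/dhclient[2181])
/etc/.pwd.lock /dev/.static
/dev/.udev'

# One flagged path per line (rkhunter prints several per line); sniffer
# lines are handled separately.
flagged_paths() {
    printf '%s\n' "$1" | grep -v 'PACKET SNIFFER' | tr ' ' '\n' | grep '^/'
}

# "iface program pid" for each chkrootkit PACKET SNIFFER line.
sniffer_procs() {
    printf '%s\n' "$1" |
      sed -n 's/^\([a-z0-9]*\): PACKET SNIFFER(\([^[]*\)\[\([0-9]*\)\])$/\1 \2 \3/p'
}

# Type, permissions and owning package of one flagged path.
inspect_path() {
    p=$1
    if [ ! -e "$p" ]; then echo "$p: missing now (transient file?)"; return; fi
    ls -ld "$p"
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$p" 2>/dev/null || echo "$p: not owned by any package"
    fi
}

# Does the PID chkrootkit reported still run the program it named?
# (dhclient legitimately opens packet sockets for DHCP.)
inspect_sniffer() {
    prog=$1; pid=$2
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || { echo "pid $pid is gone"; return; }
    [ "$exe" = "$prog" ] && echo "pid $pid is $prog, as reported" \
        || echo "pid $pid is $exe, not $prog: investigate"
}

flagged_paths "$SAMPLE" | while read -r p; do inspect_path "$p"; done
sniffer_procs "$SAMPLE" | while read -r iface prog pid; do inspect_sniffer "$prog" "$pid"; done
```

Replace SAMPLE with the body of the cron mail (or the output of `chkrootkit` / `rkhunter -c`) to run it against real warnings.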
