Re: ./chrootkit output
From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)Date: 03/27/02
- Next message: nickd@nospam.demon.co.uk: "Re: ./chrootkit output"
- Previous message: Marcus Lauer: "Re: linux box compromised: advice needed"
- In reply to: ck: "Re: ./chrootkit output"
- Next in thread: nickd@nospam.demon.co.uk: "Re: ./chrootkit output"
- Reply: nickd@nospam.demon.co.uk: "Re: ./chrootkit output"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid> Date: Wed, 27 Mar 2002 05:15:11 +0000 (UTC)
The most important thing is that you should _disconnect_ the network. Your
compromised box is attacking other sites.
< ck
>This time I installed chkrootkit-0.35-3.i686.rpm and ran chkrootkit and got
>the following 2 lines:
>
> Checking `wted'... unable to open wtmp-file wtmpx
> Checking `z2'... unable to open wtmp-file wtmpx
>
>What does this mean?
The chkrootkit shell script uses the chklastlog binary command inside.
chklastlog has 2 Linux versions. 1) the version using /var/adm/wtmp,
and this is the _default_. 2) the version using /var/log/wtmp, and _most_
current Linux distributions use this directory. The above message means
the /var/adm/wtmp or /var/log/wtmp file (depending on the version) was unable
to be opened (does not exist). I'm not sure which type the rpm version is, but
perhaps the rpm is not the newest Linux version (/var/log/wtmp). Try the
following;
ls -l /var/log/wtmp # I guess you are using this type
ls -l /var/adm/wtmp
which chklastlog
locate /chklastlog
cd /_installed_dir_ # your installed (found above) directory
strings chklastlog | grep /var
if ( results == '/var/adm/lastlog, /var/adm/wtmp' ) {
You should download the source code version (chkrootkit-0.35.tar.gz,
not *.rpm) at the official site, and look at my previous post (edit
(change) the Makefile). The method of compiling (make) is written in the
README file.
} else {
// results == '/var/log/lastlog, /var/log/wtmp'
// you don't understand the above, or other situations, for fail safe.
You have been really compromised. You should allow ERA's post.
}
[official site]
http://www.chkrootkit.org/
ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit-0.35.tar.gz
ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit-0.35.md5
I have not confirmed it, but perhaps there are trojaned versions of
chkrootkit at unofficial sites. As far as I know there is no rpm
version at the official site. I wonder where you downloaded it. You should
check the MD5 hash.
md5sum chkrootkit-0.35.tar.gz
edf50a9c8c6bf09b0a9147f2e6168826 chkrootkit-0.35.tar.gz
>I woke up this morning and found out that my box had rebooted itself - I'm
>not sure why - maybe it had something to do with my LAN... Anyway, would
>this have corrupted these files in some way perhaps and maybe explain my
>previous:
It sounds like you are compromised. Download the real source code version of
chkrootkit and this usenet thread. _Disconnect_ the network (go
off line), check the above and read ERA's post.
--
Best Regards, RainbowHat. I support FULL DISCLOSURE.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7
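As an added example that is not part of the original thread, the following POSIX shell functions script the checks RainbowHat describes: classify a chklastlog binary by the wtmp path visible in its `strings` output, apply the post's decision rule (a /var/adm build on a /var/log system means "rebuild from source", anything else means "treat as compromised and investigate"), and verify a downloaded tarball against a published MD5 line. The `md5sum` utility is assumed to be the GNU coreutils one; the strings output and tarball contents in the usage lines are constructed samples, not real chkrootkit data.

```sh
#!/bin/sh
# Added example (not from the original post or the chkrootkit project):
# diagnose the "unable to open wtmp-file" message and verify a download.

# Read strings(1) output of a chklastlog binary from stdin and report which
# wtmp path it was compiled for: "adm" (/var/adm, the old default),
# "log" (/var/log, most current distributions), or "unknown".
classify_chklastlog_strings() {
    s=$(cat)
    case "$s" in
        *"/var/adm/wtmp"*) echo adm ;;
        *"/var/log/wtmp"*) echo log ;;
        *)                 echo unknown ;;
    esac
}

# Usage: diagnose BUILD_TYPE ADM_WTMP_EXISTS LOG_WTMP_EXISTS
# BUILD_TYPE is the result of classify_chklastlog_strings; the other two
# arguments are "yes" or "no" (normally derived from test -f on the paths).
# Mirrors the post's rule: only a /var/adm build running on a system that
# keeps wtmp in /var/log is a harmless build mismatch ("rebuild"); a
# /var/log build that still cannot open its wtmp file, or any other
# situation, is treated as a compromise indicator ("investigate").
diagnose() {
    build=$1; adm=$2; log=$3
    if [ "$build" = adm ] && [ "$adm" = no ] && [ "$log" = yes ]; then
        echo rebuild
    else
        echo investigate
    fi
}

# Usage: wtmp_exists PATH -> prints yes/no for use with diagnose.
wtmp_exists() {
    if [ -f "$1" ]; then echo yes; else echo no; fi
}

# Usage: verify_md5 FILE EXPECTED_HEX
# Returns 0 when the computed MD5 of FILE matches EXPECTED_HEX (case-insensitive).
# Assumes GNU coreutils md5sum; the comparison is done on the hex digest only
# so the file can be verified under any local name.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(md5sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Stand-alone usage with constructed inputs (real run would be:
#   strings "$(command -v chklastlog)" | classify_chklastlog_strings ).
if [ "${CHKLASTLOG_DEMO:-}" = 1 ]; then
    build=$(printf '/var/adm/lastlog\n/var/adm/wtmp\n' | classify_chklastlog_strings)
    echo "binary build type: $build"
    echo "decision: $(diagnose "$build" no yes)"
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"          # constructed stand-in for a tarball
    if verify_md5 "$tmp" b1946ac92492d2347c6235b4d2611184; then
        echo "md5 ok"
    else
        echo "md5 MISMATCH, do not use this download"
    fi
    rm -f "$tmp"
fi
```

Run the file with `CHKLASTLOG_DEMO=1 sh script.sh` to see the constructed walk-through; for a real check, feed `strings` output of the installed chklastlog into `classify_chklastlog_strings`, pass `$(wtmp_exists /var/adm/wtmp)` and `$(wtmp_exists /var/log/wtmp)` to `diagnose`, and compare the downloaded tarball against the digest in the `.md5` file fetched from the official site, not from the same place as the rpm.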