Re: Seeking Info on ZK Rootkit...
From: James (turajbNOSPAM_at_hoflink.com)
Date: 11/13/03
- Previous message: Dale Pontius: "Re: gentoo you decide"
- In reply to: A.: "Re: Seeking Info on ZK Rootkit..."
- Next in thread: A.: "Re: Seeking Info on ZK Rootkit..."
- Reply: A.: "Re: Seeking Info on ZK Rootkit..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 13 Nov 2003 06:14:38 GMT
"A." <nospam@home.org> wrote in message
news:bou455$v9s$06$1@news.t-online.com...
> James wrote:
>
> > Searching for ZK rootkit default files and dirs... Possible ZK rootkit
> > installed
> >
> > -- The 2nd entry however makes me a bit more concerned. I'm unsure if
> > this is simply a false positive or a possible intrusion into my newly
> > setup system.
> >
>
> Hi, James ...
>
> I got the same prob after installing fedora core 1. my prob was the
> following. I installed a package called run.rpm, which installed the
> executable /usr/bin/run ...
>
> "The "run" utility enables you to start applications with various
> changes in context. It works in a similar way to the "nice" utility,
> but allows you to set not only priority, but also the set of CPUs
> that are allowed, and the type of scheduler to use, and it can do
> this by process id, process group id, username, and process name."
>
> Now the chkrootkit looks for this /usr/bin/run and interprets this as a
> possible ZK rootkit .. have a look at the script chkrootkit:
>
> ### ZK Rootkit
> if [ "${QUIET}" != "t" ]; then \
> printn "Searching for ZK rootkit default files and dirs... "; fi
> if [ -f ${ROOTDIR}usr/bin/run -o -f ${ROOTDIR}etc/sysconfig/console/load.zk ]; then
> echo "Possible ZK rootkit installed"
> fi
>
>
> So, it was just a mistake here ... please check your system now ...
> --
> A.
Thanks for your help thus far. Seems like you may be right. The run file
exists at '/usr/bin/run', but the other file noted
('/etc/sysconfig/console/load.zk') does not exist.
The only odd thing is, I don't remember installing 'run.rpm'; even during
the initial install of YDL 3.0. Also according to command "rpm -q -a | grep
run" (before & after running "rpm --rebuilddb"), it only shows
'autorun-3.3-3' being installed. Is this what you are referring to?
If 'autorun-3.3-3' is not the rpm that causes this problem & if 'run.rpm'
does not show as being installed, could I have the ZK Rootkit installed?
Would 'run.rpm' be automatically installed [not being listed as an installed
rpm] when I originally installed YDL 3.0 from the CDs or maybe when I used
Yum or Apt-Get to update my packages?
I'm being a little extra paranoid since this is the 1st Linux box I actually
opened up to the net [allowing apache & ssh connections via the iptables
firewall]. It's also not behind a network hardware firewall (at work) or my
cable modem router (at home). I really don't want any unwanted visitors
using this machine for unknown purposes.
Again, thanks...
-- James turajbNOSPAM@hoflink.com (Remove NOSPAM When Emailing)
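As an added example (not code from this thread or from chkrootkit itself), the following POSIX shell script reproduces the ZK test quoted above and then asks the RPM database who owns a flagged file, which is the check James is doing by hand with `rpm -q -a | grep run`. It assumes an RPM-based system such as YDL or Fedora; the function names `zk_files_present` and `explain_file` are chosen here.

```shell
#!/bin/sh
# Added example: mirror the chkrootkit ZK check, then explain any hit.

# Same logic as chkrootkit's ZK test: returns 0 (flagged) if either
# default ZK file exists under the given root, 1 otherwise.
zk_files_present() {
    rootdir="${1:-/}"
    case "$rootdir" in */) ;; *) rootdir="$rootdir/" ;; esac
    if [ -f "${rootdir}usr/bin/run" ] || \
       [ -f "${rootdir}etc/sysconfig/console/load.zk" ]; then
        return 0
    fi
    return 1
}

# Prints which installed package owns a file (rpm -qf) and whether that
# package still verifies against the RPM database (rpm -V is silent when
# nothing differs). "unowned" means no package claims the file, which is
# the case that deserves a closer look. Assumes an RPM-based system.
explain_file() {
    f="$1"
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm-not-available"
        return 2
    fi
    if owner=$(rpm -qf "$f" 2>/dev/null); then
        echo "owned-by:$owner"
        if rpm -V "$owner" >/dev/null 2>&1; then
            echo "verified"
        else
            echo "modified-or-unverified"
        fi
        return 0
    fi
    echo "unowned"
    return 1
}

# Inspect the live system the way chkrootkit would, then explain each hit.
if zk_files_present /; then
    echo "chkrootkit would report: Possible ZK rootkit installed"
    for f in /usr/bin/run /etc/sysconfig/console/load.zk; do
        if [ -f "$f" ]; then
            printf '%s: ' "$f"
            explain_file "$f"
        fi
    done
else
    echo "ZK default files not present"
fi
```

An "owned-by" result for `/usr/bin/run` names the package that installed it (on James's box the candidate is `autorun-3.3-3`), while "unowned" is the result that warrants treating the hit as more than a false positive.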