Re: Seeking Info on ZK Rootkit...

From: James (turajbNOSPAM_at_hoflink.com)
Date: 11/13/03

    Date: Thu, 13 Nov 2003 06:14:38 GMT

    "A." <nospam@home.org> wrote in message
    news:bou455$v9s$06$1@news.t-online.com...
    > James wrote:
    >
    > > Searching for ZK rootkit default files and dirs... Possible ZK rootkit
    > > installed
    > >
    > > -- The 2nd entry however makes me a bit more concerned. I'm unsure if
    > > this is simply a false positive or a possible intrusion into my newly
    > > setup system.
    > >
    >
    > Hi, James ...
    >
    > i got the same prob after installing fedora core 1. my prob was the
    > following. i installed a package called run.rpm, which installed the
    > executable /usr/bin/run ...
    >
    > "The "run" utility enables you to start applications with various
    > changes in context. It works in a similar way to the "nice" utility,
    > but allows you to set not only priority, but also the set of CPUs
    > that are allowed, and the type of scheduler to use, and it can do
    > this by process id, process group id, username, and process name."
    >
    > Now the chkrootkit looks for this /usr/bin/run and interprets this as a
    > possible ZK rootkit .. have a look at the script chkrootkit:
    >
    > ### ZK Rootkit
    > if [ "${QUIET}" != "t" ]; then \
    > printn "Searching for ZK rootkit default files and dirs... "; fi
    > if [ -f ${ROOTDIR}usr/bin/run -o -f
    > ${ROOTDIR}etc/sysconfig/console/load.zk ]; then
    > echo "Possible ZK rootkit installed"
    >
    >
    > So, it was just a mistake here ... please check your system now ...
    > --
    > A.

    Thanks for your help thus far. Seems like you may be right. The run file
    exists at '/usr/bin/run', but the other file noted
    ('/etc/sysconfig/console/load.zk') does not exist.

    The only odd thing is, I don't remember installing 'run.rpm'; even during
    the initial install of YDL 3.0. Also according to command "rpm -q -a | grep
    run" (before & after running "rpm --rebuilddb"), it only shows
    'autorun-3.3-3' being installed. Is this what you are referring to?

    If 'autorun-3.3-3' is not the rpm that causes this problem & if 'run.rpm'
    does not show as being installed, could I have the ZK Rootkit installed?
    Would 'run.rpm' be automatically installed [not being listed as an installed
    rpm] when I originally installed YDL 3.0 from the CDs or maybe when I used
    Yum or Apt-Get to update my packages?

    I'm being a little extra paranoid since this is the 1st Linux box I actually
    opened up to the net [allowing apache & ssh connections via the iptables
    firewall]. It's also not behind a network hardware firewall (at work) or my
    cable modem router (at home). I really don't want any unwanted visitors
    using this machine for unknown purposes.

    Again, thanks...

    -- 
    James
    turajbNOSPAM@hoflink.com
    (Remove NOSPAM When Emailing)
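A small POSIX shell script, added here as an illustration and not part of the original post or of chkrootkit itself, that reproduces the two-path existence test A. quoted from the chkrootkit script and then does the follow-up check James is reaching for with "rpm -q -a": ask the package database which installed package, if any, owns the flagged file. The function names (zk_check, zk_explain, demo) are my own; the rpm query assumes an RPM-based system such as YDL or Fedora, and the fake root directory built in demo() is constructed purely for demonstration, so the ownership lookup there will report "not owned".

```shell
#!/bin/sh
# Added example; not code from the original thread or from chkrootkit.

# zk_check ROOTDIR
# Mirrors the chkrootkit "ZK Rootkit" test quoted in the thread: flag the
# system if either of the two ZK default paths exists under ROOTDIR.
# ROOTDIR must end in "/" (chkrootkit's ${ROOTDIR} is used the same way).
# Prints one line and returns 1 when flagged, 0 when clean.
zk_check() {
    rootdir=$1
    if [ -f "${rootdir}usr/bin/run" ] || \
       [ -f "${rootdir}etc/sysconfig/console/load.zk" ]; then
        echo "Possible ZK rootkit installed"
        return 1
    fi
    echo "not found"
    return 0
}

# zk_explain ROOTDIR
# For each ZK path that does exist, ask rpm which installed package owns it.
# A file that rpm attributes to a package (the "run" package A. describes)
# is the false-positive case; a file owned by no package deserves a closer
# look, e.g. with "rpm -Va" and a comparison against the install media.
zk_explain() {
    rootdir=$1
    for f in usr/bin/run etc/sysconfig/console/load.zk; do
        p="${rootdir}$f"
        [ -f "$p" ] || continue
        if command -v rpm >/dev/null 2>&1; then
            if owner=$(rpm -qf "$p" 2>/dev/null); then
                echo "$p: owned by $owner"
            else
                echo "$p: not owned by any installed package"
            fi
        else
            echo "$p: present (rpm not available to check ownership)"
        fi
    done
}

# demo: build a constructed fake root that matches James's situation
# (/usr/bin/run present, load.zk absent) and run both checks against it.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin"
    : > "$root/usr/bin/run"
    zk_check "$root/" || echo "(flagged; checking package ownership)"
    zk_explain "$root/"
    rm -rf "$root"
}

demo
```

On a real system the calls would be zk_check "/" and zk_explain "/"; the point of zk_explain is that chkrootkit only knows the file name, while "rpm -qf /usr/bin/run" tells you whether the package manager put it there.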
    
