chkrootkit [Help]
Checking `lkm'... You have 1 process hidden
Warning: Possible LKM Trojan installed
And some php and autoreg I've seen on my system; I forgot the other ones..
It changed the files to read-only and I can't even get in. It says error or something during boot-up, and I even tried to save the chkrootkit log so I can post it here, but can't. Some "protocol died" message popped up. Anyway, I need some help: how do I remove it? Or how do I trace where it came from? Could I fix this using a live CD?
I'm using Kubuntu, btw.
Something like:
Found some on sniffer, ssh scanners, and something else
wted 10 deletions between Sun Dec 14 15:35:42 .......
----
After I ran fsck it kinda fixed some of it, I think. And the error I got from startx:
On chkrootkit
/dev/sda1: inodes that were part of a corrupted orphan link list found
unexpected inconsistency; run fsck manually
* An automatic file system check of the root filesystem
* The root file system is currently being mounted in read-only mode.
bash: no job control in this shell
I tried opening the .Xauthority but it's just a bunch of characters that doesn't even make sense to me. I think the rootkit changed it to a read-only file system. How do I change permission and get rid of those rootkits and errors?
mktemp: cannot create temp file /temp/saveauth.FcbHB14485: Read-only file system
/usr/bin/startx: line 158: cannot create temp file for here document: Read-only file system
Xauth: error in locking authority file /home/skip/.Xauthority
/usr/bin/startx: line 170: cannot create temp file for here document: Read-only file system
fatal server error.
Could not create lock file in /tmp/.tX0-lock
giving up.
xinit: connection refused (errno 111) unable to connect to xserver
xinit: no such process (errno 3) Server
Xauth: error in locking authority file /home/skip/.Xauthority
bad_brain (Site Owner):
well, the problem is most likely caused by earlier errors during the boot process, therefore the file system is mounted read-only....and so temporary files can't be written.
to be able to start normally, check the fstab entries; the file is /etc/fstab
look for:
errors=remount-ro
and change it to:
errors=continue
this should make a normal boot possible, but then you will have to search for the errors that caused this problem, best have a look at syslog...
ahh.. thanks, all fixed. And this is what I got from rkhunter:
---
I updated and upgraded it and then ran rkhunter again.
Am I safe? Not really?
/usr/sbin/unhide [ Warning ]
/usr/sbin/unhide-linux26 [ Warning ]
Suckit Rookit additional checks [ OK ]
Performing trojan specific checks
Checking for enabled inetd services [ OK ]
Performing Linux specific checks
Checking kernel module commands [ OK ]
Checking kernel module names [ OK ]
Performing system configuration file checks
Checking for SSH configuration file [ Found ]
Checking if SSH root access is allowed [ Warning ]
Checking if SSH protocol v1 is allowed [ Not allowed ]
Checking for running syslog daemon [ Found ]
Checking for syslog configuration file [ Found ]
Checking if syslog remote logging is allowed [ Not allowed ]
File properties checks...
Files checked: 127
Suspect files: 2
Rootkit checks...
Rootkits checked : 110
Possible rootkits: 0
Applications checks...
Applications checked: 4
Suspect applications: 0
What's the warning all about?
Checking system commands...
Performing 'strings' command checks
Checking 'strings' command [ OK ]
Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preload file [ Not found ]
Checking LD_LIBRARY_PATH variable [ Not found ]
Performing file properties checks
Checking for prerequisites [ OK ]
/bin/bash [ OK ]
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/cp [ OK ]
/bin/date [ OK ]
/bin/df [ OK ]
/bin/dmesg [ OK ]
/bin/echo [ OK ]
/bin/ed [ OK ]
/bin/egrep [ OK ]
/bin/fgrep [ OK ]
/bin/fuser [ OK ]
/bin/grep [ OK ]
/bin/ip [ OK ]
/bin/kill [ OK ]
/bin/login [ Warning ]
/bin/ls [ OK ]
/bin/lsmod [ OK ]
/bin/mktemp [ OK ]
/bin/more [ OK ]
/bin/mount [ OK ]
/bin/mv [ OK ]
/bin/netstat [ OK ]
/bin/ps [ OK ]
/bin/pwd [ OK ]
/bin/readlink [ OK ]
/bin/sed [ OK ]
/bin/sh [ OK ]
/bin/su [ Warning ]
/bin/touch [ OK ]
/bin/uname [ OK ]
/bin/which [ OK ]
/bin/dash [ OK ]
/usr/bin/awk [ OK ]
/usr/bin/basename [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/cut [ OK ]
/usr/bin/diff [ OK ]
/usr/bin/dirname [ OK ]
/usr/bin/dpkg [ OK ]
/usr/bin/dpkg-query [ OK ]
/usr/bin/du [ OK ]
/usr/bin/env [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/GET [ OK ]
/usr/bin/groups [ OK ]
/usr/bin/head [ OK ]
/usr/bin/id [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/last [ OK ]
/usr/bin/lastlog [ Warning ]
/usr/bin/ldd [ OK ]
/usr/bin/less [ OK ]
/usr/bin/locate [ OK ]
/usr/bin/logger [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/lsof [ OK ]
/usr/bin/mail [ OK ]
/usr/bin/md5sum [ OK ]
/usr/bin/mlocate [ OK ]
/usr/bin/newgrp [ Warning ]
/usr/bin/passwd [ Warning ]
/usr/bin/perl [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/rkhunter [ OK ]
/usr/bin/runcon [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/size [ OK ]
/usr/bin/sort [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/strace [ OK ]
/usr/bin/strings [ OK ]
/usr/bin/sudo [ OK ]
/usr/bin/tail [ OK ]
/usr/bin/test [ OK ]
/usr/bin/top [ OK ]
/usr/bin/touch [ OK ]
/usr/bin/tr [ OK ]
/usr/bin/uniq [ OK ]
/usr/bin/users [ OK ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/wc [ OK ]
/usr/bin/wget [ OK ]
/usr/bin/whatis [ OK ]
/usr/bin/whereis [ OK ]
/usr/bin/which [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
/usr/bin/gawk [ OK ]
/usr/bin/lwp-request [ OK ]
/usr/bin/bsd-mailx [ OK ]
/usr/bin/w.procps [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/ifdown [ OK ]
/sbin/ifup [ OK ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/lsmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/modprobe [ OK ]
/sbin/rmmod [ OK ]
/sbin/runlevel [ OK ]
/sbin/sulogin [ OK ]
/sbin/sysctl [ OK ]
/sbin/syslogd [ OK ]
/usr/sbin/adduser [ OK ]
/usr/sbin/chroot [ OK ]
/usr/sbin/cron [ OK ]
/usr/sbin/groupadd [ Warning ]
/usr/sbin/groupdel [ Warning ]
/usr/sbin/groupmod [ Warning ]
/usr/sbin/grpck [ Warning ]
/usr/sbin/nologin [ Warning ]
/usr/sbin/pwck [ Warning ]
/usr/sbin/tcpd [ OK ]
/usr/sbin/unhide [ Warning ]
/usr/sbin/useradd [ Warning ]
/usr/sbin/userdel [ Warning ]
/usr/sbin/usermod [ Warning ]
/usr/sbin/vipw [ Warning ]
/usr/sbin/unhide-linux26 [ Warning ]
[Press <ENTER> to continue]
Checking for rootkits...
Performing additional rootkit checks
Suckit Rookit additional checks [ OK ]
Performing trojan specific checks
Checking for enabled inetd services [ OK ]
Performing Linux specific checks
Checking kernel module commands [ OK ]
Checking kernel module names [ OK ]
Checking the local host...
Performing system boot checks
Checking for local host name [ Found ]
Checking for local startup files [ Found ]
Performing group and account checks
Checking for passwd file [ Found ]
Performing system configuration file checks
Checking for SSH configuration file [ Found ]
Checking if SSH root access is allowed [ Warning ]
Checking if SSH protocol v1 is allowed [ Not allowed ]
Checking for running syslog daemon [ Found ]
Checking for syslog configuration file [ Found ]
Checking if syslog remote logging is allowed [ Not allowed ]
Checking application versions...
Checking version of Exim MTA [ OK ]
Checking version of GnuPG [ OK ]
Checking version of OpenSSL [ OK ]
Checking version of OpenSSH [ OK ]
System checks summary
=====================
File properties checks...
Files checked: 127
Suspect files: 17
Rootkit checks...
Rootkits checked : 110
Possible rootkits: 0
Applications checks...
Applications checked: 4
Suspect applications: 0
bad_brain (Site Owner):
hm, have you updated the file hashes from rkhunter already? maybe the hashes are too old and this produces the warnings:
rkhunter --update
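As an added example (not from the thread), one way to settle whether a file rkhunter flags in its "file properties" check is the distribution's own customized build or has been changed since install, which is the question behind both the stale-hash suggestion here and the later remark that distro-patched programs no longer match the official hashes: compare the file with the md5sums record dpkg keeps for the owning package. The record and the fake root below are constructed inline so the code runs offline; on a real Debian/Ubuntu host the record lives at /var/lib/dpkg/info/<package>.md5sums.

```python
"""Added example: cross-check an rkhunter 'file properties' warning against the
hashes dpkg itself recorded for the owning package (constructed data below)."""
import hashlib
import os
import tempfile
from typing import Dict

def parse_md5sums(text: str) -> Dict[str, str]:
    """dpkg .md5sums format: '<32 hex md5>  <path without leading slash>'."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, _, rel = line.strip().partition("  ")
            entries["/" + rel] = digest.lower()
    return entries

def md5_of_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_flagged(flagged: str, md5sums: Dict[str, str], root: str = "/") -> str:
    """'matches-package': the binary is what the distro shipped, so rkhunter's own
    database was merely stale; 'MODIFIED': changed since install, investigate."""
    if flagged not in md5sums:
        return "not-in-package"
    actual = md5_of_file(os.path.join(root, flagged.lstrip("/")))
    return "matches-package" if actual == md5sums[flagged] else "MODIFIED"

def demo() -> Dict[str, str]:
    """Constructed fake root: su untouched, useradd altered after the record, unhide unrecorded."""
    shipped = {"bin/su": b"#!/bin/sh\necho shipped su\n",
               "usr/sbin/useradd": b"#!/bin/sh\necho shipped useradd\n"}
    root = tempfile.mkdtemp()
    record = []
    for rel, data in shipped.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        record.append(f"{hashlib.md5(data).hexdigest()}  {rel}")
    # Simulate a later change to one binary (a package upgrade or tampering).
    with open(os.path.join(root, "usr/sbin/useradd"), "ab") as f:
        f.write(b"echo extra\n")
    md5sums = parse_md5sums("\n".join(record))
    return {p: check_flagged(p, md5sums, root)
            for p in ("/bin/su", "/usr/sbin/useradd", "/usr/sbin/unhide")}
```

On a real Debian/Ubuntu host, dpkg -S names the package that owns a flagged path and dpkg --verify performs this same comparison for every installed file. An intruder with root can rewrite the md5sums record as well, so a match is only as reassuring as the package database itself, and an unexpected mismatch calls for comparison against a clean copy of the package rather than a guess.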
I got the same warnings and the only update on rkhunter was i18n/cn.
This is what I found in the rkhunter log:
[15:18:59] Checking for SSH configuration file [ Found ]
[15:18:59] Info: Found SSH configuration file: /etc/ssh/sshd_config
[15:18:59] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[15:18:59] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[15:18:59] Checking if SSH root access is allowed [ Warning ]
[15:18:59] Warning: The SSH and rkhunter configuration options should be the same:
[15:18:59] SSH configuration option 'PermitRootLogin': yes
[15:18:59] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
What's next? Am I safe or not?
bad_brain (Site Owner):
well, as it says in the message:
Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
change it to "yes" and the warning should not appear again.
about the other warnings: don't take them too seriously, on Debian I get loads of them, simply because the programs are customized for the distribution, and so the hashes don't match the official ones anymore.
better analyze your system by the logs (syslog, kernel.log, daemon.log, auth.log for example), it's way more reliable.....
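As an added example (not part of the thread), the consistency check behind the rkhunter warning quoted above, written in Python: it reads the effective PermitRootLogin from sshd_config and ALLOW_SSH_ROOT_USER from rkhunter.conf and reports a warning when the two disagree. The two configurations are constructed from the values in the log; both the fix given in the reply (tell rkhunter to expect "yes") and the hardening alternative (set PermitRootLogin to no) make them agree.

```python
"""Added example: reproduce rkhunter's 'SSH root access' consistency check, i.e.
the warning in the log above. It compares the effective PermitRootLogin from
sshd_config with ALLOW_SSH_ROOT_USER from rkhunter.conf; the sample
configurations are constructed from the values quoted in the thread."""
from typing import Tuple

def effective_sshd_option(config: str, keyword: str, default: str) -> str:
    """sshd_config rules: keywords are case-insensitive, the FIRST occurrence wins,
    and everything after a 'Match' line is conditional, so parsing stops there."""
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == keyword.lower() and len(parts) == 2:
            return parts[1].strip().strip('"').lower()
    return default

def rkhunter_option(config: str, name: str, default: str) -> str:
    """rkhunter.conf is NAME=value; the last assignment wins."""
    value = default
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key == name:
                value = val.strip('"\'').lower()
    return value

def check_ssh_root_access(sshd_config: str, rkhunter_conf: str,
                          sshd_default: str = "yes") -> Tuple[str, str, str]:
    """Return (sshd value, rkhunter value, verdict). rkhunter warns when the two
    disagree, as in the log. OpenSSH before 7.0 defaulted PermitRootLogin to
    'yes'; 7.0 and later default to 'prohibit-password'."""
    ssh = effective_sshd_option(sshd_config, "PermitRootLogin", sshd_default)
    rk = rkhunter_option(rkhunter_conf, "ALLOW_SSH_ROOT_USER", "no")
    return ssh, rk, "OK" if ssh == rk else "Warning"

# Constructed from the thread: sshd allows root, rkhunter expects it not to.
THREAD_SSHD = "Port 22\nPermitRootLogin yes\nProtocol 2\n"
THREAD_RKHUNTER = "# rkhunter.conf excerpt\nALLOW_SSH_ROOT_USER=no\n"
# Two ways to clear the warning: the reply's (make rkhunter expect 'yes') or
# the hardening one (stop sshd from accepting root logins at all).
REPLY_FIX_RKHUNTER = "ALLOW_SSH_ROOT_USER=yes\n"
HARDENED_SSHD = "Port 22\nPermitRootLogin no\nProtocol 2\n"
```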