LinuxQuestions.org
Old 09-24-2011, 05:50 PM   #1
Mollusc
LQ Newbie
 
Registered: Sep 2011
Posts: 5

Rep: Reputation: Disabled
rkhunter scan: 1 Rootkit & 6 Possible Suspect Files /var/log/rkhunter.log included


Hi, I'm new to using Linux and have been lurking these forums for quite some time without posting. First off, my name is Jake (and that's all I'm giving), so I guess it'll be nice to meet some of you guys later on. As a new user, I decided to try out Knoppix and successfully got it to be persistent and am currently reading books (and websites) on Linux and its commands.

However, recently after installing chkrootkit, rkhunter and clamav, I did a check with rkhunter and found potential problems.

I come here looking for help with this situation. This is a separate external USB HDD with knoppix's .img file on it. However, it is linked to my main computer which has Windows 7 on it.

Here is my /var/log/rkhunter.log file:

http://pastebin.com/KLKkTk62
 
Old 09-25-2011, 02:49 PM   #2
{BBI}Nexus{BBI}
Senior Member
 
Registered: Jan 2005
Location: Nottingham, UK
Distribution: Mageia 6, KDE Neon
Posts: 4,313

Rep: Reputation: 212
What is it that you require help with concerning the logfile and its contents?
 
Old 09-25-2011, 07:33 PM   #3
0men
Member
 
Registered: Mar 2011
Location: Brisbane
Distribution: Windows 10, Red Hat, Debian
Posts: 183

Rep: Reputation: 22
Welcome to the forums,

That xzibit rootkit is just a false-positive. It shows even on default Debian installations. If you GOOGLE, you can find this problem everywhere. Even your 'suspect' files have meaning. Don't lose too much sleep over it.

Just found this a few posts down!
http://www.linuxquestions.org/questi...w-what-904413/

Last edited by 0men; 09-25-2011 at 07:55 PM.
 
Old 09-26-2011, 05:40 PM   #4
Mollusc
LQ Newbie
 
Registered: Sep 2011
Posts: 5

Original Poster
Rep: Reputation: Disabled
Sorry for not being clear, and for responding late. I'm very busy. Anyways, thank you for the link, and I have downloaded the patch, but on Knoppix I'm unable to find the file location it asks me to put it in. Where can I find the equivalent on Knoppix, or apply it in a different way?
 
Old 09-27-2011, 08:37 AM   #5
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Let me also add a Welcome to the forums. To re-iterate Nexus' question, what exactly is it that you are trying to achieve and what is your concern? Are you trying to test and disinfect a Windows system or are you concerned about the security of your Linux system?

As you mention being new to Linux, oftentimes when approaching Linux from a Windows background, there is a lot of fear and uncertainty regarding security. Linux takes a very different approach and generally speaking does not have the same vulnerabilities as Windows. This isn't to say that you can't get into trouble, but as long as you don't go looking for it, your risks are quite small. From this perspective, your focus on chkrootkit, rkhunter and clamav suggests a certain degree of uncertainty that is probably not warranted. In order to properly use these tools, you really need to have a decent amount of experience to understand what they do, how they do it, how best to apply them, and how to interpret their output. This is something that will come with time and experience, but can be extremely confusing for the new Linux user.
 
Old 09-28-2011, 09:22 PM   #6
Mollusc
LQ Newbie
 
Registered: Sep 2011
Posts: 5

Original Poster
Rep: Reputation: Disabled
Hello.

What I'm trying to do is make sure Knoppix is clean and set. I've downloaded the patch that was linked, but I have absolutely no idea where to, or how to apply it so that rkhunter or chkrootkit will find those problems.

I also apologize, but on Windows I've always had this fear of viruses, but now that I plan on buying a new computer soon, one hard disk with Windows (maybe 8, but 7 for now) on it, I want to make sure it's safe.

I also would like to make sure my Linux distro (of which I plan on using Fedora 15, 16 if it comes out by then) isn't infected and that I can check it from Knoppix which I will know for a fact is clean. However, this rootkit thing that I found has scared me, but knowing that it's probably a false-positive has calmed my nerves a bit, but I would still like to try and apply the patch.
 
Old 09-28-2011, 10:19 PM   #7
snooly
Member
 
Registered: Sep 2011
Posts: 124

Rep: Reputation: Disabled
Most Linux installs don't have rootkits or viruses. In MS-Windows, viruses work well because it's very easy for a program to gain full access to the system and make whatever changes it wants. Part of this problem is that most people run MS-Windows as an "Administrator" user. Another part of the problem is how some programs on MS-Windows are given secret backdoor access to things, so that they run faster. Unfortunately that opens up security holes. Also you probably noticed that in MS-Windows, they have modified their web browser to be a file browser, so it's pretty much the same program you use to look at things on the web, or look at files on your local machine. That may mean that the web browser has too much power, so if some malicious code takes over your web browser, it can take over other parts of your machine too.

In Linux, it's much harder for a virus to damage the system. If you follow the standard procedures, you won't normally operate as the root user. You only become root if you need to do some administrative tasks. For example, you would almost never run a web browser as root in normal circumstances. That means that if something bad happens, you won't damage your whole system, just the files that you have control over as the user you are logged in as. That would still be bad, but it is much more rare for this to happen in Linux than MS-Windows.

In general, to take over a Linux machine you most often need physical access to the box. The problem with MS-Windows is that it is too easy to take over a machine even without physical access to it.

If you run Linux, and minimise the amount of software running to the software that you actually want to use, and don't run programs from untrusted sources, you are unlikely to have problems.

You should bear in mind that it is easy to write malicious programs that can damage your machine or steal your data, on any type of machine. So if you run untrusted programs supplied by malicious people, you can get in trouble. But at least on Linux, if you avoid doing that, you probably won't have very many security problems.
 
Old 09-28-2011, 10:43 PM   #8
Mollusc
LQ Newbie
 
Registered: Sep 2011
Posts: 5

Original Poster
Rep: Reputation: Disabled
Thank you for trying to calm my fears and it certainly has helped, but on top of the fact that the word "rootkit" is just as bad as "virus" to me, I would still like to apply the patch so I don't have to see this problem.
 
Old 09-29-2011, 01:28 AM   #9
snooly
Member
 
Registered: Sep 2011
Posts: 124

Rep: Reputation: Disabled
Which patch do you want to apply?
 
Old 09-29-2011, 04:49 AM   #10
Mollusc
LQ Newbie
 
Registered: Sep 2011
Posts: 5

Original Poster
Rep: Reputation: Disabled
The one found here:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=576680

I've downloaded the text file, but I'm unsure of where to go.
 
Old 09-29-2011, 08:43 AM   #11
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Quote (originally posted by Mollusc):
Thank you for trying to calm my fears and it certainly has helped, but on top of the fact that the word "rootkit" is just as bad as "virus" to me, I would still like to apply the patch so I don't have to see this problem.
I understand what you are saying about wanting to make sure that you start with a clean install. Fortunately, there are ways to do this, but in my experience and opinion, tools like root kit detectors are not the best way to go.

As you become more aware of the Linux culture, you will find that almost all software, especially that from known legitimate sources, is cryptographically signed. For some reason, whenever I bring up the concept of code signing in a Windows environment, I get treated like I have two heads or something, so if you are new to Linux, this may be a surprise. Note, I apologize if this is all known to you, but I would rather err by giving you too much information than too little. In essence, the developer or a responsible party has created what is called a key pair that consists of a public and private key. The private key is used to "sign" the software by creating a hash value or code that represents this software. The hash is such that statistically the chance of altering the code without affecting the hash is infinitesimal. Once you download the software, you can also download this digital signature. Using the public key, which is mathematically related to the private key, you can verify the integrity of the downloaded application with near absolute certainty. By absolute certainty, I mean at a level that would be greater than if you were to buy a CD in a store in the manufacturer's box. The developer's keys oftentimes have also been "signed" by several other people who are asserting that this individual is legitimate. Combined, this gives you an extremely high degree of assurance of the software integrity and authenticity. Most modern package managers, such as the RPM and DEB based ones, have mechanisms built into them to verify the software via the cryptographic keys.

Couple the above concept with the benefits of open source. The Linux kernel itself, and popular software such as the GNU tools on which Linux is built, are constantly being evaluated by many sets of eyes. This makes it very difficult to put a rootkit, a back door, or other forms of malware in the software, as it would be detected very quickly. Compare that to a private, binary, closed source model, where you have nothing but someone's say so that it is clean.

In general, a reasonable amount of caution and prudence is warranted when obtaining software. If you stick with known reputable sources, such as the Knoppix mirrors, and use signed software, your chances of getting a 'virus' or root kit from it are minuscule. In fact, the chances of root kit detection software, which is somewhat reactionary by design, being able to identify an infection under these conditions is limited and most likely would give you false positives instead.
 