LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-24-2012, 09:24 AM   #1
cincin
LQ Newbie
 
Registered: Jul 2012
Distribution: Debian - Slackware - DSL
Posts: 3

Strange rkhunter reports -- Yet another "has my machine been compromised" question...


Hi, I'm new here, how's everyone?

I installed rkhunter a few months ago; since then (well, since way back before then...) I had not done any major upgrades until about a week ago. Today, I found this in my mail:

Code:
Warning: The file properties have changed:
         File: /bin/kill
         Current hash: 49bd8ae2c548b457144a13ad30928ef144b26c88
         Stored hash : 3d23afa3382f0bd156ca5496e261ba7a960d11e7
         Current inode: 3769454    Stored inode: 3768369
         Current file modification time: 1329449388 (17-Feb-2012 06:29:48)
         Stored file modification time : 1272973472 (04-May-2010 14:44:32)
Warning: The file properties have changed:
         File: /bin/ps
         Current hash: d6a70663771e4693c5c3c4a7ff8ed66c91d75a9b
         Stored hash : fb3a865fbd8e0a9028a3a519a4c9a527893ccb38
         Current inode: 3769455    Stored inode: 3768370
         Current size: 75800    Stored size: 75864
         Current file modification time: 1329449388 (17-Feb-2012 06:29:48)
         Stored file modification time : 1272973472 (04-May-2010 14:44:32)
Warning: The file properties have changed:
         File: /usr/bin/last
         Current hash: c2abfa9b4fb5d8c4e42d5932df154cdbceab554d
         Stored hash : a18bfd4218dcdf59b81663fb935a2219df7fb8ba
         Current inode: 3319110    Stored inode: 3319914
         Current file modification time: 1332884304 (28-Mar-2012 00:38:24)
         Stored file modification time : 1293860108 (01-Jan-2011 08:35:08)
Warning: The file properties have changed:
         File: /usr/bin/ldd
         Current hash: a7d3e2707ab33d6d6d6259bcb1c3c36ca3161f1f
         Stored hash : cd1fad8395710b1233aba71f82bc4da326b94d8e
         Current inode: 3321466    Stored inode: 3318915
         Current size: 5270    Stored size: 5271
         Current file modification time: 1329111822 (13-Feb-2012 08:43:42)
         Stored file modification time : 1295827788 (24-Jan-2011 03:09:48)
Warning: The file properties have changed:
         File: /usr/bin/perl
         Current hash: 947eec1e9a740a460b8b369b1e321138a38a8cc1
         Stored hash : decfd267c210f88bd950f7feec37bba0a7e60930
         Current inode: 558131    Stored inode: 3322245
         Current size: 1245180    Stored size: 1241916
         Current file modification time: 1324413624 (20-Dec-2011 23:40:24)
         Stored file modification time : 1309462889 (30-Jun-2011 22:41:29)
Warning: The file properties have changed:
         File: /usr/bin/pgrep
         Current hash: f57016795ea8e9df1d7dde2e09158254b99f1155
         Stored hash : 49f31fefb6daf2e3c4869fc62d4801fc50f362f7
         Current inode: 557128    Stored inode: 3321211
         Current file modification time: 1329449388 (17-Feb-2012 06:29:48)
         Stored file modification time : 1272973472 (04-May-2010 14:44:32)
Warning: The file properties have changed:
         File: /usr/bin/sudo
         Current hash: 014084e376619d291814cc638891b5d39e559e54
         Stored hash : 3f5b91d1bb172d009d94ccaec7241751c22a2bf7
         Current inode: 557710    Stored inode: 557128
         Current file modification time: 1337794468 (23-May-2012 20:34:28)
         Stored file modification time : 1300049696 (13-Mar-2011 23:54:56)
Warning: The file properties have changed:
         File: /usr/bin/top
         Current hash: 961ec1101cacc7dc48047d0d5886037d8c0f32bb
         Stored hash : 2975d6cce4db5f66c202c426707cbac3b72f4cd4
         Current inode: 557725    Stored inode: 3321217
         Current file modification time: 1329449388 (17-Feb-2012 06:29:48)
         Stored file modification time : 1272973472 (04-May-2010 14:44:32)
Warning: The file properties have changed:
         File: /usr/bin/vmstat
         Current hash: c7aef1d156cb229a86e08aa89a23f4cc957e8073
         Stored hash : 546186102bbfb4ce605af84d40252bbc64acfe8a
         Current inode: 557726    Stored inode: 3321218
         Current size: 18352    Stored size: 18336
         Current file modification time: 1329449388 (17-Feb-2012 06:29:48)
         Stored file modification time : 1272973472 (04-May-2010 14:44:32)
Warning: The file properties have changed:
         File: /usr/bin/w
         Current hash: be8b4563c6050c71e5315c2e47be15e80874b6b9
         Stored hash : 7078055f6127f322cab8e7d51848b03806bf5bee
Warning: The file properties have changed:
         File: /usr/bin/watch
         Current hash: b56e450c23b6958f396bb770ffc3ecc97285d68b
         Stored hash : f284b2f672391e7befb5b82c563c1b9d26ff8674
         Current inode: 557713    Stored inode: 3321214
         Current file modification time: 1329449388 (17-Feb-2012 06:29:48)
         Stored file modification time : 1272973472 (04-May-2010 14:44:32)
Warning: The file properties have changed:
         File: /usr/bin/w.procps
         Current hash: be8b4563c6050c71e5315c2e47be15e80874b6b9
         Stored hash : 7078055f6127f322cab8e7d51848b03806bf5bee
         Current inode: 557715    Stored inode: 3321216
         Current size: 11336    Stored size: 11352
         Current file modification time: 1329449388 (17-Feb-2012 06:29:48)
         Stored file modification time : 1272973472 (04-May-2010 14:44:32)
Warning: The command '/sbin/chkconfig' has been replaced by a script: /sbin/chkconfig: a /usr/bin/perl script text executable
Warning: The file properties have changed:
         File: /sbin/init
         Current hash: 5c1f48d93b951f2d0e69068a1a72edb543c1a5d4
         Stored hash : 411b39939fcf4e6ed502e649aaa5d3941fb614de
         Current inode: 409748    Stored inode: 409631
         Current file modification time: 1332884304 (28-Mar-2012 00:38:24)
         Stored file modification time : 1293860108 (01-Jan-2011 08:35:08)
Warning: The file properties have changed:
         File: /sbin/runlevel
         Current hash: c99a6ef8e67a8d74a06f5d3ef25ed1147ad7875f
         Stored hash : e42bb3473aa5dc2a87c0c29245b75f5fdac6aff2
         Current inode: 409604    Stored inode: 409632
         Current file modification time: 1332884304 (28-Mar-2012 00:38:24)
         Stored file modification time : 1293860108 (01-Jan-2011 08:35:08)
Warning: The file properties have changed:
         File: /sbin/sulogin
         Current hash: b953d2a88b529326bb328063d1f2b14641126b76
         Stored hash : bd2d54a9fc4a36c0da2d0d7e4dffb44b5c4954ff
         Current inode: 409632    Stored inode: 409616
         Current file modification time: 1332884304 (28-Mar-2012 00:38:24)
         Stored file modification time : 1293860108 (01-Jan-2011 08:35:08)
Warning: The file properties have changed:
         File: /sbin/sysctl
         Current hash: 7e894a11a9689f16c2b105c4560e91304714f6ff
         Stored hash : fe8087a027af5f591d4cd3c9d132506003c2593f
         Current inode: 409763    Stored inode: 409693
         Current file modification time: 1329449388 (17-Feb-2012 06:29:48)
         Stored file modification time : 1272973472 (04-May-2010 14:44:32)
Warning: The file properties have changed:
         File: /etc/init.d/.depend.boot
         Current hash: e49ef672f3165cc5d7d224b19b96cb7b5b18e0c3
         Stored hash : 11514b1427e081f8d5ae65ecfcbcfa019838853e
         Current size: 2641    Stored size: 2829
         Current file modification time: 1343052605 (23-Jul-2012 17:10:05)
         Stored file modification time : 1342675695 (19-Jul-2012 08:28:15)
Warning: Checking for possible rootkit strings    [ Warning ]
         Found string 'hdparm' in file '/etc/init.d/.depend.start'. Possible rootkit: Xzibit Rootkit
         Found string 'hdparm' in file '/etc/init.d/.depend.stop'. Possible rootkit: Xzibit Rootkit
Warning: Found enabled inetd service: swat
Warning: User 'privoxy' has been added to the passwd file.
Warning: Changes found in the group file for group 'winbindd_priv':
         User 'proxy' has been added to the group
Warning: Hidden directory found: /dev/.udev
Warning: Hidden directory found: /dev/.initramfs

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
And:

Code:
[ Rootkit Hunter version 1.3.6 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks
    Checking for prerequisites                               [ OK ]
    /bin/bash                                                [ OK ]
    /bin/cat                                                 [ OK ]
    /bin/chmod                                               [ OK ]
    /bin/chown                                               [ OK ]
    /bin/cp                                                  [ OK ]
    /bin/csh                                                 [ OK ]
    /bin/date                                                [ OK ]
    /bin/df                                                  [ OK ]
    /bin/dmesg                                               [ OK ]
    /bin/echo                                                [ OK ]
    /bin/ed                                                  [ OK ]
    /bin/egrep                                               [ OK ]
    /bin/fgrep                                               [ OK ]
    /bin/fuser                                               [ OK ]
    /bin/grep                                                [ OK ]
    /bin/ip                                                  [ OK ]
    /bin/kill                                                [ Warning ]
    /bin/less                                                [ OK ]
    /bin/login                                               [ OK ]
    /bin/ls                                                  [ OK ]
    /bin/lsmod                                               [ OK ]
    /bin/mktemp                                              [ OK ]
    /bin/more                                                [ OK ]
    /bin/mount                                               [ OK ]
    /bin/mv                                                  [ OK ]
    /bin/netstat                                             [ OK ]
    /bin/ps                                                  [ Warning ]
    /bin/pwd                                                 [ OK ]
    /bin/readlink                                            [ OK ]
    /bin/sed                                                 [ OK ]
    /bin/sh                                                  [ OK ]
    /bin/su                                                  [ OK ]
    /bin/touch                                               [ OK ]
    /bin/uname                                               [ OK ]
    /bin/which                                               [ OK ]
    /bin/bsd-csh                                             [ Warning ]
    /bin/dash                                                [ OK ]
    /usr/bin/awk                                             [ OK ]
    /usr/bin/basename                                        [ OK ]
    /usr/bin/chattr                                          [ OK ]
    /usr/bin/curl                                            [ OK ]
    /usr/bin/cut                                             [ OK ]
    /usr/bin/diff                                            [ OK ]
    /usr/bin/dirname                                         [ OK ]
    /usr/bin/dpkg                                            [ Warning ]
    /usr/bin/dpkg-query                                      [ Warning ]
    /usr/bin/du                                              [ OK ]
    /usr/bin/env                                             [ OK ]
    /usr/bin/file                                            [ OK ]
    /usr/bin/find                                            [ OK ]
    /usr/bin/GET                                             [ OK ]
    /usr/bin/groups                                          [ OK ]
    /usr/bin/head                                            [ OK ]
    /usr/bin/id                                              [ OK ]
    /usr/bin/killall                                         [ OK ]
    /usr/bin/last                                            [ Warning ]
    /usr/bin/lastlog                                         [ OK ]
    /usr/bin/ldd                                             [ Warning ]
    /usr/bin/less                                            [ OK ]
    /usr/bin/links                                           [ OK ]
    /usr/bin/locate                                          [ OK ]
    /usr/bin/logger                                          [ OK ]
    /usr/bin/lsattr                                          [ OK ]
    /usr/bin/lsof                                            [ OK ]
    /usr/bin/lynx                                            [ OK ]
    /usr/bin/mail                                            [ OK ]
    /usr/bin/md5sum                                          [ OK ]
    /usr/bin/mlocate                                         [ OK ]
    /usr/bin/newgrp                                          [ OK ]
    /usr/bin/passwd                                          [ OK ]
    /usr/bin/perl                                            [ Warning ]
    /usr/bin/pgrep                                           [ Warning ]
    /usr/bin/pstree                                          [ OK ]
    /usr/bin/rkhunter                                        [ OK ]
    /usr/bin/runcon                                          [ OK ]
    /usr/bin/sha1sum                                         [ OK ]
    /usr/bin/sha224sum                                       [ OK ]
    /usr/bin/sha256sum                                       [ OK ]
    /usr/bin/sha384sum                                       [ OK ]
    /usr/bin/sha512sum                                       [ OK ]
    /usr/bin/size                                            [ OK ]
    /usr/bin/sort                                            [ OK ]
    /usr/bin/stat                                            [ OK ]
    /usr/bin/strings                                         [ OK ]
    /usr/bin/sudo                                            [ Warning ]
    /usr/bin/tail                                            [ OK ]
    /usr/bin/test                                            [ OK ]
    /usr/bin/top                                             [ Warning ]
    /usr/bin/touch                                           [ OK ]
    /usr/bin/tr                                              [ OK ]
    /usr/bin/uniq                                            [ OK ]
    /usr/bin/users                                           [ OK ]
    /usr/bin/vmstat                                          [ Warning ]
    /usr/bin/w                                               [ Warning ]
    /usr/bin/watch                                           [ Warning ]
    /usr/bin/wc                                              [ OK ]
    /usr/bin/wget                                            [ OK ]
    /usr/bin/whatis                                          [ OK ]
    /usr/bin/whereis                                         [ OK ]
    /usr/bin/which                                           [ OK ]
    /usr/bin/who                                             [ OK ]
    /usr/bin/whoami                                          [ OK ]
    /usr/bin/gawk                                            [ OK ]
    /usr/bin/lwp-request                                     [ OK ]
    /usr/bin/lynx.cur                                        [ OK ]
    /usr/bin/bsd-mailx                                       [ OK ]
    /usr/bin/w.procps                                        [ Warning ]
    /sbin/chkconfig                                          [ Warning ]
    /sbin/depmod                                             [ OK ]
    /sbin/ifconfig                                           [ OK ]
    /sbin/ifdown                                             [ OK ]
    /sbin/ifup                                               [ OK ]
    /sbin/init                                               [ Warning ]
    /sbin/insmod                                             [ OK ]
    /sbin/ip                                                 [ OK ]
    /sbin/lsmod                                              [ OK ]
    /sbin/modinfo                                            [ OK ]
    /sbin/modprobe                                           [ OK ]
    /sbin/rmmod                                              [ OK ]
    /sbin/runlevel                                           [ Warning ]
    /sbin/sulogin                                            [ Warning ]
    /sbin/sysctl                                             [ Warning ]
    /usr/sbin/adduser                                        [ OK ]
    /usr/sbin/chroot                                         [ OK ]
    /usr/sbin/cron                                           [ OK ]
    /usr/sbin/groupadd                                       [ OK ]
    /usr/sbin/groupdel                                       [ OK ]
    /usr/sbin/groupmod                                       [ OK ]
    /usr/sbin/grpck                                          [ OK ]
    /usr/sbin/inetd                                          [ OK ]
    /usr/sbin/nologin                                        [ OK ]
    /usr/sbin/pwck                                           [ OK ]
    /usr/sbin/rsyslogd                                       [ OK ]
    /usr/sbin/tcpd                                           [ OK ]
    /usr/sbin/useradd                                        [ OK ]
    /usr/sbin/userdel                                        [ OK ]
    /usr/sbin/usermod                                        [ OK ]
    /usr/sbin/vipw                                           [ OK ]
    /usr/sbin/unhide-linux26                                 [ OK ]
    /etc/init.d/hdparm                                       [ OK ]
    /etc/init.d/.depend.boot                                 [ Warning ]

[Press <ENTER> to continue]

Checking for rootkits...

  Performing check of known rootkit files and directories
    55808 Trojan - Variant A                                 [ Not found ]
    ADM Worm                                                 [ Not found ]
    AjaKit Rootkit                                           [ Not found ]
    Adore Rootkit                                            [ Not found ]
    aPa Kit                                                  [ Not found ]
    Apache Worm                                              [ Not found ]
    Ambient (ark) Rootkit                                    [ Not found ]
    Balaur Rootkit                                           [ Not found ]
    BeastKit Rootkit                                         [ Not found ]
    beX2 Rootkit                                             [ Not found ]
    BOBKit Rootkit                                           [ Not found ]
    cb Rootkit                                               [ Not found ]
    CiNIK Worm (Slapper.B variant)                           [ Not found ]
    Danny-Boy's Abuse Kit                                    [ Not found ]
    Devil RootKit                                            [ Not found ]
    Dica-Kit Rootkit                                         [ Not found ]
    Dreams Rootkit                                           [ Not found ]
    Duarawkz Rootkit                                         [ Not found ]
    Enye LKM                                                 [ Not found ]
    Flea Linux Rootkit                                       [ Not found ]
    FreeBSD Rootkit                                          [ Not found ]
    Fu Rootkit                                               [ Not found ]
    Fuck`it Rootkit                                          [ Not found ]
    GasKit Rootkit                                           [ Not found ]
    Heroin LKM                                               [ Not found ]
    HjC Kit                                                  [ Not found ]
    ignoKit Rootkit                                          [ Not found ]
    iLLogiC Rootkit                                          [ Not found ]
    IntoXonia-NG Rootkit                                     [ Not found ]
    Irix Rootkit                                             [ Not found ]
    Kitko Rootkit                                            [ Not found ]
    Knark Rootkit                                            [ Not found ]
    ld-linuxv.so Rootkit                                     [ Not found ]
    Li0n Worm                                                [ Not found ]
    Lockit / LJK2 Rootkit                                    [ Not found ]
    Mood-NT Rootkit                                          [ Not found ]
    MRK Rootkit                                              [ Not found ]
    Ni0 Rootkit                                              [ Not found ]
    Ohhara Rootkit                                           [ Not found ]
    Optic Kit (Tux) Worm                                     [ Not found ]
    Oz Rootkit                                               [ Not found ]
    Phalanx Rootkit                                          [ Not found ]
    Phalanx2 Rootkit                                         [ Not found ]
    Phalanx2 Rootkit (extended tests)                        [ Not found ]
    Portacelo Rootkit                                        [ Not found ]
    R3dstorm Toolkit                                         [ Not found ]
    RH-Sharpe's Rootkit                                      [ Not found ]
    RSHA's Rootkit                                           [ Not found ]
    Scalper Worm                                             [ Not found ]
    Sebek LKM                                                [ Not found ]
    Shutdown Rootkit                                         [ Not found ]
    SHV4 Rootkit                                             [ Not found ]
    SHV5 Rootkit                                             [ Not found ]
    Sin Rootkit                                              [ Not found ]
    Slapper Worm                                             [ Not found ]
    Sneakin Rootkit                                          [ Not found ]
    'Spanish' Rootkit                                        [ Not found ]
    Suckit Rootkit                                           [ Not found ]
    SunOS Rootkit                                            [ Not found ]
    SunOS / NSDAP Rootkit                                    [ Not found ]
    Superkit Rootkit                                         [ Not found ]
    TBD (Telnet BackDoor)                                    [ Not found ]
    TeLeKiT Rootkit                                          [ Not found ]
    T0rn Rootkit                                             [ Not found ]
    trNkit Rootkit                                           [ Not found ]
    Trojanit Kit                                             [ Not found ]
    Tuxtendo Rootkit                                         [ Not found ]
    URK Rootkit                                              [ Not found ]
    Vampire Rootkit                                          [ Not found ]
    VcKit Rootkit                                            [ Not found ]
    Volc Rootkit                                             [ Not found ]
    Xzibit Rootkit                                           [ Not found ]
    X-Org SunOS Rootkit                                      [ Not found ]
    zaRwT.KiT Rootkit                                        [ Not found ]
    ZK Rootkit                                               [ Not found ]

  Performing additional rootkit checks
    Suckit Rookit additional checks                          [ OK ]
    Checking for possible rootkit files and directories      [ None found ]
    Checking for possible rootkit strings                    [ Warning ]

  Performing malware checks
    Checking running processes for suspicious files          [ None found ]
    Checking for login backdoors                             [ None found ]
    Checking for suspicious directories                      [ None found ]
    Checking for sniffer log files                           [ None found ]

  Performing trojan specific checks
    Checking for enabled inetd services                      [ Warning ]
    Checking for Apache backdoor                             [ Not found ]

  Performing Linux specific checks
    Checking loaded kernel modules                           [ OK ]
    Checking kernel module names                             [ OK ]

[Press <ENTER> to continue]

Checking the network...

  Performing check for backdoor ports
    Checking for TCP port 1524                               [ Not found ]
    Checking for TCP port 1984                               [ Not found ]
    Checking for UDP port 2001                               [ Not found ]
    Checking for TCP port 2006                               [ Not found ]
    Checking for TCP port 2128                               [ Not found ]
    Checking for TCP port 6666                               [ Not found ]
    Checking for TCP port 6667                               [ Not found ]
    Checking for TCP port 6668                               [ Not found ]
    Checking for TCP port 6669                               [ Not found ]
    Checking for TCP port 7000                               [ Not found ]
    Checking for TCP port 13000                              [ Not found ]
    Checking for TCP port 14856                              [ Not found ]
    Checking for TCP port 25000                              [ Not found ]
    Checking for TCP port 29812                              [ Not found ]
    Checking for TCP port 31337                              [ Not found ]
    Checking for TCP port 32982                              [ Not found ]
    Checking for TCP port 33369                              [ Not found ]
    Checking for TCP port 47107                              [ Not found ]
    Checking for TCP port 47018                              [ Not found ]
    Checking for TCP port 60922                              [ Not found ]
    Checking for TCP port 62883                              [ Not found ]
    Checking for TCP port 65535                              [ Not found ]

  Performing checks on the network interfaces
    Checking for promiscuous interfaces                      [ None found ]

[Press <ENTER> to continue]

Checking the local host...

  Performing system boot checks
    Checking for local host name                             [ Found ]
    Checking for system startup files                        [ Found ]
    Checking system startup files for malware                [ None found ]

  Performing group and account checks
    Checking for passwd file                                 [ Found ]
    Checking for root equivalent (UID 0) accounts            [ None found ]
    Checking for passwordless accounts                       [ None found ]
    Checking for passwd file changes                         [ None found ]
    Checking for group file changes                          [ None found ]
    Checking root account shell history files                [ OK ]

  Performing system configuration file checks
    Checking for SSH configuration file                      [ Not found ]
    Checking for running syslog daemon                       [ Found ]
    Checking for syslog configuration file                   [ Found ]
    Checking if syslog remote logging is allowed             [ Not allowed ]

  Performing filesystem checks
    Checking /dev for suspicious file types                  [ Warning ]
    Checking for hidden files and directories                [ Warning ]

[Press <ENTER> to continue]


System checks summary
=====================

File properties checks...
    Files checked: 141
    Suspect files: 21

Rootkit checks...
    Rootkits checked : 245
    Possible rootkits: 2
    Rootkit names    : Xzibit Rootkit, Xzibit Rootkit

Applications checks...
    All checks skipped

The system checks took: 2 minutes and 59 seconds

All results have been written to the log file (/var/log/rkhunter.log)

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

I am not exactly sure which packages I've upgraded... I know for a fact sysvinit was upgraded; I'm not so sure about psmisc... The stuff that was touched seems very fishy, as it's pretty much everything that deals with processes, users, and daemons.

I guess my question is... Have I been compromised? Is rkhunter aware of apt upgrades? How can I know for sure these are false flags (I'm assuming they're not for the time being)?

I'm sorry if the information I've provided is lacking, or if I'm breaking forum etiquette in some way; hopefully once I'm done scaring the hell out of myself, I can partake in the community.

Thanks in advance.

P.S. More logs to follow
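One way to triage the "file properties have changed" warnings above against the package manager's own records, as an added example that is not part of the thread: parse the warning blocks, look up which package owns each file, check whether that package was installed after the rkhunter baseline was last refreshed, and flag any file whose modification time is later than its package's install, since dpkg would not have written it. The dpkg.log excerpt (package versions and dates), the file-to-package map and the baseline date are constructed; on a real Debian host they come from /var/log/dpkg.log, `dpkg -S <path>` and the time of the last `rkhunter --propupd`.

```python
"""Triage rkhunter "file properties have changed" warnings against dpkg's
install history.  Added example for this thread, not the poster's code: the
dpkg.log lines, the owner map and the baseline date are constructed."""
import re
from datetime import datetime

# Four warning blocks copied from the poster's mail; note the /usr/bin/w block
# carries only the hash lines, and the chkconfig warning has no File: line.
RKHUNTER_MAIL = """\
Warning: The file properties have changed:
         File: /bin/ps
         Current hash: d6a70663771e4693c5c3c4a7ff8ed66c91d75a9b
         Stored hash : fb3a865fbd8e0a9028a3a519a4c9a527893ccb38
         Current inode: 3769455    Stored inode: 3768370
         Current size: 75800    Stored size: 75864
         Current file modification time: 1329449388 (17-Feb-2012 06:29:48)
         Stored file modification time : 1272973472 (04-May-2010 14:44:32)
Warning: The file properties have changed:
         File: /usr/bin/sudo
         Current hash: 014084e376619d291814cc638891b5d39e559e54
         Stored hash : 3f5b91d1bb172d009d94ccaec7241751c22a2bf7
         Current inode: 557710    Stored inode: 557128
         Current file modification time: 1337794468 (23-May-2012 20:34:28)
         Stored file modification time : 1300049696 (13-Mar-2011 23:54:56)
Warning: The file properties have changed:
         File: /usr/bin/w
         Current hash: be8b4563c6050c71e5315c2e47be15e80874b6b9
         Stored hash : 7078055f6127f322cab8e7d51848b03806bf5bee
Warning: The command '/sbin/chkconfig' has been replaced by a script: /sbin/chkconfig: a /usr/bin/perl script text executable
"""

# Constructed /var/log/dpkg.log excerpt ("status installed" events only).
DPKG_LOG = """\
2012-03-13 23:58:02 status installed sudo 1.7.4p4-2.squeeze.3
2012-07-19 08:27:40 status installed procps 1:3.2.8-9squeeze1
"""
# Constructed owner map (on a real host: `dpkg -S /bin/ps`, and so on).
FILE_TO_PKG = {"/bin/ps": "procps", "/usr/bin/w": "procps",
               "/usr/bin/sudo": "sudo"}
# Assumed date of the last `rkhunter --propupd`, i.e. when the stored
# hashes, inodes and mtimes were recorded.
BASELINE = datetime(2012, 7, 1)


def parse_warnings(text):
    """One dict per 'Warning:' line; indented detail lines are folded into
    fields such as file, current_hash, stored_hash, current_inode and
    current_file_modification_time (absent lines simply leave gaps)."""
    records = []
    for line in text.splitlines():
        if line.startswith("Warning: "):
            records.append({"message": line[len("Warning: "):].strip()})
        elif records and line.startswith(" "):
            rec = records[-1]
            fm = re.match(r"\s*File: (\S+)", line)
            if fm:
                rec["file"] = fm.group(1)
            for m in re.finditer(r"(Current|Stored) ([a-z ]+?)\s*:\s*(\S+)", line):
                key = f"{m.group(1)}_{m.group(2).replace(' ', '_')}".lower()
                rec[key] = m.group(3)
    return records


def last_install_times(dpkg_log):
    """{package: datetime of its most recent 'status installed' event}."""
    times = {}
    for line in dpkg_log.splitlines():
        m = re.match(r"(\S+ \S+) status installed (\S+) ", line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            times[m.group(2)] = max(times.get(m.group(2), ts), ts)
    return times


def triage(records, installs, owners, baseline):
    """Verdict per warning, keyed by path (or by the text when no File: line)."""
    verdicts = {}
    for rec in records:
        path = rec.get("file")
        if path is None:
            verdicts[rec["message"]] = "no file field: manual review"
            continue
        pkg = owners.get(path)
        installed = installs.get(pkg)
        mtime = rec.get("current_file_modification_time")
        if pkg is None:
            verdicts[path] = "not owned by any package: investigate"
        elif installed and mtime and datetime.fromtimestamp(int(mtime)) > installed:
            # dpkg unpacks files with their archive mtime, which predates the
            # install; a later mtime means something else rewrote the file.
            verdicts[path] = f"modified after {pkg} was installed: investigate"
        elif installed and installed > baseline:
            verdicts[path] = (f"{pkg} upgraded since baseline: confirm with "
                              f"debsums {pkg}, then rkhunter --propupd")
        else:
            verdicts[path] = f"no {pkg} upgrade since baseline: investigate"
    return verdicts


def run_triage():
    return triage(parse_warnings(RKHUNTER_MAIL), last_install_times(DPKG_LOG),
                  FILE_TO_PKG, BASELINE)
```

With the constructed data, /bin/ps and /usr/bin/w come out as explained by the procps upgrade, while /usr/bin/sudo is flagged because its mtime is later than the sudo package's last install.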
 
Old 07-24-2012, 09:26 AM   #2
cincin
LQ Newbie
 
Registered: Jul 2012
Distribution: Debian - Slackware - DSL
Posts: 3

Original Poster
Output from chkrootkit is somewhat more assuring:

Code:
ROOTDIR is `/'
Checking `amd'...                                           not found
Checking `basename'...                                      not infected
Checking `biff'...                                          not found
Checking `chfn'...                                          not infected
Checking `chsh'...                                          not infected
Checking `cron'...                                          not infected
Checking `crontab'...                                       not infected
Checking `date'...                                          not infected
Checking `du'...                                            not infected
Checking `dirname'...                                       not infected
Checking `echo'...                                          not infected
Checking `egrep'...                                         not infected
Checking `env'...                                           not infected
Checking `find'...                                          not infected
Checking `fingerd'...                                       not found
Checking `gpm'...                                           not found
Checking `grep'...                                          not infected
Checking `hdparm'...                                        not infected
Checking `su'...                                            not infected
Checking `ifconfig'...                                      not infected
Checking `inetd'...                                         not infected
Checking `inetdconf'...                                     not infected
Checking `identd'...                                        not found
Checking `init'...                                          not infected
Checking `killall'...                                       not infected
Checking `ldsopreload'...                                   not infected
Checking `login'...                                         not infected
Checking `ls'...                                            not infected
Checking `lsof'...                                          not infected
Checking `mail'...                                          not infected
Checking `mingetty'...                                      not found
Checking `netstat'...                                       not infected
Checking `named'...                                         not infected
Checking `passwd'...                                        not infected
Checking `pidof'...                                         not infected
Checking `pop2'...                                          not found
Checking `pop3'...                                          not found
Checking `ps'...                                            not infected
Checking `pstree'...                                        not infected
Checking `rpcinfo'...                                       not infected
Checking `rlogind'...                                       not found
Checking `rshd'...                                          not found
Checking `slogin'...                                        not infected
Checking `sendmail'...                                      not infected
Checking `sshd'...                                          not found
Checking `syslogd'...                                       not tested
Checking `tar'...                                           not infected
Checking `tcpd'...                                          not infected
Checking `tcpdump'...                                       not infected
Checking `top'...                                           not infected
Checking `telnetd'...                                       not found
Checking `timed'...                                         not found
Checking `traceroute'...                                    not infected
Checking `vdir'...                                          not infected
Checking `w'...                                             not infected
Checking `write'...                                         not infected
Checking `aliens'...                                        no suspect files
Searching for sniffer's logs, it may take a while...        nothing found
Searching for rootkit HiDrootkit's default files...         nothing found
Searching for rootkit t0rn's default files...               nothing found
Searching for t0rn's v8 defaults...                         nothing found
Searching for rootkit Lion's default files...               nothing found
Searching for rootkit RSHA's default files...               nothing found
Searching for rootkit RH-Sharpe's default files...          nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:  
/usr/lib/iceweasel/.autoreg /usr/lib/xulrunner-1.9.1/.autoreg /usr/lib/pymodules/python2.6/PyQt4/uic/widget-plugins/.noinit /usr/lib/pymodules/python2.6/.path /usr/lib/jvm/java-1.5.0-gcj-4.4/.java-gcj-4.4.jinfo /lib/init/rw/.ramfs

Searching for LPD Worm files and dirs...                    nothing found
Searching for Ramen Worm files and dirs...                  nothing found
Searching for Maniac files and dirs...                      nothing found
Searching for RK17 files and dirs...                        nothing found
Searching for Ducoci rootkit...                             nothing found
Searching for Adore Worm...                                 nothing found
Searching for ShitC Worm...                                 nothing found
Searching for Omega Worm...                                 nothing found
Searching for Sadmind/IIS Worm...                           nothing found
Searching for MonKit...                                     nothing found
Searching for Showtee...                                    nothing found
Searching for OpticKit...                                   nothing found
Searching for T.R.K...                                      nothing found
Searching for Mithra...                                     nothing found
Searching for LOC rootkit...                                nothing found
Searching for Romanian rootkit...                           nothing found
Searching for Suckit rootkit...                             nothing found
Searching for Volc rootkit...                               nothing found
Searching for Gold2 rootkit...                              nothing found
Searching for TC2 Worm default files and dirs...            nothing found
Searching for Anonoying rootkit default files and dirs...   nothing found
Searching for ZK rootkit default files and dirs...          nothing found
Searching for ShKit rootkit default files and dirs...       nothing found
Searching for AjaKit rootkit default files and dirs...      nothing found
Searching for zaRwT rootkit default files and dirs...       nothing found
Searching for Madalin rootkit default files...              nothing found
Searching for Fu rootkit default files...                   nothing found
Searching for ESRK rootkit default files...                 nothing found
Searching for rootedoor...                                  nothing found
Searching for ENYELKM rootkit default files...              nothing found
Searching for common ssh-scanners default files...          nothing found
Searching for suspect PHP files...                          nothing found
Searching for anomalies in shell history files...           nothing found
Checking `asp'...                                           not infected
Checking `bindshell'...                                     not infected
Checking `lkm'...                                           chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'...                                       not found
Checking `sniffer'...                                       lo: not promisc and no packet sniffer sockets
bnep0: PACKET SNIFFER(/sbin/dhclient[5321])
Checking `w55808'...                                        not infected
Checking `wted'...                                          Checking `scalper'...                                       not infected
Checking `slapper'...                                       not infected
Checking `z2'...                                            Checking `chkutmp'...                                       chkutmp: nothing deleted
Checking `OSX_RSPLUG'...                                    not infected

Last edited by cincin; 07-24-2012 at 09:42 AM.
 
Old 07-24-2012, 01:40 PM   #3
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
The chances of you having been compromised are pretty small. These tools do err on the side of caution and my take from reading the report is that you have been updating periodically, but not running this tool.

The main thing that I would recommend you do, both to be safe and to reassure yourself is to verify the program modification date/time and md5sum versus the packages. If you are running Debian (as indicated by your profile) you might be able to use the debsums for convenience, but it wouldn't hurt you to manually verify a few of these.

The second thing I would recommend you do is update your root kit hunter program and read the documentation associated with it. The updates will address some of the false positives and the documentation, which is quite good and easy to understand, will help you address the rest of them.

I will also take this as an opportunity to make a 3rd, but important point. These types of tools really need to be installed on a known clean system, preferably during the initial system configuration.
 
1 members found this post helpful.
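Noway2's suggestion to compare the flagged binaries against their package checksums, as an added example (not code from the thread, and not debsums itself): a small POSIX sh check that reads a dpkg-style .md5sums list and reports which listed files still match. The demo tree, its file contents and the list name `demo.md5sums` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not code from the thread): re-check files against the
# per-package md5sum lists dpkg keeps (the data debsums reads), so a /bin/ps
# that rkhunter flags can be compared with what its package shipped.
# On Debian the lists are /var/lib/dpkg/info/<package>.md5sums, one
# "<md5>  <path relative to />" line per file. Caveat: those lists live on
# the same disk as the binaries; a check that does not trust the host should
# hash against a freshly downloaded .deb instead.

# check_md5sums <md5sums-file> [root]
# Prints OK / CHANGED / MISSING per file; returns 1 if anything differs.
check_md5sums() {
    list=$1
    root=${2:-/}
    rc=0
    while read -r want rel; do
        [ -n "$rel" ] || continue
        f="${root%/}/$rel"
        if [ ! -f "$f" ]; then
            printf 'MISSING %s\n' "$f"
            rc=1
            continue
        fi
        have=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$have" = "$want" ]; then
            printf 'OK      %s\n' "$f"
        else
            printf 'CHANGED %s (stored %s, current %s)\n' "$f" "$want" "$have"
            rc=1
        fi
    done < "$list"
    return "$rc"
}

# Constructed demo tree so the check runs offline: a fake root holding the
# three files from the rkhunter report, a list recorded at "install" time,
# then one file replaced and one deleted. Prints the tree's path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/usr/bin"
    printf 'ps v1\n' > "$d/bin/ps"
    printf 'kill v1\n' > "$d/bin/kill"
    printf 'last v1\n' > "$d/usr/bin/last"
    ( cd "$d" && md5sum bin/ps bin/kill usr/bin/last ) > "$d/demo.md5sums"
    printf 'ps v2\n' > "$d/bin/ps"   # replaced after install
    rm "$d/usr/bin/last"              # removed after install
    echo "$d"
}

# Expected: OK bin/kill, CHANGED bin/ps, MISSING usr/bin/last.
tree=$(make_demo_tree)
check_md5sums "$tree/demo.md5sums" "$tree" || echo "differences found"
```

Once a flagged file is confirmed to match its package, the remaining step is to refresh rkhunter's stored properties with `rkhunter --propupd` so the same warning is not mailed again.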
Old 07-24-2012, 02:07 PM   #4
PhoenixAndThor
Member
 
Registered: Sep 2009
Location: Georgia, USA
Distribution: Ubuntu, Debian, Live CDs
Posts: 213

Rep: Reputation: 39
I second Noway2. Also, you never did say how you connect to the Internet or how many other people besides you have access to that system. If you connect through a modern router with a built-in firewall and you don't forward any ports to the outside world, then you have little to worry about.
 
Old 07-24-2012, 08:40 PM   #5
cincin
LQ Newbie
 
Registered: Jul 2012
Distribution: Debian - Slackware - DSL
Posts: 3

Original Poster
Rep: Reputation: Disabled
Rkhunter has been running periodically via a cronjob; those are warnings it mailed me.

The system is for me alone, I connect via ppp, I don't think my firewall blocks anything besides the default iptables setup.

Debsums seems to be OKing most of the packages.

Thanks everyone.
 
Old 07-25-2012, 04:21 AM   #6
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
For anything that remains, a good strategy is to Google the file name, along with the keyword RKHunter. A common warning is that a file has been replaced with a script. These types of false errors are distribution specific and RKHunter was written to be distribution generic.

With respect to the firewall, by default the Linux firewall is rather permissive. This isn't a problem because Linux does not have open ports by default and will only open the ports when you have a server application listening on them. If you desire you can add a drop all rule to the bottom of your IPTables configuration that will ensure everything remains closed unless you deliberately open it, but this is a precaution, not a safety requirement.

As long as you aren't running server processes, downloading and installing software from untrusted sites, and going to 'strange' websites, your chances of getting compromised on a desktop/laptop application are very low.
 
1 members found this post helpful.