On 19 Feb, 20:33, ibupro...@painkiller.example.tld (Moe Trin) wrote:
> On 19 Feb 2007, in the Usenet newsgroup comp.os.linux.networking, in article
>
> <1171882458.782897.245...@p10g2000cwp.googlegroups.com>, slourty wrote:
> >I had this message with rkhunter:
>
> Did you review what this "tool" is doing, or are you hoping that it is a
> magic tool that may find mal-ware?
It is a "magic tool that finds mal-ware", but maybe you know a better
way...
>
> >[07:41:14] WARNING, found /dev/.static (directory) /dev/.udev
> >(directory) /dev/.initramfs (directory) /etc/.java (directory)
>
> OK - let's start with the obvious. What distribution is this?
I am on Ubuntu 6.10, it is the home workstation; everything is up to
date, and I use it a little bit for an Apache server and SSH with, I think,
a big password (12 letters).
> What release? (try 'cat /etc/*release /etc/*version'). What is the system
> used for - home workstation? Internet server?
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=6.10
DISTRIB_CODENAME=edgy
DISTRIB_DESCRIPTION="Ubuntu 6.10"
testing/unstable
I use it as a server and a workstation, but it is the workstation
version that I use.
> What version of rkhunter?
Rootkit Hunter 1.2.8
>
> Directories that begin with a dot (.) are somewhat suspicious, as they
> won't show in a directory listing unless you include the '-a' or '-A'
> option to 'ls'. Did you create these directories?
> Do they belong to some application? Does your package manager tell you what package
> they belong to?
No, but just before, doing an apt-get asked me to run "apt-get
autoremove" because it said there were some files not used; these files
were "Eclipse's files".
> What is inside these directories?
kb@kb-desktop:~$ cd /dev/.
../ ../ .initramfs/ .static/ .udev/
kb@kb-desktop:~$ ls -a /dev/.static/
.. .. dev
kb@kb-desktop:~$ ls -a /dev/.static/dev/
.. i2c-5 mixer3 ram6 rfcomm26 scd16 sg8
tty
... i2c-6 mpu401data ram7 rfcomm27 scd2 sg9
tty0
agpgart i2c-7 mpu401stat ram8 rfcomm28 scd3 shm
tty1
apm_bios kmem null ram9 rfcomm29 scd4 smpte0
tty2
audio loop0 parport0 random rfcomm3 scd5 smpte1
tty3
audio1 loop1 parport1 raw1394 rfcomm30 scd6 smpte2
tty4
audio2 loop2 parport2 rfcomm0 rfcomm31 scd7 smpte3
tty5
audio3 loop3 port rfcomm1 rfcomm4 scd8 sndstat
tty6
audioctl loop4 ppp rfcomm10 rfcomm5 scd9 sr0
tty7
ccub0 loop5 ptmx rfcomm11 rfcomm6 sequencer sr1
tty8
ccub1 loop6 pts rfcomm12 rfcomm7 sg0 sr10
tty9
ccub2 loop7 ram rfcomm13 rfcomm8 sg1 sr11
ttyUB0
ccub3 MAKEDEV ram0 rfcomm14 rfcomm9 sg10 sr12
ttyUB1
console mem ram1 rfcomm15 rmidi0 sg11 sr13
ttyUB2
core midi0 ram10 rfcomm16 rmidi1 sg12 sr14
ttyUB3
dsp midi00 ram11 rfcomm17 rmidi2 sg13 sr15
urandom
dsp1 midi01 ram12 rfcomm18 rmidi3 sg14 sr16
vhci
dsp2 midi02 ram13 rfcomm19 scd0 sg15 sr2
xconsole
dsp3 midi03 ram14 rfcomm2 scd1 sg16 sr3
zero
full midi1 ram15 rfcomm20 scd10 sg2 sr4
i2c-0 midi2 ram16 rfcomm21 scd11 sg3 sr5
i2c-1 midi3 ram2 rfcomm22 scd12 sg4 sr6
i2c-2 mixer ram3 rfcomm23 scd13 sg5 sr7
i2c-3 mixer1 ram4 rfcomm24 scd14 sg6 sr8
i2c-4 mixer2 ram5 rfcomm25 scd15 sg7 sr9
kb@kb-desktop:~$ ls -a /dev/.udev/
.. .. db failed uevent_seqnum [uevent_seqnum is an empty file]
kb@kb-desktop:~$ ls -a /dev/.udev/db/
.. class@(E-Mail Removed)0 class@sound@pcmC1D1c
... class@(E-Mail Removed)0 class@sound@pcmC1D1p
block@hda class@input@input0@event0 class@sound@seq
block@hda@hda1 class@input@input1@event1 class@sound@timer
block@hda@hda2 class@input@input2@event2
class@usb_device@usbdev1.1
block@hda@hda5 class@input@input3@event3
class@usb_device@usbdev1.3
block@hdb class@input@input3@mouse0
class@usb_device@usbdev2.1
block@hdb@hdb1 class@input@input3@ts0
class@usb_device@usbdev3.1
block@hdb@hdb2 class@input@mice
class@usb_device@usbdev4.1
block@hdb@hdb5 class@sound@controlC0
class@video4linux@radio0
block@hdc class@sound@controlC1
class@video4linux@vbi0
block@hdd class@sound@pcmC0D0c
class@video4linux@video0
class@(E-Mail Removed)0 class@sound@pcmC1D0c
class@(E-Mail Removed)0 class@sound@pcmC1D0p
kb@kb-desktop:~$ ls -a /dev/.udev/failed/
.. devices@pnp0@00:00
devices@pnp0@00:07
... devices@pnp0@00:02
devices@pnp0@00:09
devices@pci0000:00@0000:00:06.4 devices@pnp0@00:03
devices@pnp0@00:0a
devices@platform@i8042@serio1 devices@pnp0@00:06
kb@kb-desktop:~$ ls -a /etc/.java/
.. .. .systemPrefs
kb@kb-desktop:~$ ls -a /etc/.java/.systemPrefs/
.. .. .system.lock .systemRootModFile [Empty files]
>
> >If you're unsure about the result above, please contact the author of
> >Rootkit Hunter. Fill in contact form:http://www.rootkit.nl/contact/
>
> Have you done that?
Not yet; if I can't find what it is now, I will do that.
>
> >Some errors has been found while chicking. Please perform a manual
> >check on this machine ********
>
> 'rkhunter' and the some-what comparable 'chkrootkit' are windoze wannabe
> "tools" that look for signs that were found in old root kits. For
> example, they look for a file named "/tmp/.../a" or "/tmp/.../r" and if
> they find that, they declare that you are infected with the 55808.A worm.
> If you think this is good testing, think also that the rootkit author has
> only to rename the file to "/tmp/.../b" to defeat this test.
Yes, of course, so the only way to know if I am infected is to check the
log file and whether the connection is not too slow.
>
> Most (if not all) posts that I have seen of people reporting finding
> problems with rkhunter and chkrootkit have been false alarms. Given the
> ease in defeating many of the tests, only the poorest root kit should
> be found. None the less, those directories are of concern and should
> be investigated. However, much more details are needed for someone to
> offer help/explanations to you.
>
> >What should I do
>
> Do those directories belong there? Are they innocent?
I really don't know!
>
> >(what am I suppose to check and how?)?
>
> Depends on your distribution
>
> >Is it a mistake? Do I have a rootkit or any security problem?
>
> Possibly - but we don't have enough information to say.
>
> Old guy
Thank you for your help
Slourty
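Moe Trin's questions (who owns the directory, what the package manager says, what is inside) are the actual triage; the script below is an added example that is not part of the thread and not an rkhunter component. It assumes a Debian/Ubuntu system with dpkg, takes the flagged paths as arguments, and treats the four directories named in the thread only as "commonly seen", not as proof of innocence.

```shell
#!/bin/sh
# Triage helper for rkhunter "hidden directory" warnings (added example).
# KNOWN_HIDDEN lists the dot-directories from the thread; on Ubuntu of that
# era they are created by udev, initramfs-tools and Java system preferences.
# A match here is only a hint; ownership and contents are the real checks.
KNOWN_HIDDEN="/dev/.static /dev/.udev /dev/.initramfs /etc/.java"

# Return 0 if the path is one of the directories discussed in the thread.
is_known_hidden_dir() {
    for d in $KNOWN_HIDDEN; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

# Ask dpkg which package owns the path; print "unowned" if none claims it
# (runtime directories such as /dev/.udev are normally unowned) or dpkg is absent.
owner_package() {
    if command -v dpkg >/dev/null 2>&1 && dpkg -S "$1" >/dev/null 2>&1; then
        dpkg -S "$1" | cut -d: -f1 | sort -u | tr '\n' ' '
    else
        echo unowned
    fi
}

# Count regular files under the path that are setuid, setgid or owner-executable.
# Device nodes and empty lock files (what the thread found) are not counted;
# a planted binary would be, and is what deserves a closer look.
count_suspicious_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 -o -perm -100 \) \
        2>/dev/null | wc -l | tr -d ' '
}

# Full triage of one path: directory metadata, owning package, suspicious contents.
triage() {
    p=$1
    [ -e "$p" ] || { echo "$p: does not exist"; return 1; }
    echo "== $p"
    ls -ld "$p"          # owner, mode and mtime of the directory itself
    echo "package: $(owner_package "$p")"
    echo "executable/setuid files inside: $(count_suspicious_files "$p")"
    is_known_hidden_dir "$p" && echo "note: commonly created by udev/initramfs/Java on Ubuntu"
    return 0
}

# Usage: sh triage.sh /dev/.static /dev/.udev /dev/.initramfs /etc/.java
for p in "$@"; do triage "$p"; done
```

Run it as root so that `find` can descend into /dev/.udev and /dev/.static; a non-zero count of executable files in one of these directories is the result worth reporting back to the group.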