I compiled and ran chkrootkit-0.49 (referred to in the discussion on PET files http://www.chkrootkit.org/) on my Puppy Linux 4.3.1 frugal install and it's coming back and telling me that it is infected. I note that the last release date of this software is 2009, or so it would appear from the website. I'd appreciate your thoughts, anyone?
Yorkie
Here's what I logged in rxvt:
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... INFECTED
Checking `biff'... not found
Checking `chfn'... not found
Checking `chsh'... not found
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... INFECTED
Checking `echo'... INFECTED
Checking `egrep'... not infected
Checking `env'... INFECTED
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... INFECTED
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... INFECTED
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not found
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... INFECTED
Checking `vdir'... not found
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/Digest/SHA1/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/HTML/Parser/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/XML/Simple/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/XML/Parser/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/Compress/Zlib/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/ExtUtils/Depends/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/ExtUtils/PkgConfig/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/auto/URI/.packlist /usr/lib/perl5/5.8.8/i486-t2-linux-gnu/.packlist /usr/lib/perl5/site_perl/5.8.8/i486-t2-linux-gnu/auto/Git/.packlist
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
16 /usr/share
1 /usr/share/vala
1 /usr/share/kbd
2 /usr/share/kbd/keymaps
2 /usr/share/kbd/keymaps/i386
1 /usr/share/cups
2 /usr/share/ayttm
2 /usr/share/ayttm/smileys
1 /usr/share/pixmaps
3 /usr/share/doc
2 /usr/share/icons
14 /usr/share/icons/hicolor
1 /usr/share/icons/hicolor/64x64
2 /usr/share/icons/hicolor/24x24
3 /usr/share/icons/hicolor/22x22
2 /usr/share/icons/hicolor/48x48
2 /usr/share/icons/hicolor/scalable
2 /usr/share/icons/hicolor/32x32
1 /usr/share/icons/hicolor/128x128
3 /usr/share/icons/hicolor/16x16
1 /lib
2 /lib/modules
chkdirs: Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... wlan0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... 1 deletion(s) between Wed Dec 31 20:00:00 1969 and Wed Mar 23 13:33:33 2011
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... Checking `chkutmp'... => possibly 1 deletion(s) detected in /var/run/utmp !
The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 8909 tty1 /bin/sh /usr/bin/xwin
! root 8910 tty2 /sbin/getty 38400 tty2
! root 8916 tty3 /sbin/getty 38400 tty3
! root 9216 tty1 /usr/bin/xinit /root/.xinitrc -- -br -nolisten tcp
! root 9217 tty4 X :0 -br -nolisten tcp
! root 9237 tty1 jwm
! root 9289 tty1 /bin/ash /sbin/pup_event_frontend_d
! root 9321 tty1 /usr/local/apps/ROX-Filer/ROX-Filer -p /root/Choices/ROX-Filer/PuppyPin
! root 9322 tty1 [delayedrun] <defunct>
! root 9325 tty1 absvolume -bg #DCDAF5
! root 9370 tty1 xload -nolabel -bg #888888 -fg red -hl white
! root 9372 tty1 freememapplet
! root 9376 tty1 blinky -bg #DCDAD5
! root 9995 tty1 geany /root/my-documents/chkrootkit-0.49/README
! root 10164 tty1 rxvt
! root 10168 pts/0 bash
! root 10423 tty1 /usr/bin/inotifywait -e modify --format %w /tmp/pup_event_sizefreem
! root 14113 pts/0 /bin/sh ./chkrootkit
! root 14114 pts/0 tee rootkitlog.txt
! root 15496 tty1 sleep 2
! root 15519 pts/0 ./chkutmp
! root 15520 pts/0 ps-FULL ax -o tty,pid,ruser,args
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected