Chkrootkit 0.46a
Checks for signs of a rootkit in Puppy.
It can also check other Linux distros that you have installed.
This installs only to a folder in my-applications.
To uninstall, just delete the folder.
Note: chkrootkit will tell you some of Puppy's files are infected. For example, it will find the string "bash" in dirname. This is because dirname is actually Busybox, which replaces dirname and replaces bash. If the checksums at the top tell you the file is ok, then it probably is ok, even if chkrootkit tells you it is infected.
http://www.chkrootkit.org/
(tested with Puppy 1.0.8, 2.0.2, and 2.10)
Some help with the results please
Checking the md5sum of some of Puppy's executables
Checking md5sum ... not infected
Checking basename ... not infected
Checking crond ... not infected
Checking crontab ... not infected
Checking dirname ... not infected
Checking echo ... not infected
Checking env ... not infected
Checking login ... not infected
Checking passwd ... not infected
Checking traceroute ... not infected
Checking init ... not infected
The above files seem to be OK
Ignore any messages that the above files are infected
Chkrootkit does not like Busybox
chkrootkit version 0.46
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... INFECTED
Checking `biff'... not found
Checking `chfn'... not found
Checking `chsh'... not found
Checking `cron'... INFECTED
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... INFECTED
Checking `echo'... INFECTED
Checking `egrep'... not infected
Checking `env'... INFECTED
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... INFECTED
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... INFECTED
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not found
Checking `rpcinfo'... not found
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not found
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... INFECTED
Checking `vdir'... not found
Checking `w'... strings; w: No such file or directory
not infected
Checking `write'... strings; write: No such file or directory
ls: write: No such file or directory
not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... nothing found
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... You have 1 process hidden for readdir command
You have 2 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... /proc/16423/fd: No such file or directory
eth0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... unable to open lastlog-file lastlog
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 15480 pts/0 /bin/sh ./chkrootkit-p
! root 15517 pts/0 /bin/sh ./chkrootkit
! root 16479 pts/0 ./chkutmp
! root 16480 pts/0 ps ax -o tty,pid,ruser,args
chkutmp: nothing deleted
Press the <enter> key to close this window
That looks normal.
At the top, the md5sums of Puppy's executables (md5sum, basename, crond etc etc etc) are all ok (not infected).
They are all just symlinks to Busybox anyway.
The rest of the output is from the unmodified Chkrootkit program ... I could have modified it, but I preferred to leave it alone.
It does not like basename, cron, dirname, echo etc etc etc, but if you look at the beginning of the output, they are all ok.
The reason it does not like these programs is that they are all symlinks to Busybox, and Busybox has a lot of strings in the executable that belong to other programs ... for example, Chkrootkit finds the string "bash" in the dirname program, so it says it is infected ... but Busybox replaces bash, so it's not surprising the word bash was found in the executable.
So those programs that Chkrootkit thinks are infected are ok, because the md5sums at the top of the output are ok (I used the public domain program md5deep to calculate the md5sums, rather than trust Puppy's md5sum program ... which is just Busybox anyway).
Some of the programs it checked were not found ... so they are obviously not infected if they are not there.
chkutmp found 4 processes running that are not listed in the utmp log, but the processes all belong to running chkrootkit, so that's ok.
The only thing suspicious is "You have 2 process hidden for ps command" ... Puppy's ps does not work with chkrootkit, so I had to include a real ps executable.
I suspect you will find that the "hidden" processes are actually Mozilla or Firefox threads ... you can see them in Puppy's ps but not in the real ps program ... I'm not sure why they are flagged as hidden.
This is not a really useful test, because it's checking to see if the ps program is hiding any processes ... but Puppy's ps does not work with chkrootkit, so it's really checking the included ps program.
Anyway, just shut down Mozilla and Firefox and try the test again, to see if the hidden processes disappear too ... if the hidden processes go away, you know it was just Mozilla or Firefox.
So the "infected" programs are Busybox, and if the "hidden" processes are Mozilla threads, then there are no real problems.
The new bugfixed geany is hidden from Busybox's pidof and killall too, though it's visible in ps ... I don't know why ... Geany 0.8 in Puppy 2.10 beta is visible to Busybox's pidof/killall.
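The "hidden process" result discussed above, re-created as an added example (this is not the poster's code or chkrootkit's own chkproc): it compares the PIDs visible in a proc-style directory with a saved ps listing, and re-checks each missing PID so a process that merely exited between the two snapshots is not reported as hidden. The proc directory and the ps snapshot below are constructed inputs, not a real /proc.

```shell
#!/bin/sh
# What chkrootkit's "lkm" test (chkproc) boils down to: the PIDs the kernel
# exposes as /proc entries versus the PIDs ps reports. A PID in /proc that ps
# omits is either hidden from ps or a process that exited between the two
# snapshots, so it is looked up a second time before being reported.
# Both inputs are parameters so the logic can run over a constructed snapshot.

# Numeric directory entries of a proc-style directory, one PID per line.
proc_pids() {
    for entry in "$1"/[0-9]*; do
        [ -d "$entry" ] && basename "$entry"
    done | sort -n
}

# PIDs from a saved ps listing (first column). On a live box the file would
# be produced with:  ps ax -o pid= > /tmp/ps.snapshot
ps_pids() {
    awk '$1 ~ /^[0-9]+$/ {print $1}' "$1" | sort -n
}

# PIDs present in the proc directory but absent from the ps listing.
# A PID that is gone from proc on the second look is treated as a process
# that simply exited (the race chkproc can fall into), not as hidden.
hidden_pids() {
    procdir="$1"; pslist="$2"
    seen=$(ps_pids "$pslist")
    for pid in $(proc_pids "$procdir"); do
        if ! printf '%s\n' "$seen" | grep -qx "$pid"; then
            [ -d "$procdir/$pid" ] && echo "$pid"
        fi
    done
    return 0
}

# Stand-alone demo on a constructed snapshot (PIDs borrowed from the thread).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/proc/1" "$demo_dir/proc/15480" "$demo_dir/proc/16423"
touch "$demo_dir/proc/uptime"                   # non-numeric entry, ignored
printf '1\n15480\n' > "$demo_dir/ps.snapshot"   # ps did not report 16423
echo "hidden from ps: $(hidden_pids "$demo_dir/proc" "$demo_dir/ps.snapshot")"
rm -rf "$demo_dir"
```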
Thank You !
Thanks so very much. As I am just learning to use Linux, I rarely understand
the output provided (top, kp, etc.).
Again, thanks so very much for your insight!
If you want to see what the processes are that Chkrootkit thinks are hidden, you can click "console" in the bin folder, then type:
For help:
./chkrootkit -h
For a list of the tests that are available:
./chkrootkit -l
To run the lkm test:
./chkrootkit -x lkm
This should show you what the processes are that it doesn't think are right.
Click the console file in bin, don't just Open An Xterm Here, because it sets up the PATH for chkrootkit.
Just found this while doing a search on the board for syslogd. At first I thought my hard drive was dying until I read a bit more on the web and found this thread.
My hard drive light has been on for several hours and syslogd has been running. This shows many files as infected. I am guessing I downloaded something with LimeWire that wasn't what I thought it was. Headed to see if I can still install antivirus or if it is too late.
Puppy Linux...
It just works!
Your system may be infected with something, but it probably isn't.
Puppy uses the busybox executable to replace many of the GNU utils, like md5sum, basename, crond, crontab, dirname, echo, env, traceroute, init ...
Chkrootkit does not like Busybox ... it looks for suspicious text in the executables, and finds strings of text in Busybox that it thinks should not be there.
For example, it does not like "bash" in the dirname executable ... but in Puppy, dirname is busybox, and busybox is the ash shell, so busybox has the word bash in it ... Chkrootkit does not like this, so it reports dirname as being infected ... but it is not.
I could have edited the Chkrootkit script, to make it compatible with Puppy, but I didn't ... I checked the md5sums of the executables that Chkrootkit doesn't like and ran that first.
The thing is, if the first part of the program says that those executables are ok, but Chkrootkit says they are infected, then they are probably ok and you can ignore those messages that those files are infected.
If the output of the program looks like this:
Checking the md5sum of some of Puppy's executables
Checking md5sum ... not infected
Checking basename ... not infected
Checking crond ... not infected
Checking crontab ... not infected
Checking dirname ... not infected
Checking echo ... not infected
Checking env ... not infected
Checking login ... not infected
Checking passwd ... not infected
Checking traceroute ... not infected
Checking init ... not infected
then those files should be OK, and you should ignore the INFECTED messages about those files later on.
You probably do not have infected files.
syslogd just prints (error) messages to /var/log/messages.
If your drive light is on a lot, maybe you are using a lot of your swap space.
Do you use tkpppoe (Roaring Penguin)? ... it has some sort of memory allocation problem in Puppy 2.10, and you can't leave it running for any length of time, or it will allocate more and more memory until your machine bogs down.
If you have tkpppoe running, just click exit ... your ADSL connection will still be connected.
Or you might have something else allocating memory ... is there anything that shows up if you type top in an xterm/rxvt/console/terminal window? ... look in the RSS column for something using a lot of memory.
You can see how much swap space is being used by typing free.
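An added example, not code from the thread or from chkrootkit, showing the point made twice above: a string scan of a BusyBox multi-call binary fires on every applet symlinked to it, while a checksum against a known-good value does not, and the checksum also catches a real modification that the string scan says nothing new about. The fake busybox, its applet symlinks and the known-good values are constructed in a scratch directory; cksum stands in for md5deep where md5sum is unavailable.

```shell
#!/bin/sh
# Why chkrootkit reports BusyBox applets as INFECTED, and why the md5 list at
# the top of the wrapper's output is the better signal. Constructed demo:
# a fake "busybox" whose text contains the word "bash", with the applets from
# the thread symlinked to it, plus one stand-alone binary for contrast.

make_fake_root() {
    mkdir -p "$1/bin"
    # the real BusyBox binary carries the strings of every applet it
    # provides, including its shell; this stand-in just contains "bash"
    printf '#!/bin/sh\n# multi-call stand-in: ash, bash, dirname ...\necho "$0"\n' > "$1/bin/busybox"
    chmod +x "$1/bin/busybox"
    for app in basename dirname echo env login passwd traceroute; do
        ln -sf busybox "$1/bin/$app"
    done
    printf '#!/bin/sh\necho grep "$@"\n' > "$1/bin/grep"
    chmod +x "$1/bin/grep"
}

# chkrootkit-style test: scan the executable's bytes for a suspect string.
# Exit 0 means "found" (chkrootkit would print INFECTED).
string_check() {
    grep -aq -- "$2" "$1"
}

# Checksum of the file a path points to (symlinks are followed, so every
# BusyBox applet yields the BusyBox checksum). md5sum if present, else the
# POSIX cksum, standing in for the md5deep the wrapper uses.
checksum_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# Verdict for one file, given a known-good checksum recorded from a trusted
# copy and the string chkrootkit would grep for:
#   infected        checksum differs from the known-good value
#   false-positive  checksum matches but the string check fires
#   clean           checksum matches and the string check is quiet
classify() {
    file="$1"; known_good="$2"; needle="$3"
    if [ "$(checksum_of "$file")" != "$known_good" ]; then
        echo infected
    elif string_check "$file" "$needle"; then
        echo false-positive
    else
        echo clean
    fi
}

# Stand-alone demo in a scratch directory. Known-good values are recorded
# from the freshly built files, as a trusted md5 list would be.
root=$(mktemp -d)
make_fake_root "$root"
good_busybox=$(checksum_of "$root/bin/busybox")
for app in basename dirname echo env login passwd traceroute grep; do
    good=$(checksum_of "$root/bin/$app")
    target=$(readlink "$root/bin/$app" || echo "(not a symlink)")
    printf 'Checking %-10s -> %-16s %s\n' "$app" "$target" \
        "$(classify "$root/bin/$app" "$good" bash)"
done
# Now modify busybox: every applet's checksum changes with it.
printf '\n# implanted\n' >> "$root/bin/busybox"
printf 'After modifying busybox, dirname is: %s\n' \
    "$(classify "$root/bin/dirname" "$good_busybox" bash)"
rm -rf "$root"
```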
Well, that is good news and bad news then. I tried several different ways of installing fprot and it will not run, with errors on the updates and the program itself, partly because I can't get it to update. I am going to look for the newer files and replace them manually, but many things that were once working do not seem to be there any longer.
I attempted a backup to CD and it reports the disks are not blank although they are new. This seems to coincide with a failed Firefox update yesterday which killed the browser and required a fresh installation. I see today there is a new update waiting to install but have not restarted the browser yet. Although this hard drive is only a month old I am beginning to believe it may be the culprit. There were many errors on my last reboot and I don't believe it will survive the next one, so I will be back to live CD in RAM next.
Would a failing drive cause syslogd to attempt to write to the drive constantly?
You might have something screwed up in your system.
You might even have some sort of infection.
If Chkrootkit says at the top that those particular files are OK, then those particular files probably are OK.
syslogd should be writing to /var/log/messages.
What is it writing in the messages file? ... you could type
tail /var/log/messages
to see the last 10 lines of the messages file.
If you have logging enabled in your firewall, it will log blocked packets ... it's possible that your machine is being scanned, and it's filling the messages file with log messages from iptables.
Input/output errors when reading and writing to your hard drive would be logged, I think ... it is possible that your hard drive is failing, it does happen ... what do you get if you type dmesg ?
I was able to get fprot updated manually and run it. I think I got it. There was a Windows program I downloaded for my wife that seems to have been causing the problem. I haven't rebooted yet, but once I deleted the program my drive quieted right down. It kept causing this error repeatedly. I am guessing it was trying to start itself over and over.
EXT2-fs error (device ide0(3,1)): ext2_new_block: Free blocks count corrupted for block group 9
I found a "test" file in 8 different places, 3 in the Firefox cache, and I assume since they are listed as eicar_test_file (exact) that that was all they were. It is really nice to see the HD light off and the processor back to normal.
If nothing else, let this serve as a warning that even though I did not have a major infection you can still run into problems downloading things that are questionable. It makes no difference what it is named if it is not what it claims it is. Funny thing was I was going to install fprot to check the file before I let her install it on her Windows machine.
By the way, the only other thing it found was a suspicious pup.
/root/dotpups-downloads/Abby.pup could be an archive bomb
Wish me luck, I am going for the reboot.
The EICAR Standard Anti-Virus Test File is a harmless text file that is used to test antivirus programs.
Xfprot has the file in it, so this package can set off antivirus alarms ... but it is not a virus.
I have a dotpup on my download page that will download and install the latest F-Prot program ... I also have an Xfprot 1.15 program for people who prefer GUIs to the command line ... or someone made a package of F-Prot and Xfprot.
http://puppylinux.org/wikka/DotPups
An archive bomb is a zip file that is very small but that will blow up into a huge file or files.
Puppy's zipped pup001 file for NTFS would be an archive bomb.
Archive bombs are sent through mail servers with antivirus programs that unzip and check each attachment, hoping to crash the antivirus program when it tries to unzip the attachment.
I'm not sure what you have on your machine ... a Windows program running in Wine? ... Wine can run viruses as well as legitimate programs ... or if you are running Linux or Windows ... anyway, if you solved the problem, that's good.
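The archive-bomb check a scanner that unpacks attachments would need, as an added example (not from the post), for gzip files: it reads the size a gzip file declares in its trailer, which the author of the archive controls, and then caps the bytes actually inflated so a lying trailer does not help. The zero-filled and random inputs are constructed in a scratch directory.

```shell
#!/bin/sh
# Defensive check for the "archive bomb" described above, for gzip files.
# Two bounds are needed: the size the archive itself declares is only a
# hint, because whoever made the archive wrote those bytes; the real guard
# is a cap on bytes actually decompressed.

# Uncompressed size the gzip trailer claims: the last four bytes hold the
# original length modulo 2^32, little-endian.
declared_size() {
    set -- $(tail -c 4 "$1" | od -An -tu1)
    echo $(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
}

# Declared expansion ratio (integer), from the trailer and the file size.
declared_ratio() {
    compressed=$(wc -c < "$1" | tr -d ' ')
    echo $(( $(declared_size "$1") / compressed ))
}

# Inflate at most $2 bytes and print how many came out. Exit status is 1
# when output exceeded the cap, whatever the trailer claimed.
bounded_inflate() {
    limit="$2"
    produced=$(gzip -dc "$1" 2>/dev/null | head -c "$((limit + 1))" | wc -c | tr -d ' ')
    echo "$produced"
    [ "$produced" -le "$limit" ]
}

# Verdict: "bomb" when the declared ratio exceeds max_ratio or real output
# exceeds max_bytes, otherwise "ok". Cheap metadata test first, bounded
# inflate second, so an honest-looking trailer does not get a free pass.
check_archive() {
    file="$1"; max_ratio="$2"; max_bytes="$3"
    if [ "$(declared_ratio "$file")" -gt "$max_ratio" ]; then
        echo bomb
    elif ! bounded_inflate "$file" "$max_bytes" >/dev/null; then
        echo bomb
    else
        echo ok
    fi
}

# Stand-alone demo: 1 MiB of zeros (compresses to about 1 KiB) versus 64 KiB
# of random bytes (barely compresses). Constructed inputs, scratch dir.
demo=$(mktemp -d)
head -c 1048576 /dev/zero > "$demo/zeros"; gzip "$demo/zeros"
head -c 65536 /dev/urandom > "$demo/random"; gzip "$demo/random"
for f in zeros random; do
    printf '%s.gz: declared ratio %s:1, verdict %s\n' "$f" \
        "$(declared_ratio "$demo/$f.gz")" "$(check_archive "$demo/$f.gz" 100 4194304)"
done
rm -rf "$demo"
```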
By the way:
tinyapps.org
"VirusTotal offers free scanning of uploaded (or emailed) files using over 20 antivirus and antispyware engines"
http://www.virustotal.com/en/indexx.html
http://www.virustotal.com/en/virustotalx.html
I have not tried this, but I have uploaded files to Kaspersky to check.
The program of course was not what it reported to be. It was named net_spite_and_malace_setup.exe. It was supposed to be a card game that my sweetie played online with others that I forgot to back up when I upgraded her computer to XP. I did not suspect the file since many people had it and the size looked about right for the game.
Obviously it was something entirely different. I should have known when there was also some network activity to go along with the constant writes to the HD. Just goes to show you.
BTW, she only runs XP because she can't deal without her Pogo games (an EA Games website), which requires Internet Exploiter so it can install all the nasties. Maybe someday I can convert her too. You should see that 2.4 GHz machine on Puppy though, it responds before you click.
I have been looking through things and I don't think anything else was damaged (except possibly my ego), so I can continue to mess things up myself. Thanks so much for jumping in so quickly to answer my questions.
I'm sure there are some false positives there. Maybe upload one of the "infected" files to the forum, I will download and check it out (really, if it's in Puppy, it should be safe as an attachment -- at least for me. Don't anyone else download it, lol.)
For one, I will use a more recent chkrootkit. And I will look it up online, etc. to see what its status is. init is probably a shell script, so... that's probably ok.