
08-03-2004, 02:27 PM
|
|
Junior Guru Wannabe
|
|
Join Date: May 2004
Posts: 42
|
|
hi,
I ran "chkrootkit" on one of my servers, because this machine seems to have been hacked, and the resulting report is not too clear.
Does anyone know of other software to find possible rootkits or infected binary files?
Thank you very much.
|

08-03-2004, 02:36 PM
|
|
Aspiring Evangelist
|
|
Join Date: Apr 2002
Location: UK
Posts: 429
|
|
|

08-03-2004, 02:52 PM
|
|
Been around for too long...
|
|
Join Date: Aug 2002
Location: DC
Posts: 3,636
|
|
Quote:
Originally posted by Luciano
hi,
I ran "chkrootkit" on one of my servers, because this machine seems to have been hacked, and the resulting report is not too clear.
Does anyone know of other software to find possible rootkits or infected binary files?
Thank you very much.
|
What is the output of chkrootkit?
- Matt
|

08-03-2004, 02:56 PM
|
|
Web Hosting Master
|
|
Join Date: Dec 2001
Posts: 5,221
|
|
Greetings:
INFECTED, not infected, what's not too clear?
Though of note, cpanel will report port 465 infected when it is not.
http://www.rootkit.nl/ will probably have similar, technical, output.
Thank you.
|

08-03-2004, 03:26 PM
|
|
Web Hosting Guru
|
|
Join Date: Mar 2003
Location: Rio de Janeiro - Brazil
Posts: 291
|
|
Quote:
Originally posted by dynamicnet
INFECTED, not infected, what's not too clear?
|
LOL. Pretty clear to me 
|

08-03-2004, 03:39 PM
|
|
Web Hosting Master
|
|
Join Date: Dec 2001
Location: NYC
Posts: 1,902
|
|
Paste the output if you are unsure what it says.
|

08-03-2004, 05:57 PM
|
|
Web Hosting Master
|
|
Join Date: Apr 2003
Location: NC
Posts: 2,911
|
|
When in doubt you can also almost always google what is infected and find information. If you post it here we can help as well.
|

08-03-2004, 06:02 PM
|
|
Junior Guru Wannabe
|
|
Join Date: May 2004
Location: India
Posts: 91
|
|
Some cPanel scripts and some Perl modules generate error messages in chkrootkit. rkhunter is better than that. Try using that.
__________________
Helpdesk : Sir, you need to add 10GB space to your HD , Customer : Could you please tell where I can download that?
|

08-04-2004, 01:14 PM
|
|
Junior Guru Wannabe
|
|
Join Date: May 2004
Posts: 42
|
|
After running "./chkrootkit -p binarypath report"
It detects:
XX hidden process on Ps command
XX hidden process showdir (ls)
XX possible lkm installed
The problem is that these alerts disappear after rebooting the server. I was reading about that, and I noticed (http://www.chkrootkit.org) that this is because of "proc" activity. I'm running ENSIM Pro over RedHat Enterprise, and as you know, there are too many "short" processes being written to this directory.
That's why I want to run other software, to avoid false positives.
Do you know another one?
Last edited by anon-e-mouse; 08-04-2004 at 05:24 PM.
|
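Added example (not part of the original posts, and not chkrootkit's own code): a simplified shell version of a ps-versus-/proc comparison, assuming that is the kind of check behind the "hidden process" alerts described above. It reports a PID only if it is missing from ps in two snapshots taken two seconds apart, which filters out the short-lived processes the post mentions; the function names and the `--live` flag are made up for this sketch.

```shell
#!/bin/sh
# Added example: tell short-lived processes apart from persistently hidden ones.
# Function names and the --live flag are hypothetical, not chkrootkit options.

# only_in_proc PS_PIDS PROC_PIDS -> PIDs present in /proc but not shown by ps
only_in_proc() {
    shown=" $(echo $1) "                 # collapse newlines into single spaces
    for pid in $2; do
        case "$shown" in
            *" $pid "*) ;;               # ps lists it: not hidden
            *) printf '%s\n' "$pid" ;;   # in /proc only: candidate
        esac
    done
}

# persistent_hidden PS1 PROC1 PS2 PROC2 -> PIDs missing from ps in BOTH snapshots
persistent_hidden() {
    first=$(only_in_proc "$1" "$2")
    second=" $(echo $(only_in_proc "$3" "$4")) "
    for pid in $first; do
        case "$second" in
            *" $pid "*) printf '%s\n' "$pid" ;;   # still unexplained on recheck
        esac
    done
}

# Live snapshots: ps is taken first, so anything started in between shows up
# as a candidate once and is dropped by the second comparison.
snap_ps()   { ps -e -o pid= | tr -d ' '; }
snap_proc() { ls /proc | grep -E '^[0-9]+$'; }

# Constructed snapshots (not real output): 4242 is a short-lived job seen only
# in the first /proc listing; 31337 is absent from ps both times.
demo() {
    persistent_hidden "1 200 300" "1 200 300 4242 31337" \
                      "1 200 300" "1 200 300 31337"
}

if [ "${1:-}" = "--live" ]; then
    ps1=$(snap_ps); proc1=$(snap_proc)
    sleep 2
    ps2=$(snap_ps); proc2=$(snap_proc)
    persistent_hidden "$ps1" "$proc1" "$ps2" "$proc2"
fi
```

An empty result across several `--live` runs on a busy server is consistent with the false-positive explanation; a PID that keeps appearing is worth examining with binaries from known-good media.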

08-04-2004, 01:28 PM
|
|
Web Hosting Master
|
|
Join Date: Apr 2003
Location: NC
Posts: 2,911
|
|
Quote:
Originally posted by disoft
You could try rkhunter.
|
As posted above rkhunter is what most people use with/instead of chkrootkit.
|

08-04-2004, 01:34 PM
|
|
<?require_once("life")?>
|
|
Join Date: Sep 2002
Location: inside your network
Posts: 9,548
|
|
ditto for rkhunter, it's 100x better than chkrootkit, it checks binaries against md5, it checks various other stuff, crap that chkrootkit just forgets about.
As far as the output, how hard is it (really) to comprehend INFECTED/NOT INFECTED ? Admittedly 465 on a cpanel server (or most servers) will always show up as "infected", but the rest shouldn't at all.
If you get "INFECTED", then google it, it's your best bet.
|