Mageia forum

share the magic

Skip to content

[SOLVED] help with rkhunter possible rootkits

This forum is dedicated to basic help and support :

Ask here your questions about basic installation and usage of Mageia. For example you may post here all your questions about getting Mageia isos and installing it, configuring your printer, using your word processor etc.

Try to ask your questions in the right sub-forum with as much details as you can gather. the more precise the question will be, the more likely you are to get a useful answer
Post a reply

[SOLVED] help with rkhunter possible rootkits

Postby ultratron » Jun 23rd, '12, 14:30

Hi
Please bear with me as this is a mess. I am not used to reporting these types of issues. Thanks.

I have a box that seems to be working fine. But I installed chkrootkit and rkhunter and ran tests as part of my security checkup I do every once in a while. Anyhow, multiple runs of rhunter, even after rkhunter -update -propupd, show the following:

Code: Select all
Warning: GasKit Rootkit                           [ Warning ]
         Directory '/dev/dev' found
Warning: The following processes are using suspicious files:
         Command: crond
           UID: 0    PID: 817
           Pathname: /etc/crontab
           Possible Rootkit: Unknown rootkit
Warning: Suspicious file types found in /dev:
         /dev/shm/libv4l-dualio:usb-0000:00:12.0-1:046d:0920:USB Camera (046d:0920): data

Here is the rkhunter.log part:
Code: Select all
[07:43:51] Checking for GasKit Rootkit...
[07:43:51]   Checking for file '/dev/dev/gaskit/sshd/sshdd'  [ Not found ]
[07:43:51]   Checking for directory '/dev/dev'               [ Found ]
[07:43:51]   Checking for directory '/dev/dev/gaskit'        [ Not found ]
[07:43:51]   Checking for directory '/dev/dev/gaskit/sshd'   [ Not found ]
[07:43:51] Warning: GasKit Rootkit                           [ Warning ]
[07:43:51]          Directory '/dev/dev' found
[07:43:51]


Chkrootkit shows:
Code: Select all
Searching for Suckit rootkit... Warning: /sbin/init INFECTED

But google shows this to be a false positive.

I had plugged in a webcam a few days back so I think that might be the rkhunter /dev/shm warning. I think this might false positive. I am worried about the crond unknown rootkit and the gaskit. I ran rkhunter on another mageia machine I have and the crond and gaskit warnigs show up. Both machines are Mageia 2 64 bit. My /var/log/messages is huge, there is one part that I cant figure out The only thing that looks weird to me is June 20 at 18:35. I logged in as root in the terminal to remove samba server as I did not know the package name. That did not work so I went in to mcc to remove it. It worked fine but around the same time I was doing this, I am unsure of the lines following like running: /bin/mountpoint -q /sys/fs/cgroup/systemd Detected systemd running. Using systemctl introspection. I have not seen these type of lines in any of my /var/log/messages.:

Code: Select all
Jun 20 18:35:01 localhost urpme: called with: samba
Jun 20 18:35:04 localhost drakconf.real[31503]: ### Program is starting ###
Jun 20 18:35:08 localhost rpmdrake[31519]: ### Program is starting ###
Jun 20 18:35:10 localhost rpmdrake[31519]: opening the RPM database
Jun 20 18:35:33 localhost drakxservices[31546]: ### Program is starting ###
Jun 20 18:35:33 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:33 localhost drakxservices[31546]: Detected systemd running. Using systemctl introspection.
Jun 20 18:35:33 localhost drakxservices[31546]: running: /bin/systemctl --full --all list-units
Jun 20 18:35:33 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled acpid.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled alsa-restore.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled alsa-store.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled avahi-daemon.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled colord.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled console-kit-daemon.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled console-kit-log-system-start.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled cpufreq.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled crond.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled cups.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled dbus.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled display-manager-failure.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled dracut-shutdown.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled emergency.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled fedora-autorelabel-mark.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled fedora-autorelabel.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled fedora-configure.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled fedora-loadmodules.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled fedora-readonly.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled fedora-storage-init-late.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled fedora-storage-init.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled fedora-wait-storage.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled fsck-root.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled halt-local.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled halt.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled hddtemp.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled hsqldb.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled ip6tables.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled iptables.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled irqbalance.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled killall.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled lm_sensors.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled mandi.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled mandriva-boot-links.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled mandriva-clean-var-run-lock.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled mandriva-everytime.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled mandriva-kmsg-loglevel.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled mandriva-save-dmesg.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled microcode_ctl.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled msec.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled mysqld.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled mythbackend.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled netconsole.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled network-auth.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled network-up.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled network.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled nfs-common.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled nfs-server.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled ntpd.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled ntpdate.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled numlock.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled partmon.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled plymouth-quit-wait.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled plymouth-quit.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled plymouth-read-write.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled plymouth-start.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled polkitd.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled poweroff.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled prefdm.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled preload.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled proc-bus-usb-setup.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled rc-local.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled reboot.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled remount-rootfs.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled rescue.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled resolvconf.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled rpcbind.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled rsyslog.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled sensord.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled shorewall.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled single.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled smartd.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled systemd-ask-password-console.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled systemd-ask-password-plymouth.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled systemd-ask-password-wall.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled systemd-binfmt.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled systemd-initctl.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled systemd-journald.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled systemd-logind.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled systemd-modules-load.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled systemd-random-seed-load.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled systemd-random-seed-save.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled systemd-readahead-collect.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled systemd-readahead-done.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled systemd-readahead-replay.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled systemd-remount-api-vfs.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled systemd-shutdownd.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled systemd-sysctl.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled systemd-tmpfiles-clean.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled systemd-tmpfiles-setup.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled systemd-update-utmp-runlevel.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled systemd-update-utmp-shutdown.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled systemd-user-sessions.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled systemd-vconsole-setup.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled udev-settle.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled udev-trigger.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled udev.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled udisks2.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled udisksd.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-enabled upowerd.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /sbin/chkconfig --list --type xinetd
Jun 20 18:35:34 localhost drakxservices[31546]: running: /sbin/chkconfig --list --type xinetd
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active acpid.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active alsa-restore.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active alsa-store.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active avahi-daemon.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active colord.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active console-kit-daemon.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active console-kit-log-system-start.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active cpufreq.service
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:34 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active crond.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active cups.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active dbus.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active display-manager-failure.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active dracut-shutdown.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active emergency.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active fedora-autorelabel.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active fedora-autorelabel-mark.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active fedora-configure.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active fedora-loadmodules.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active fedora-readonly.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active fedora-storage-init.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active fedora-storage-init-late.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active fedora-wait-storage.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active fsck-root.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active halt.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active halt-local.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active hddtemp.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active hsqldb.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active ip6tables.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active iptables.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active irqbalance.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active killall.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active lm_sensors.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active mandi.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active mandriva-boot-links.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active mandriva-clean-var-run-lock.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active mandriva-everytime.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active mandriva-kmsg-loglevel.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active mandriva-save-dmesg.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active microcode_ctl.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active msec.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active mysqld.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active mythbackend.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active netconsole.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active network.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active network-auth.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active network-up.service
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/mountpoint -q /sys/fs/cgroup/systemd
Jun 20 18:35:35 localhost drakxservices[31546]: running: /bin/systemctl --quiet is-active nfs-common.service
Jun 20 18:35:35 localhost rsyslogd-2177: imuxsock begins to drop messages from pid 31546 due to rate-limiting


I am unable to reproduce these lines by launching mcc. I run mythtv 24/7 on the machine. I have a firewall up excluding open ports for my hdhomeruns. I have a network hp printer. I do not see any attacks in my router log. Unhide brute showed 2 hiden processes. I don't have that log but I tried to cd /proc/psid of the processes and I was not able to enter the directory. I just ran unhide and got:

Code: Select all
unhide brute
Unhide 20110113
http://www.unhide-forensics.info
[*]Starting scanning using brute force against PIDS with fork()

Found HIDDEN PID: 12319 "  ... maybe a transitory process"
[*]Starting scanning using brute force against PIDS with pthread functions.


I just ran it again a few seconds after this run:

Code: Select all
Unhide 20110113
http://www.unhide-forensics.info
[*]Starting scanning using brute force against PIDS with fork()

[*]Starting scanning using brute force against PIDS with pthread functions


The PID changes on most runs of unhide. Most times it shows one or two hidden processes. But I am never able to enter the /proc/pid directory of the proccesses.

I have been unable to find any reports of this particular gaskit or /dev/dev unknown rootkits. I am trying to find out if these are false positives or if I have a real problem. Thanks for any and all help.
Last edited by ultratron on Jun 25th, '12, 04:34, edited 2 times in total.
ultratron
 
Posts: 12
Joined: Feb 13th, '12, 00:00
Top

Re: help with rkhunter possible rootkits

Postby ultratron » Jun 23rd, '12, 14:34

/dev/dev shows a 0KB file named resume@ and is a link to /sda6 which is my first swap partition.
ultratron
 
Posts: 12
Joined: Feb 13th, '12, 00:00
Top

Re: help with rkhunter possible rootkits

Postby ultratron » Jun 23rd, '12, 14:36

crontab -e shows it to be empty
ultratron
 
Posts: 12
Joined: Feb 13th, '12, 00:00
Top

Re: help with rkhunter possible rootkits

Postby isadora » Jun 24th, '12, 08:58

Very welcome to the Mageia fourum ultratron!!!!

To keep the forum readable we very much advise using code-tags.
These can be inserted by use of the "Full Editor"-button.
..........bird from paradise..........

Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away.
—Antoine de Saint-Exupéry
User avatar
isadora
 
Posts: 2766
Joined: Mar 25th, '11, 16:03
Location: Netherlands
Top

Re: help with rkhunter possible rootkits

Postby ultratron » Jun 24th, '12, 10:29

I did a full clean install on my other Mageia box (not the one in this post) and I ran rkhunter right after finishing install:

Code: Select all
rkhunter -c --rwo
Warning: GasKit Rootkit [ Warning ]
Directory '/dev/dev' found
Warning: The following processes are using suspicious files:
Command: anacron
UID: 0 PID: 1360
Pathname: /etc/crontab
Possible Rootkit: Unknown rootkit
Command: crond
UID: 0 PID: 697
Pathname: /etc/crontab
Possible Rootkit: Unknown rootkit
Warning: Found passwordless account in shadow file: xguest


This was a net install with a other desktop selected with no additional software categories selected. This strongly leads me to believe that this is a false positive, at least on that box. I am trying to confirm this as I do not want to reinstall my other box if it does not need to be. I will follow up with another fresh install to try and corner this issue. But I still would like any help or suggetions anyone might have. Thank you very much.
ultratron
 
Posts: 12
Joined: Feb 13th, '12, 00:00
Top

Re: help with rkhunter possible rootkits

Postby doktor5000 » Jun 24th, '12, 17:12

Well, i'd say those are bogus messages, as it only says "using suspicious files". anacron and crond surely need to use crontab, otherwise they won't work.
If you really want to persecute this issue, best ask rkhunter developers about this.

For the passwordless account, this is by design. xguest is the package for the guest account in Mageia, and why shouldn't the guest account be passwordless?
xguest sets this up in a way that it only uses a restricted shell and every change related to user settings in that account will not be permanent and will be wiped away and reset to defaults if you logout.
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 18056
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany
Top

Re: help with rkhunter possible rootkits

Postby ultratron » Jun 24th, '12, 17:24

Thank you for the explanation. It puts my mind to ease.
ultratron
 
Posts: 12
Joined: Feb 13th, '12, 00:00
Top
Post a reply

Return to Basic support

Who is online

Users browsing this forum: No registered users and 1 guest

Powered by phpBB® Forum Software © phpBB Group