This is a discussion on rkhunter Help!!!! within the Linux Networking forums, part of the Linux Forums category.
Bonjour,
Hello, I had this message with rkhunter:

<code>
Line: -e [ Warning! ]
----------------------------------------------------------------
[07:41:14] WARNING, found /dev/.static (directory) /dev/.udev (directory) /dev/.initramfs (directory) /etc/.java (directory)
----------------------------------------------------------------
If you're unsure about the result above, please contact the author of Rootkit Hunter.
Fill in contact form: http://www.rootkit.nl/contact/
Some errors has been found while chicking. Please perform a manual check on this machine
********
</code>

What should I do (what am I supposed to check, and how)? Is it a mistake? Do I have a rootkit or any security problem?

On 19 Feb 2007, in the Usenet newsgroup comp.os.linux.networking, in article
<1171882458.782897.245440@p10g2000cwp.googlegroups.com>, slourty wrote:

>I had this message with rkhunter:

Did you review what this "tool" is doing, or are you hoping that it is a
magic tool that may find malware?

>[07:41:14] WARNING, found /dev/.static (directory) /dev/.udev
>(directory) /dev/.initramfs (directory) /etc/.java (directory)

OK - let's start with the obvious. What distribution is this? What
release? (try 'cat /etc/*release /etc/*version'). What is the system
used for - home workstation? Internet server? What version of rkhunter?

Directories that begin with a dot (.) are somewhat suspicious, as they
won't show in a directory listing unless you include the '-a' or '-A'
option to 'ls'. Did you create these directories? Do they belong to some
application? Does your package manager tell you what package they belong
to? What is inside these directories?

>If you're unsure about the result above, please contact the author of
>Rootkit Hunter. Fill in contact form: http://www.rootkit.nl/contact/

Have you done that?

>Some errors has been found while chicking. Please perform a manual
>check on this machine ********

'rkhunter' and the somewhat comparable 'chkrootkit' are windoze wannabe
"tools" that look for signs that were found in old root kits. For
example, they look for a file named "/tmp/.../a" or "/tmp/.../r" and if
they find that, they declare that you are infected with the 55808.A worm.
If you think this is good testing, think also that the rootkit author has
only to rename the file to "/tmp/.../b" to defeat this test.

Most (if not all) posts that I have seen of people reporting finding
problems with rkhunter and chkrootkit have been false alarms. Given the
ease in defeating many of the tests, only the poorest root kit should
be found. Nonetheless, those directories are of concern and should
be investigated. However, much more details are needed for someone to
offer help/explanations to you.

>What should I do

Do those directories belong there? Are they innocent?

>(what am I suppose to check and how?)?

Depends on your distribution

>it is a mistake? Do have I a rootkit or any secority problem?

Possibly - but we don't have enough information to say.

Old guy
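The check Moe Trin suggests above (list the dot-prefixed entries, then ask the package manager whether it knows them) written out as a script. This is an added example, not code posted in the thread; it assumes a Debian-family system where `dpkg -S` is available (on other systems the owner column reads "dpkg-unavailable"), and the function names and script name are my own.

```shell
#!/bin/sh
# Added example (not from the thread): enumerate hidden (dot-prefixed)
# entries directly under the directories rkhunter flagged, and report
# which package, if any, owns each one. Assumes dpkg (Debian/Ubuntu).

# list_hidden DIR
#   Print every entry directly under DIR whose name starts with a dot,
#   one per line, skipping "." and "..". Dangling symlinks are kept,
#   since a stray link is as worth a look as a stray directory.
list_hidden() {
    dir=$1
    for entry in "$dir"/.[!.]* "$dir"/..?*; do
        # an unmatched glob is left literal by the shell; skip it
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        printf '%s\n' "$entry"
    done
}

# owner_of PATH
#   Print the package that ships PATH according to "dpkg -S" (first
#   match only), or "unowned" when no package lists it. Unowned entries
#   under /dev or /etc are the ones that deserve a manual look.
owner_of() {
    if ! command -v dpkg >/dev/null 2>&1; then
        echo "dpkg-unavailable"
        return 0
    fi
    pkg=$(dpkg -S "$1" 2>/dev/null | head -n 1 | cut -d: -f1)
    if [ -n "$pkg" ]; then
        echo "$pkg"
    else
        echo "unowned"
    fi
}

# kind_of PATH -> "link", "dir", "file" or "other" (checked in that order,
#   so a symlink to a directory reports as "link")
kind_of() {
    if   [ -L "$1" ]; then echo link
    elif [ -d "$1" ]; then echo dir
    elif [ -f "$1" ]; then echo file
    else echo other
    fi
}

# report_hidden DIR...
#   One tab-separated line per hidden entry: path, type, owning package.
report_hidden() {
    for dir in "$@"; do
        list_hidden "$dir" | while IFS= read -r entry; do
            printf '%s\t%s\t%s\n' "$entry" "$(kind_of "$entry")" "$(owner_of "$entry")"
        done
    done
}

# Usage (hypothetical script name): sh check_hidden.sh /dev /etc
if [ $# -gt 0 ]; then
    report_hidden "$@"
fi
```

An "unowned" directory is not proof of anything by itself (udev and the initramfs create their state directories at boot rather than shipping them in a package), but it tells you which entries the package manager cannot vouch for and therefore need the manual inspection the thread asks for.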

On 19 Feb, 20:33, ibupro...@painkiller.example.tld (Moe Trin) wrote:
> On 19 Feb 2007, in the Usenet newsgroup comp.os.linux.networking, in article
> <1171882458.782897.245...@p10g2000cwp.googlegroups.com>, slourty wrote:
> >I had this message with rkhunter:
>
> Did you review what this "tool" is doing, or are you hoping that it is a
> magic tool that may find mal-ware?

It is a "magic tool that finds malware", but maybe you know a better way...

> >[07:41:14] WARNING, found /dev/.static (directory) /dev/.udev
> >(directory) /dev/.initramfs (directory) /etc/.java (directory)
>
> OK - let's start with the obvious. What distribution is this?

I am on Ubuntu, the home workstation 6.10; everything is up to date, and I use it a little bit for an Apache server and ssh with, I think, a big password (12 letters).

> What release? (try 'cat /etc/*release /etc/*version'). What is the system
> used for - home workstation? Internet server?

<code>
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=6.10
DISTRIB_CODENAME=edgy
DISTRIB_DESCRIPTION="Ubuntu 6.10"
testing/unstable
</code>

I use it as a server and a workstation, but it is the workstation version I use.

> What version of rkhunter?

Rootkit Hunter 1.2.8

> Directories that begin with a dot (.) are somewhat suspicious, as they
> won't show in a directory listing unless you include the '-a' or '-A'
> option to 'ls'. Did you create these directories?
> Do they belong to some application? Does your package manager tell you what package
> they belong to?

No, but just before, an apt-get asked me to run "apt-get autoremove" because it said there were some files not used; these files were "Eclipse's files".

> What is inside these directories?

<code>
kb@kb-desktop:~$ cd /dev/.
./  ../  .initramfs/  .static/  .udev/
kb@kb-desktop:~$ ls -a /dev/.static/
.  ..  dev
kb@kb-desktop:~$ ls -a /dev/.static/dev/
.         i2c-5    mixer3      ram6      rfcomm26  scd16      sg8      tty
..        i2c-6    mpu401data  ram7      rfcomm27  scd2       sg9      tty0
agpgart   i2c-7    mpu401stat  ram8      rfcomm28  scd3       shm      tty1
apm_bios  kmem     null        ram9      rfcomm29  scd4       smpte0   tty2
audio     loop0    parport0    random    rfcomm3   scd5       smpte1   tty3
audio1    loop1    parport1    raw1394   rfcomm30  scd6       smpte2   tty4
audio2    loop2    parport2    rfcomm0   rfcomm31  scd7       smpte3   tty5
audio3    loop3    port        rfcomm1   rfcomm4   scd8       sndstat  tty6
audioctl  loop4    ppp         rfcomm10  rfcomm5   scd9       sr0      tty7
ccub0     loop5    ptmx        rfcomm11  rfcomm6   sequencer  sr1      tty8
ccub1     loop6    pts         rfcomm12  rfcomm7   sg0        sr10     tty9
ccub2     loop7    ram         rfcomm13  rfcomm8   sg1        sr11     ttyUB0
ccub3     MAKEDEV  ram0        rfcomm14  rfcomm9   sg10       sr12     ttyUB1
console   mem      ram1        rfcomm15  rmidi0    sg11       sr13     ttyUB2
core      midi0    ram10       rfcomm16  rmidi1    sg12       sr14     ttyUB3
dsp       midi00   ram11       rfcomm17  rmidi2    sg13       sr15     urandom
dsp1      midi01   ram12       rfcomm18  rmidi3    sg14       sr16     vhci
dsp2      midi02   ram13       rfcomm19  scd0      sg15       sr2      xconsole
dsp3      midi03   ram14       rfcomm2   scd1      sg16       sr3      zero
full      midi1    ram15       rfcomm20  scd10     sg2        sr4
i2c-0     midi2    ram16       rfcomm21  scd11     sg3        sr5
i2c-1     midi3    ram2        rfcomm22  scd12     sg4        sr6
i2c-2     mixer    ram3        rfcomm23  scd13     sg5        sr7
i2c-3     mixer1   ram4        rfcomm24  scd14     sg6        sr8
i2c-4     mixer2   ram5        rfcomm25  scd15     sg7        sr9
kb@kb-desktop:~$ ls -a /dev/.udev/
.  ..  db  failed  uevent_seqnum
</code>

[uevent_seqnum is an empty file]

<code>
kb@kb-desktop:~$ ls -a /dev/.udev/db/
.                      class@dvb@dvb0.frontend0     class@sound@pcmC1D1c
..                     class@dvb@dvb0.net0          class@sound@pcmC1D1p
block@hda              class@input@input0@event0    class@sound@seq
block@hda@hda1         class@input@input1@event1    class@sound@timer
block@hda@hda2         class@input@input2@event2    class@usb_device@usbdev1.1
block@hda@hda5         class@input@input3@event3    class@usb_device@usbdev1.3
block@hdb              class@input@input3@mouse0    class@usb_device@usbdev2.1
block@hdb@hdb1         class@input@input3@ts0       class@usb_device@usbdev3.1
block@hdb@hdb2         class@input@mice             class@usb_device@usbdev4.1
block@hdb@hdb5         class@sound@controlC0        class@video4linux@radio0
block@hdc              class@sound@controlC1        class@video4linux@vbi0
block@hdd              class@sound@pcmC0D0c         class@video4linux@video0
class@dvb@dvb0.demux0  class@sound@pcmC1D0c
class@dvb@dvb0.dvr0    class@sound@pcmC1D0p
kb@kb-desktop:~$ ls -a /dev/.udev/failed/
.                                devices@pnp0@00:00  devices@pnp0@00:07
..                               devices@pnp0@00:02  devices@pnp0@00:09
devices@pci0000:00@0000:00:06.4  devices@pnp0@00:03  devices@pnp0@00:0a
devices@platform@i8042@serio1    devices@pnp0@00:06
kb@kb-desktop:~$ ls -a /etc/.java/
.  ..  .systemPrefs
kb@kb-desktop:~$ ls -a /etc/.java/.systemPrefs/
.  ..  .system.lock  .systemRootModFile
</code>

[Empty files]

> >If you're unsure about the result above, please contact the author of
> >Rootkit Hunter. Fill in contact form: http://www.rootkit.nl/contact/
>
> Have you done that?

Not yet; if I can't find what it is now, I will do that.

> >Some errors has been found while chicking. Please perform a manual
> >check on this machine ********
>
> 'rkhunter' and the some-what comparable 'chkrootkit' are windoze wannabe
> "tools" that look for signs that were found in old root kits. For
> example, they look for a file named "/tmp/.../a" or "/tmp/.../r" and if
> they find that, they declare that you are infected with the 55808.A worm.
> If you think this is good testing, think also that the rootkit author has
> only to rename the file to "/tmp/.../b" to defeat this test.

Yes, of course, so the only way to know if I am infected is to check the log file and whether the connection is not too slow.

> Most (if not all) posts that I have seen of people reporting finding
> problems with rkhunter and chkrootkit have been false alarms. Given the
> ease in defeating many of the tests, only the poorest root kit should
> be found. None the less, those directories are of concern and should
> be investigated. However, much more details are needed for someone to
> offer help/explanations to you.
>
> >What should I do
>
> Do those directories belong there? Are they innocent?

I really don't know!

> >(what am I suppose to check and how?)?
>
> Depends on your distribution
>
> >it is a mistake? Do have I a rootkit or any secority problem?
>
> Possibly - but we don't have enough information to say.
>
> Old guy

Thank you for your help

Slourty

On 20 Feb 2007, in the Usenet newsgroup comp.os.linux.networking, in article
<1171962134.047280.127840@t69g2000cwt.googlegroups.com>, slourty wrote:

>ibupro...@painkiller.example.tld (Moe Trin) wrote:

>It is a "magic tool that find mal-ware" but maybe you know a better
>way...

Actually, it isn't. It's a tool to see if some signs of old exploits are
present. I would not depend on it.

>I am on Ubuntu it is the home worstation 6.10, everything is up to
>date, and I use it a little bit for apache server and ssh with I think
>a big password (12 letters).

OK, I'm not using Ubuntu, so I'm not an expert in it. Have you looked at
the Changelog file for Debian-specific information? Also, you may want
to look at the alt.os.linux.ubuntu newsgroup (I'm not sure if
google.groups is carrying it) and the Ubuntu mailing lists. See their
web site for details.

>> What version of rkhunter?
>Rootkit Hunter 1.2.8

That release (as well as 1.2.9, which replaced it nearly five months ago)
doesn't have keys for Ubuntu, so that really does raise the number of
false alarms possible. Looking at the changelog, the 1.2.8 version is
dated 24/02/2006, which is eight months before your distribution was
released.

>>
>No, but just before to do an apt-get ask me to do write "apt-get
>autoremove" because it said there is some files not used, this files
>was "Eclipse's files".

I'm assuming you are replying to my question "Did you create these
directories? Do they belong to some application? Does your package
manager tell you what package they belong to?" I'm not familiar with
Eclipse, but this is starting to sound like more of a false alarm.

>> What is inside these directories?
>kb@kb-desktop:~$ cd /dev/.
>./ ../ .initramfs/ .static/ .udev/

I'd hope that an Ubuntu expert can confirm this, but to me, this looks
acceptable.

>kb@kb-desktop:~$ ls -a /etc/.java/
>. .. .systemPrefs
>kb@kb-desktop:~$ ls -a /etc/.java/.systemPrefs/
>. .. .system.lock .systemRootModFile [Empty files]

Does apt tell you that this is OK?

>>
>not yet, if I can't find what is it now I will do that

I'm guessing you are responding to my question of 'did you contact the
rkhunter author'.

>>
>Yes of course, so the only way to know if I am infected is to check
>log file and if the connexion is not to slow

I don't know what you are answering here. Log files can only be trusted
if you know that no one has been able to alter them. "Nothing in the
logs" could mean "no problem" as well as "someone has been here, and
erased the details from the logs".

>>
>I really don't know

I don't know what you are responding to here.

Old guy

slourty wrote:
> ----------------------------------------------------------------
>
> [07:41:14] WARNING, found /dev/.static (directory) /dev/.udev
> (directory) /dev/.initramfs (directory) /etc/.java (directory)
>

Debian Sid also has those directories... don't worry