sslug-teknik team mailing list archive

Thread
Date

chkrootkit: suspicious files

To: sslug-teknik@xxxxxxxx
From: Jørgen Heesche <heesche@xxxxxxxxxxx>
Date: Wed, 30 Jun 2004 09:21:37 +0000
Delivered-to: mailing list sslug-teknik@xxxxxxxx
Mailing-list: contact sslug-teknik-help@xxxxxxxx; run by ezmlm
Newsgroups: sslug.teknik
Organization: SSLUG
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20030925

Check for rootkits med scriptet chkrootkit viser 'not infected' eller'nothing found' hele vejen igennem, bortset fra flg.

Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Video/ivtv/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Video/Frequencies/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Config/IniFiles/.packlist
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Tk/.packlist

Det drejer sig om filer vedr. perlmodulerne
 Video::ivtv, Video::Frequencies og Config::IniFiles

Hvordan kan disse filer være suspekte?
F.eks. filen */Frequencies/.packlist har dette indhold:
/usr/lib/perl5/site_perl/5.8.0/Video/Frequencies.pm
/usr/share/man/man3pm/Video::Frequencies.3pm
Hvorfor skulle det være mistænkeligt?

Med venlig hilsen
Jørgen Heesche

Follow ups

Re: chkrootkit: suspicious files
From: Peter Makholm, 2004-06-30