Thread: suspicious files detected -- need help. :S

  1. #1
    Join Date
    Oct 2009
    Beans
    34

    suspicious files detected -- need help. :S

    Greetings all, recently LastPass was hacked. I only found out yesterday which kind of pulled me into a password changing frenzy. I also checked for key-loggers with chkrootkit and rkhunter (am I using the right tools?) -- I did get this feedback from chkrootkit:
    The following suspicious files and directories were found:
    /usr/lib/firefox-3.6.18/.autoreg /usr/lib/jvm/.java-6-openjdk.jinfo /usr/lib/pymodules/python2.6/.path /usr/lib/xulrunner-1.9.2.18/.autoreg
    Could someone help me out with this? I have no idea what I am looking at. I'll be doing some of my own research after supper.

    UPDATE 1
    Done supper, googling now.
    UPDATE 2
    No information about this on google. I'm wondering if it is suspicious at all...
    Last edited by TuLesto; July 19th, 2011 at 02:13 AM.

  2. #2
    Join Date
    May 2010
    Beans
    626
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: suspicious files detected -- need help. :S

    Surprised that I am the first, but rkhunter and chkrootkit are known for giving false positives. If it isn't documented on google as being part of an exploit, I wouldn't worry too much about it. If you really want to, check the type of file with the file command:

    Code:
    file  /usr/lib/firefox-3.6.18/.autoreg /usr/lib/jvm/.java-6-openjdk.jinfo  /usr/lib/pymodules/python2.6/.path /usr/lib/xulrunner-1.9.2.18/.autoreg
    Unless it is an executable file of some sort (like an ELF) or a script (check the permissions with `ls -l /usr/lib/firefox-3.6.18/.autoreg /usr/lib/jvm/.java-6-openjdk.jinfo /usr/lib/pymodules/python2.6/.path /usr/lib/xulrunner-1.9.2.18/.autoreg` minus the quotes), I probably wouldn't worry about it.
    Cipherboy

  3. #3
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,771
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: suspicious files detected -- need help. :S

    I agree with the poster above me; IMO it is a false positive.

  4. #4
    Join Date
    Oct 2009
    Beans
    34

    Re: suspicious files detected -- need help. :S

    Quote Originally Posted by cipherboy_loc
    Surprised that I am the first, but rkhunter and chkrootkit are known for giving false positives. If it isn't documented on google as being part of an exploit, I wouldn't worry too much about it. If you really want to, check the type of file with the file command:

    Code:
    file  /usr/lib/firefox-3.6.18/.autoreg /usr/lib/jvm/.java-6-openjdk.jinfo  /usr/lib/pymodules/python2.6/.path /usr/lib/xulrunner-1.9.2.18/.autoreg
    Unless it is an executable file of some sort (like an ELF) or a script (check the permissions with `ls -l /usr/lib/firefox-3.6.18/.autoreg /usr/lib/jvm/.java-6-openjdk.jinfo /usr/lib/pymodules/python2.6/.path /usr/lib/xulrunner-1.9.2.18/.autoreg` minus the quotes), I probably wouldn't worry about it.
    Cipherboy

    Wow, thanks! I'm glad somebody replied at all. It didn't seem like this thread was getting much attention. I appreciate your help very much and am glad that someone can back it up. Thanks again.

  5. #5
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: suspicious files detected -- need help. :S

    Rootkits and the tools to detect them are sophisticated, and only you can determine what is "normal" for your system.

    You need to know what these tools show you in a Known good installation.

    You need to know what packages you have installed. For example I do not have those files on my system at all, nor would I expect them based on the packages I have installed.

    See https://wiki.ubuntu.com/rkhunter and when you find warnings, use google to confirm or deny that they are a problem or a false alarm.

    If you are not going to do the foot work, do not bother to run the tools.

    All security tools, from snort to rkhunter, have rule sets to bring files or behavior to your attention for investigation.

    For example, if you use a packet sniffer, you can capture all your network packets. How then would you know which ones are a problem? Enter snort: snort filters through the thousands of packets and "alerts" you to those you should investigate.

    Rootkit detection is the same, only it applies to the files on your hard drive rather than network packets.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta
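Post #2's `file`/`ls -l` checks and post #5's point about knowing which packages own the flagged files, combined into one triage script. This is an added example, not code from the thread; it assumes a Debian/Ubuntu host with dpkg(1) (file(1) and stat(1) are used when present), and the chkrootkit output it parses is a constructed copy of the report in post #1.

```shell
#!/bin/sh
# Added triage helper for chkrootkit "suspicious files" warnings.
# Assumption: Debian/Ubuntu host, so dpkg -S can tell whether a package
# ships the path. file(1) and stat(1) are optional extras.

# Constructed sample of chkrootkit output, mirroring the thread's report.
SAMPLE_OUTPUT='The following suspicious files and directories were found:
/usr/lib/firefox-3.6.18/.autoreg /usr/lib/jvm/.java-6-openjdk.jinfo /usr/lib/pymodules/python2.6/.path /usr/lib/xulrunner-1.9.2.18/.autoreg'

# Print one path per line from the block that follows the chkrootkit header.
extract_paths() {
    printf '%s\n' "$1" | awk '
        /^The following suspicious files/ { grab = 1; next }
        grab && NF == 0                  { grab = 0 }
        grab                             { for (i = 1; i <= NF; i++) print $i }'
}

# Classify one flagged path. Output: STATUS <mode> <owner> <type> <path>
#   MISSING   - path no longer exists
#   OWNED:pkg - shipped by installed package pkg (dpkg -S found it)
#   UNOWNED   - exists but no package claims it: worth a closer look,
#               especially if the type is an ELF binary or a script
triage_path() {
    p=$1
    if [ ! -e "$p" ]; then
        echo "MISSING $p"
        return 0
    fi
    status=UNOWNED
    if command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$p" 2>/dev/null | head -n 1 | cut -d: -f1)
        [ -n "$pkg" ] && status="OWNED:$pkg"
    fi
    mode=$(stat -c '%A %U' "$p" 2>/dev/null || echo '? ?')
    kind=$(command -v file >/dev/null 2>&1 && file -b "$p" | cut -d, -f1 || echo unknown)
    echo "$status $mode $kind $p"
}

# Run the whole list from a chkrootkit report.
triage_report() {
    extract_paths "$1" | while read -r path; do
        triage_path "$path"
    done
}

triage_report "$SAMPLE_OUTPUT"
```

An OWNED result means the file is expected for that package; an UNOWNED executable or script is the case that merits real investigation.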
