
Thread: Chkrootkit warning

  1. #1
    Join Date
    Oct 2006
    Beans
    Hidden!

    Question Chkrootkit warning

    When I run chkrootkit in 12.04 I get a warning I have never seen before. It is located in /var/run/utmp.
    Checking `chkutmp'... The tty of the following user process(es) were not found
    in /var/run/utmp !
    ! RUID PID TTY CMD
    ! root 1198 tty7 /usr/bin/X :0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch -background none
    Is this a new type of security issue or a false positive?

  2. #2
    Join Date
    Aug 2009
    Location
    Under the stairs.
    Beans
    1,408
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Chkrootkit warning

    That is simply a false positive. That's all you will ever get, as getting a rootkit is highly unlikely to happen.....relax/play...this is Linux.
    Dell Inspiron 1764 Laptop, Intel Core™ i5 520M, 4GB Shared Dual Channel DDR3 at 1066MHz, 512MB ATI Mobility Radeon™ HD4330 Integrated Intel HD.

  3. #3
    Join Date
    Jul 2008
    Location
    The Left Coast of the USA
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: Chkrootkit warning

    Don't be so cavalier about security.

    Rootkits can and do appear in Linux environments. It is particularly possible if you have been "socially engineered" into installing something malicious when using elevated privileges. An untrusted source or "something cool I found on the internet" can both make you vulnerable.

    Assuming that we are somehow "safe" from the dangers of the world by virtue of using Linux is foolhardy. We should be every bit as vigilant as Windows users. Linux invulnerability is a myth.

    Use chkrootkit. If you get a hit, ask or google. If it's a false positive, better safe than sorry.

  4. #4
    Join Date
    Aug 2009
    Location
    Under the stairs.
    Beans
    1,408
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Chkrootkit warning

    Quote Originally Posted by QIII View Post
    Don't be so cavalier about security.

    Rootkits can and do appear in Linux environments. It is particularly possible if you have been "socially engineered" into installing something malicious when using elevated privileges. An untrusted source or "something cool I found on the internet" can both make you vulnerable.

    Assuming that we are somehow "safe" from the dangers of the world by virtue of using Linux is foolhardy. We should be every bit as vigilant as Windows users. Linux invulnerability is a myth.

    Use chkrootkit. If you get a hit, ask or google. If it's a false positive, better safe than sorry.
    I wasn't being cavalier, I was speaking from experience. In 15 years of working with Unix/Linux and working with people working on Linux, neither I nor anyone else I know or work with has ever gotten a virus or rootkit. While I know it's not impossible, I merely stated it was very unlikely.

  5. #5
    Join Date
    Jul 2008
    Location
    The Left Coast of the USA
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: Chkrootkit warning

    Nobody you know does not mean nobody.

    It can and does happen. Hence, a tool to check for it.

    I've been at this for 35 years going back to Unix. I've learned a hard lesson or two.

  6. #6
    Join Date
    Aug 2009
    Beans
    Hidden!

    Re: Chkrootkit warning

    Regardless of intent a lot of people on everything from fora to mailing lists think they should decide for others what is good and what is not. Instead, and in keeping with the Fish vs Fishing Rod thingie, it would be better to say that if this is a FP then it is often caused by processes, commonly associated with logging in, that haven't written to utmp yet.

    Those practicing forensics at whatever level know evidence gathering should be step one in case of suspicion and those even fleetingly familiar with security know it requires a multi-layered approach, meaning not just running a single post-incident auditing tool.

  7. #7
    Join Date
    Mar 2008
    Location
    Seattle, WA
    Beans
    23
    Distro
    Ubuntu 7.04 Feisty Fawn

    Re: Chkrootkit warning

    Hey all,

    I got these four replies with rkhunter and chkroot:

    /usr/bin/unhide.rb [ Warning ]
    Checking for passwd file changes [ Warning ]
    Checking for group file changes [ Warning ]
    Checking for hidden files and directories [ Warning ]

    Anyone know what I should do to deal with these? Does this mean I have a rootkit installed?

    Thanks

  8. #8
    Join Date
    Sep 2011
    Beans
    1,531

    Re: Chkrootkit warning

    Quote Originally Posted by MattressVon View Post
    Hey all,

    I got these four replies with rkhunter and chkroot:

    /usr/bin/unhide.rb [ Warning ]
    Checking for passwd file changes [ Warning ]
    Checking for group file changes [ Warning ]
    Checking for hidden files and directories [ Warning ]

    Anyone know what I should do to deal with these? Does this mean I have a rootkit installed?

    Thanks
    If you're going to use rkhunter & chkroot, then you need to learn how to understand the warnings. Check the documentation as you will get lots of false positives. Google is probably your best bet- google the warnings you get and you'll find lots of information out there.

    As for a few of the warnings you listed, I found them in this thread which indicated they're nothing to worry about:

    http://ubuntuforums.org/showthread.php?t=1928115&page=2

  9. #9
    Join Date
    Mar 2012
    Beans
    142

    Re: Chkrootkit warning

    Hi, I'm sorry that I'm writing in this topic, but I think my problem is similar. Yesterday I launched chkrootkit to check some things. Everything seems to be fine, but I'm wondering about this:
    Code:
    Checking `chkutmp'...  The tty of the following user process(es) were not found in /var/run/utmp !
    ! RUID          PID TTY    CMD 
    ! kleenex        3816 pts/0  bash 
    ! kleenex        5146 pts/0  sudo chkrootkit 
    ! root         5147 pts/0  /bin/sh /usr/sbin/chkrootkit 
    ! root         5782 pts/0  ./chkutmp 
    ! root         5784 pts/0  ps axk tty,ruser,args -o tty,pid,ruser,args 
    ! root         5783 pts/0  sh -c ps axk "tty,ruser,args" -o "tty,pid,ruser,args"
    Is it normal? There is so much information about chkrootkit and e.g. chkutmp on the network, and I'm so confused and amazed. Is it a record of what actions were taken by chkrootkit (./chkutmp etc.)? Or is it something else? In the utmp man page we can read that "The utmp file allows one to discover information about who is currently using the system." etc. Okay, that sounds nice. As we can see, in my case there are only two users (me, kleenex, and root). The next entries, like PID and CMD, seem to me to be related to chkrootkit's Checking `chkutmp'... scan.

    Generally, could anybody tell me what's going on?
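    The point made in post #6 (the warning fires for processes whose tty never got a utmp record, such as the X server on tty7 or a terminal emulator that does not register its pty) and the listing in post #9 both come down to one comparison: the tty of every process in `ps` is looked up in the sessions recorded in /var/run/utmp. The script below reproduces that comparison on constructed data so the reader can see why each line in the listing above gets flagged. It is an added example, not chkrootkit's own chkutmp code or anything posted in this thread. It assumes glibc's 384-byte `struct utmp` layout on x86_64 (the layout differs on 32-bit builds), it matches on the tty name only, which is a simplification of what chkutmp does, and the utmp records and `ps` output it uses are constructed inline rather than captured from a real machine.

```python
"""Reproduce the check behind chkrootkit's chkutmp warning (added example,
not chkrootkit's own code). Every process attached to a tty is looked up in
the utmp sessions; a tty with no USER_PROCESS record is reported."""
import struct
from dataclasses import dataclass

# ASSUMPTION: glibc's struct utmp layout on x86_64 (384 bytes per record),
# field order as in utmp(5): ut_type, ut_pid, ut_line, ut_id, ut_user,
# ut_host, ut_exit, ut_session, ut_tv, ut_addr_v6, padding.
UTMP_STRUCT = struct.Struct("<h2xi32s4s32s256shhiii4i20x")
USER_PROCESS = 7    # ut_type of a normal logged-in session
LOGIN_PROCESS = 6   # ut_type of a getty waiting for a login


@dataclass
class UtmpEntry:
    ut_type: int
    pid: int
    line: str   # tty name without /dev/, e.g. "pts/0" or "tty7"
    user: str


@dataclass
class PsProc:
    tty: str
    pid: int
    user: str
    cmd: str


def build_utmp_record(ut_type, pid, line, user):
    """Pack one utmp record (used here only to construct sample data)."""
    return UTMP_STRUCT.pack(ut_type, pid, line.encode(), b"", user.encode(),
                            b"", 0, 0, 0, 0, 0, 0, 0, 0, 0)


def parse_utmp(blob):
    """Decode every fixed-size record in a utmp blob."""
    entries = []
    for off in range(0, len(blob) - UTMP_STRUCT.size + 1, UTMP_STRUCT.size):
        fields = UTMP_STRUCT.unpack_from(blob, off)
        ut_type, pid, line, _ut_id, user = fields[:5]
        entries.append(UtmpEntry(ut_type, pid,
                                 line.split(b"\0", 1)[0].decode(),
                                 user.split(b"\0", 1)[0].decode()))
    return entries


def parse_ps(text):
    """Parse the output of `ps axk tty,ruser,args -o tty,pid,ruser,args`,
    the command visible in the chkutmp listing posted above."""
    procs = []
    for lineno, raw in enumerate(text.strip().splitlines()):
        if lineno == 0:          # column header line
            continue
        tty, pid, user, cmd = raw.split(None, 3)
        procs.append(PsProc(tty, int(pid), user, cmd))
    return procs


def find_unlisted(entries, procs):
    """Return processes on a tty that has no user session in utmp.
    ASSUMPTION: matches on tty name only, a simplification of chkutmp."""
    known = {e.line for e in entries if e.ut_type == USER_PROCESS}
    return [p for p in procs if p.tty != "?" and p.tty not in known]


# ---- constructed sample data (not captured from a real machine) ----
SAMPLE_UTMP = (
    build_utmp_record(LOGIN_PROCESS, 900, "tty1", "LOGIN")
    + build_utmp_record(USER_PROCESS, 2500, "pts/1", "kleenex")
)
SAMPLE_PS = """\
TT         PID RUSER    COMMAND
?            1 root     /sbin/init
tty7      1198 root     /usr/bin/X :0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7
pts/1     2500 kleenex  bash
pts/0     3816 kleenex  bash
pts/0     5146 kleenex  sudo chkrootkit
"""


def demo():
    """Run the comparison on the sample data and print it chkutmp-style."""
    flagged = find_unlisted(parse_utmp(SAMPLE_UTMP), parse_ps(SAMPLE_PS))
    for p in flagged:
        print(f"! {p.user:<8} {p.pid:>6} {p.tty:<6} {p.cmd}")
    return flagged


if __name__ == "__main__":
    demo()
```

    On the sample data the X server on tty7 and both processes on pts/0 are reported, while the bash on pts/1 is not, because pts/1 is the only tty with a USER_PROCESS record. That is the whole story behind the warning: it tells you a tty is in use without a login record, which is normal for a display manager's X server and for terminal emulators that do not write utmp, and it says nothing on its own about hidden processes. To check a live system, replace SAMPLE_UTMP with the bytes of /var/run/utmp and SAMPLE_PS with the real `ps` output, then compare what is reported against the sessions you know you opened.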

  10. #10
    Join Date
    Feb 2010
    Location
    White Plume Mountain
    Beans
    8,233
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Chkrootkit warning

    Thread is almost a year old and inactive. Please start a new thread on your topic.

    Thread Closed.
    Thank you for your contributions. "So long and thanks for the fish!"
