MyTinFoilHat
January 16th, 2013, 03:52 AM
Hello and thanks for the stickies - as well as your patience and time. I have a lot to learn about Ubuntu Security, so I've been doing a lot of reading lately.
I'm posting for both chkrootkit and rkhunter here because results from both also have references to java and I have a general security question that covers both, in addition to a request for info/help.
I've just run chkrootkit and rkhunter. I got a couple of odd results (read: warnings and suspicious) in both and have prowled the threads for answers. I'm still left with questions...
PART 1: RKHUNTER
(I ran a full check earlier). Ran this for the post:
sudo rkhunter -c --rwo --summary
yielded the following results:
Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text
Warning: Suspicious file types found in /dev:
/dev/.udev/rules.d/root.rules: ASCII text
Warning: Hidden directory found: '/etc/.java'
Warning: Hidden directory found: '/dev/.udev'
Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'
System checks summary
=====================
File properties checks...
Files checked: 135
Suspect files: 1
Rootkit checks...
Rootkits checked : 292
Possible rootkits: 0
Applications checks...
All checks skipped
The system checks took: 53 seconds
All results have been written to the log file (/var/log/rkhunter.log)
I've seen several thread responses to the Ruby Script, pointing OP to using --propupd; that this is likely the result of distro changes.
QUESTION: How can the user (or in my case, me, as a novice) know that this is genuine and reliable? What steps can I take to verify this before I --propupd?
QUESTION: Should the hidden directories and file be any cause for alarm?
PART 2: CHKROOTKIT (TL;DR version)
A lot of "nothing found", "not infected", "no suspect files", etc. results, but I have no idea what to do with this information:
The following suspicious files and directories were found:
/usr/lib/jvm/.java-1.6.0-openjdk-amd64.jinfo
/usr/lib/jvm/.java-1.7.0-openjdk-amd64.jinfo
/usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit
/usr/lib/pymodules/python2.7/.path
Any info will be useful. Thank you to all who read and respond.
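One way to answer the first question ("how do I know /usr/bin/unhide.rb is genuine before I --propupd?") is to compare the flagged file against the checksum the package manager recorded when the package was installed, rather than trusting rkhunter's own database. The script below is an added example and is not part of the original post or of rkhunter/chkrootkit; it assumes a Debian/Ubuntu box where dpkg keeps per-package checksum lists in /var/lib/dpkg/info/<package>.md5sums, and the helper names verify_md5sums and check_path are mine.

```shell
#!/bin/sh
# Added example (not from the original post): verify files that rkhunter or
# chkrootkit flagged against the MD5 list dpkg stored at install time.

# verify_md5sums MD5SUMS_FILE [ROOT]
# Reads "<md5>  <path relative to ROOT>" lines (the dpkg .md5sums format),
# prints OK / MODIFIED / MISSING per file and returns 1 if anything is not OK.
# ROOT defaults to / ; a different ROOT lets you test against a scratch tree.
verify_md5sums() {
    sums="$1"
    root="${2:-/}"
    rc=0
    while read -r want rel; do
        [ -n "$rel" ] || continue
        f="${root%/}/$rel"
        if [ ! -f "$f" ]; then
            printf 'MISSING  %s\n' "$f"
            rc=1
            continue
        fi
        have=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$have" = "$want" ]; then
            printf 'OK       %s\n' "$f"
        else
            printf 'MODIFIED %s (expected %s, got %s)\n' "$f" "$want" "$have"
            rc=1
        fi
    done < "$sums"
    return $rc
}

# check_path PATH
# Finds the package that owns PATH with "dpkg -S", then verifies every file
# of that package. A path no package owns (e.g. /etc/.java, /dev/.udev, which
# are created at runtime, not installed from a .deb) is reported as UNOWNED
# so you know to inspect it by hand instead.
check_path() {
    p="$1"
    owner=$(dpkg -S "$p" 2>/dev/null | grep -v '^diversion' | head -n1 | sed 's/: .*//')
    if [ -z "$owner" ]; then
        echo "UNOWNED  $p  (no installed package owns it; inspect by hand)"
        return 2
    fi
    echo "$p belongs to package $owner"
    verify_md5sums "/var/lib/dpkg/info/$owner.md5sums" /
}

# Usage on the system from the post (run as root or with sudo):
#   check_path /usr/bin/unhide.rb
#   check_path /usr/lib/jvm/.java-1.7.0-openjdk-amd64.jinfo
```

If check_path reports OK for /usr/bin/unhide.rb, the "replaced by a script" warning is just the packaged file differing from the fingerprint rkhunter stored earlier, and running --propupd afterwards is reasonable. The packaged equivalent of this loop is debsums (debsums -c lists only changed files). Two caveats a practitioner would keep in mind: the .md5sums list is written by dpkg at install time, so it only catches changes made after installation, and it lives on the same disk as the file being checked; for a stronger check re-download the package with apt-get download and compare the file from the fresh .deb. For the hidden-directory warnings, rkhunter.conf has ALLOWHIDDENDIR, ALLOWHIDDENFILE and ALLOWDEVFILE entries for exactly these udev and initramfs paths, and SCRIPTWHITELIST for commands that are legitimately scripts; whitelisting a path there is better than silencing the check.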