
Thread: No chkrootkit.log file, cannot open rkhunter.log

  1. #1
    Join Date
    Sep 2015
    Beans
    18

    No chkrootkit.log file, cannot open rkhunter.log

    I just installed 15.04 amd-64.

    This is what chkrootkit -q showed:

    Code:
    root@Computer99:~# chkrootkit -q
    /usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit
    /lib/modules/3.19.0-15-generic/vdso/.build-id
    /lib/modules/3.19.0-26-generic/vdso/.build-id
    /lib/modules/3.19.0-15-generic/vdso/.build-id
    /lib/modules/3.19.0-26-generic/vdso/.build-id
    eth0: PACKET SNIFFER(/sbin/dhclient (deleted)[835])
    user milo deleted or never logged from lastlog!
    The tty of the following user process(es) were not found in /var/run/utmp !
    ! RUID          PID TTY    CMD
    ! root          859 tty7   /usr/bin/X -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch

    1) There is no chkrootkit log file
    2) I cannot open the rkhunter.log file
    3) unhide -v checksysinfo gives:

    Code:
    root@Computer99:~# unhide -v checksysinfo
    Unhide 20121229
    Copyright © 2012 Yago Jesus & Patrick Gouin
    License GPLv3+ : GNU GPL version 3 or later
    http://www.unhide-forensics.info

    NOTE : This version of unhide is for systems using Linux >= 2.6

    Used options: verbose
    [*]Searching for Hidden processes through sysinfo() scanning

    WARNING : info.procs changed during test : 447 (was 445)
    WARNING : info.procs changed during test : 445 (was 447)
    1 HIDDEN Processes Found
    sysinfo.procs reports 445 processes and ps sees 446 processes
    root@Computer99:~#

    Questions:
    1) am I owned?
    2) how do I find the hidden process?

    I am in Thailand, and last year I saw that updating Ubuntu from here made DNS poisoning begin. So today I used a VPN into Europe to download the iso, verified the SHA256 and MD5, and had better luck than before getting rkhunter, clamav, and chkrootkit to work. But still, I have one bad guy inside my machine, I bet.
    Lastly) is there a better product for scanning for rootkits on my OS? Thank you!

  2. #2
    Join Date
    Sep 2015
    Beans
    18

    rkhunter file is locked

    How can I open my locked RKhunter file? At least it is there.

  3. #3
    Join Date
    Sep 2015
    Beans
    18

    Is this bad? Results for unhide

    Results of unhide:

    Code:
    Searching for Hidden processes through sysinfo() scanning
    WARNING : info.procs changed during test : 447 (was 445)
    WARNING : info.procs changed during test : 445 (was 447)
    1 HIDDEN Processes Found
    sysinfo.procs reports 445 processes and ps sees 446 processes
    How can I find and eliminate this hidden process?
    Last edited by Bucky Ball; September 8th, 2015 at 06:33 AM. Reason: Added code tags.

  4. #4
    Join Date
    Sep 2015
    Beans
    18

    Chkrootkit says these are suspicious files. Are they?

    /usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit
    /lib/modules/3.19.0-15-generic/vdso/.build-id /lib/modules/3.19.0-26-generic/vdso/.build-id
    /lib/modules/3.19.0-15-generic/vdso/.build-id /lib/modules/3.19.0-26-generic/vdso/.build-id

  5. #5
    Join Date
    Apr 2006
    Location
    Europe, Germany
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Chkrootkit says these are suspicious files. Are they?

    They are most probably false-positives.

    Chkrootkit reports all hidden files (filenames starting with a dot) in /usr/lib, /usr/man and /lib.
    There usually aren't that many hidden files in those directories, but there are some.

    The first is shipped in python-qt4.
    The others are part of the kernel image packages.

    Also, if you look, the first file is even empty, so I'm pretty sure, there's nothing dangerous there.
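    One way to confirm the reply's point for yourself, as an added example that is not part of the thread: check that each file chkrootkit flagged is owned by a Debian/Ubuntu package and still matches the checksum dpkg recorded when the package was installed. The script assumes the dpkg layout (/var/lib/dpkg/info/<package>.md5sums) and coreutils md5sum; the demo at the end uses a constructed file and checksum list so it runs without dpkg.

```shell
#!/bin/sh
# Verify a file flagged as "hidden" against the owning package's md5sums.
# Example code added to this thread; not from chkrootkit or dpkg.

# verify_md5sums FILE MD5SUMS_FILE -> prints ok | modified | not-listed
# Entries in a .md5sums file read "<md5>  <path without leading slash>".
verify_md5sums() {
    file="$1"; sums="$2"
    rel="${file#/}"
    expected=$(awk -v p="$rel" '$2 == p { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then echo "not-listed"; return 0; fi
    actual=$(md5sum "$file" | awk '{ print $1 }')
    if [ "$expected" = "$actual" ]; then echo "ok"; else echo "modified"; fi
}

# check_flagged FILE: look up the owning package with dpkg -S, then verify.
# Directories (like the vdso/.build-id entries) have no checksum to compare.
check_flagged() {
    file="$1"
    if [ -d "$file" ]; then echo "$file: directory, nothing to checksum"; return 0; fi
    pkg=$(dpkg -S "$file" 2>/dev/null | sed 's/: .*//' | head -n 1)   # keeps arch suffix, e.g. libc6:amd64
    if [ -z "$pkg" ]; then echo "$file: not owned by any package"; return 1; fi
    printf '%s: %s (%s)\n' "$file" \
        "$(verify_md5sums "$file" "/var/lib/dpkg/info/$pkg.md5sums")" "$pkg"
}

# Offline demo with a constructed file and md5sums list (no dpkg needed):
# first unmodified, then after the file has been altered.
demo() {
    dir=$(mktemp -d)
    printf 'shipped content\n' >"$dir/.noinit"
    md5sum "$dir/.noinit" | sed 's#  /#  #' >"$dir/pkg.md5sums"   # drop leading slash as dpkg does
    first=$(verify_md5sums "$dir/.noinit" "$dir/pkg.md5sums")
    printf 'tampered\n' >>"$dir/.noinit"
    second=$(verify_md5sums "$dir/.noinit" "$dir/pkg.md5sums")
    rm -rf "$dir"
    echo "$first $second"
}
```

On a live system run `check_flagged /usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit`; `dpkg -S` output for diverted files is not handled.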

  6. #6
    Join Date
    Apr 2006
    Location
    Europe, Germany
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Is this bad? Results for unhide

    Did you try running unhide again? Are the results reproducible?

    Again, considering one of your other threads, I can tell you that it's not trivial to infiltrate an Ubuntu system, especially if you've hash-checked your installation image.

    First thing, stop working in a root shell all the time.
    It's a good thing to use sudo most of the time, because it's a constant reminder that you're doing things with system-wide permissions.
    When you're working in a root shell, it's IMHO much easier to forget that you're root and run commands which shouldn't be run as root.

    The APT update process is pretty secure, since the package lists and the packages themselves are GPG signed.
    So even if someone interfered in your connection to the update servers (maybe using a MITM attack), your system would detect a mismatch in the signatures of the compromised packages.

    It's good that you're wary of potential security threats, but the things you've reported in your various threads over the last hours present no real danger to the integrity of your system.

    Also see my answer(s) on your other threads for explanations of the results you've encountered.
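    To answer the reproducibility question systematically, here is an added example (not from the thread or the unhide project) that classifies one `unhide -v checksysinfo` run from its output and can repeat the real tool several times. A result reported while unhide itself says `info.procs changed during test` was taken while the process table was moving, which is different from a discrepancy that holds still across runs; the sample output is the one quoted earlier in this thread.

```shell
#!/bin/sh
# Triage output of `unhide checksysinfo`: separate a stable hidden-process
# finding from one observed while the process count was changing.
# Example code added to the thread, not part of unhide.

# classify_unhide OUTPUT -> "clean", "racy:<sysinfo>:<ps>" or "hidden:<sysinfo>:<ps>"
classify_unhide() {
    out="$1"
    hidden=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*\([0-9][0-9]*\) HIDDEN Processes Found.*/\1/p')
    counts=$(printf '%s\n' "$out" | sed -n 's/.*sysinfo.procs reports \([0-9]*\) processes and ps sees \([0-9]*\) processes.*/\1:\2/p')
    if [ -z "$hidden" ] || [ "$hidden" -eq 0 ]; then
        echo clean
    elif printf '%s\n' "$out" | grep -q 'info.procs changed during test'; then
        echo "racy:$counts"      # count moved between samples: re-run before trusting it
    else
        echo "hidden:$counts"    # consistent discrepancy: worth a closer look
    fi
}

# unhide_repeat N: run the real tool N times (needs root) and print one verdict
# per run, so you can see whether the finding reproduces.
unhide_repeat() {
    n="${1:-5}"
    command -v unhide >/dev/null 2>&1 || { echo "unhide not installed" >&2; return 2; }
    i=0
    while [ "$i" -lt "$n" ]; do
        classify_unhide "$(sudo unhide -v checksysinfo 2>&1)"
        i=$((i + 1))
    done
}

# Constructed sample: the run quoted earlier in this thread.
SAMPLE='[*]Searching for Hidden processes through sysinfo() scanning
WARNING : info.procs changed during test : 447 (was 445)
WARNING : info.procs changed during test : 445 (was 447)
1 HIDDEN Processes Found
sysinfo.procs reports 445 processes and ps sees 446 processes'

demo_verdict() { classify_unhide "$SAMPLE"; }
```

Five "racy" verdicts in a row say nothing about rootkits; a "hidden" verdict that repeats with the same counts is what merits a look at the process list.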

  7. #7
    Join Date
    Nov 2012
    Location
    Halloween Town
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    Re: No chkrootkit.log file, cannot open rkhunter.log

    Threads merged.

    Please do not create multiple threads, it dilutes the community’s efforts to provide support and causes confusion.

  8. #8

    Re: No chkrootkit.log file, cannot open rkhunter.log

    I typically use directives like these in /etc/rkhunter.conf (and a Good Read, so PLEASE DO)
    Code:
    ALLOWDEVFILE=/dev/.udev/rules.d/root.rules
    ALLOWHIDDENDIR=/etc/.java
    ALLOWHIDDENDIR=/etc/.udev
    ALLOWHIDDENFILE=/dev/.initramfs
    SCRIPTWHITELIST=/usr/sbin/adduser
    SCRIPTWHITELIST=/usr/bin/ldd
    SCRIPTWHITELIST=/usr/bin/lwp-request
    SCRIPTWHITELIST=/bin/which
    APP_WHITELIST="openssl:1.0.1f gpg:1.4.11 sshd:5.9p1"
    You can test the config
    Code:
    rkhunter --config-check
    You can write a log anywhere using
    Code:
    rkhunter -c -sk -l /path/to/file.log
    chkrootkit? meh, don't use it. Not updated enough. </opinion>
    chkrootkit 0.49 is now available! (Release Date: Thu Jul 30 2009)
    chkrootkit 0.50 is now available! (Release Date: Wed Jun 4 2014)

    unhide warnings from rkhunter are a non-issue. Happens on brand spanking new systems with rkhunter's default.conf
    Once you are certain as can be your system (I wouldn't include chkrootkit results in this decision) is ok as it is, run
    Code:
    rkhunter --propupd
    then re-run
    Code:
    rkhunter -c -sk -l /path/to/file.log
    check the output for "Warning:" messages.

    Let us know.
    Windows assumes the user is an idiot.
    Linux demands proof.
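    The sequence in the post above, wrapped into a script as an added example (not part of rkhunter or the thread): validate the config, run the checks with the log written where you choose, then pull out the Warning lines. The sample log at the end is constructed in rkhunter's style, not a real scan, and shows the two kinds of warning that SCRIPTWHITELIST and ALLOWHIDDENFILE are there to silence.

```shell
#!/bin/sh
# rkhunter workflow helper: config check, scan to a chosen log, list warnings.
# Example code added to the thread, not part of rkhunter.

# rkhunter_warnings LOGFILE -> prints each "Warning:" line with its line number
rkhunter_warnings() {
    [ -r "$1" ] || { echo "cannot read $1; if it was written by root, read it with sudo" >&2; return 2; }
    grep -n 'Warning:' "$1" || true
}

# warning_count LOGFILE -> number of Warning lines (0 when the log is clean)
warning_count() {
    grep -c 'Warning:' "$1" || true
}

# rkhunter_scan LOGFILE: the sequence from the post. Run --propupd only after
# you are satisfied the current files are legitimate, because it records their
# current properties as the new baseline for future scans.
rkhunter_scan() {
    log="$1"
    command -v rkhunter >/dev/null 2>&1 || { echo "rkhunter not installed" >&2; return 2; }
    sudo rkhunter --config-check || return 1
    sudo rkhunter -c -sk -l "$log"
    echo "$(warning_count "$log") warning(s) in $log"
    rkhunter_warnings "$log"
}

# Constructed sample log in rkhunter's style (not output of a real scan).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
[10:15:02] Info: Checking if commands have been replaced by scripts
[10:15:03] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script
[10:15:04] Info: Checking for hidden files and directories
[10:15:04] Warning: Hidden file found: /dev/.initramfs
[10:15:05] Info: The system checks took: 3 seconds
EOF

demo_count() { warning_count "$SAMPLE_LOG"; }
```

Each remaining warning should be explained by a package you installed or a directive you added deliberately; anything else is the thing to investigate before running --propupd.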

  9. #9
    Join Date
    Sep 2015
    Beans
    18

    Re: Is this bad? Results for unhide

    Thanks for your reply. I don't often work in a root shell, but I did here.

    Yes, the results are reproducible.

  10. #10
    Join Date
    Sep 2015
    Beans
    18

    Re: No chkrootkit.log file, cannot open rkhunter.log

    I appreciate your help here. I'll run those commands.
