Concern about rootkits

Started by simon, 10 August 2008, 19:45


simon

I am very concerned about my computer's security, so I always use clamscan, chkrootkit and rkhunter. I never find any threat, but the last time I ran rkhunter some messages appeared that worried me.

[18:40:07] /bin/ip                                           [ Warning ]
[18:40:07] Warning: The file properties have changed:
[18:40:07]          File: /bin/ip
[18:40:07]          Current inode: 4136961    Stored inode: 1237039
[18:40:07]          Current file modification time: 1215621293
[18:40:07]          Stored file modification time : 1207985280
[18:40:07] /bin/kill                                         [ Warning ]
[18:40:07] Warning: The file properties have changed:
[18:40:07]          File: /bin/kill
[18:40:07]          Current hash: 84e9b211a9a8b630da0421714d393fbc849922ea
[18:40:07]          Stored hash : e0baf2e8f195d5f58ba1d6253d152c5da35fea92
[18:40:07]          Current inode: 1237039    Stored inode: 1237041
[18:40:07]          Current file modification time: 1215682145
[18:40:07]          Stored file modification time : 1205449373
[18:40:08] /bin/ps                                           [ Warning ]
[18:40:08] Warning: The file properties have changed:
[18:40:08]          File: /bin/ps
[18:40:08]          Current hash: e2a3f61272faa77bcf5560e2d16333f4a960d676
[18:40:08]          Stored hash : 585c1ea7e99a8c0bc5a0701c307b8f6bb7593200
[18:40:08]          Current inode: 1237055    Stored inode: 1237077
[18:40:08]          Current file modification time: 1215682145
[18:40:08]          Stored file modification time : 1205449373
[18:40:09] /bin/which                                        [ Warning ]
[18:40:09] Warning: The command '/bin/which' has been replaced by a script: /bin/which: POSIX shell script text executable
[18:40:10] /usr/bin/awk                                      [ Warning ]
[18:40:10] Warning: The file properties have changed:
[18:40:10]          File: /usr/bin/awk
[18:40:10]          Current hash: 22d642d0b17926f529007e87ceb285526d49e40a
[18:40:10]          Stored hash : f9807021dcaf8bde78ec91a2d5fe32f806572eb9
[18:40:12] /usr/bin/groups                                   [ Warning ]
[18:40:12] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: POSIX shell script text executable
[18:40:12] /usr/bin/ldd                                      [ Warning ]
[18:40:12] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script text executable
[18:40:15] /usr/bin/top                                      [ Warning ]
[18:40:15] Warning: The file properties have changed:
[18:40:15]          File: /usr/bin/top
[18:40:16]          Current hash: b4cf2a58383c07c23bb012a63b2608b82b3d6c40
[18:40:16]          Stored hash : 38c45e2dc5972a8177f364bbb81c6e246817a934
[18:40:16]          Current inode: 3303578    Stored inode: 3302409
[18:40:16]          Current file modification time: 1215682145
[18:40:16]          Stored file modification time : 1205449373
[18:40:16] /usr/bin/vmstat                                   [ Warning ]
[18:40:16] Warning: The file properties have changed:
[18:40:16]          File: /usr/bin/vmstat
[18:40:16]          Current hash: ac7946f2f2021ca52aae91db9844de1c3651e0e4
[18:40:16]          Stored hash : b0ddafbaa624a5a9cce0667ada94a4f084e94a9e
[18:40:16]          Current inode: 3304103    Stored inode: 3302484
[18:40:16]          Current file modification time: 1215682145
[18:40:16]          Stored file modification time : 1205449373
[18:40:16] /usr/bin/w                                        [ Warning ]
[18:40:16] Warning: The file properties have changed:
[18:40:16]          File: /usr/bin/w
[18:40:17]          Current hash: cacc1a2b6f692350301516a0e380e18ffa901cd9
[18:40:17]          Stored hash : 17aad0b16c5cc7f079784ce8b0436654325de29d
[18:40:17] /usr/bin/watch                                    [ Warning ]
[18:40:17] Warning: The file properties have changed:
[18:40:17]          File: /usr/bin/watch
[18:40:17]          Current hash: 78dfee98aa89089b102a100665c1352b15bedfbf
[18:40:17]          Stored hash : 0c484585d78e62e691adf4d32f55dd877e2f5c7c
[18:40:17]          Current inode: 3304104    Stored inode: 3302493
[18:40:17]          Current file modification time: 1215682145
[18:40:17]          Stored file modification time : 1205449373
[18:40:18] /usr/bin/gawk                                     [ Warning ]
[18:40:18] Warning: The file '/usr/bin/gawk' exists on the system, but it is not present in the rkhunter.dat file.
[18:40:18] /usr/bin/lwp-request                              [ Warning ]
[18:40:18] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: perl script text executable
[18:40:18] /usr/bin/w.procps                                 [ Warning ]
[18:40:18] Warning: The file properties have changed:
[18:40:18]          File: /usr/bin/w.procps
[18:40:18]          Current hash: cacc1a2b6f692350301516a0e380e18ffa901cd9
[18:40:18]          Stored hash : 17aad0b16c5cc7f079784ce8b0436654325de29d
[18:40:18]          Current inode: 3304153    Stored inode: 3302489
[18:40:18]          Current file modification time: 1215682145
[18:40:18]          Stored file modification time : 1205449373
[18:40:19] /sbin/ip                                          [ Warning ]
[18:40:19] Warning: The file properties have changed:
[18:40:19]          File: /sbin/ip
[18:40:19]          Current inode: 1818719    Stored inode: 1818681
[18:40:19]          Current file modification time: 1217711634
[18:40:19]          Stored file modification time : 1212864242
[18:40:20] /sbin/sysctl                                      [ Warning ]
[18:40:20] Warning: The file properties have changed:
[18:40:20]          File: /sbin/sysctl
[18:40:20]          Current hash: 9ff13a7b24c9ef73cc8bf3577c97b77a40d3c1d2
[18:40:21]          Stored hash : a490b16d64f78bf8108e50a6b46d0e43d500d6ad
[18:40:21]          Current inode: 1818681    Stored inode: 1818774
[18:40:21]          Current file modification time: 1215682145
[18:40:21]          Stored file modification time : 1205449373
[18:40:21] /usr/sbin/adduser                                 [ Warning ]
[18:40:21] Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: perl script text executable

I booted the live CD and verified that the files that had been replaced by scripts were also scripts on the live CD's filesystem. But I don't know what the messages about the files whose properties changed mean. I would like someone to help me assess the computer's security with regard to the files whose properties changed, or to explain to me what these messages mean so that I can check what is happening myself.
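As an added illustration (not code from the thread), a small Python parser for the rkhunter output format quoted above: it groups the warnings per file, separates real hash changes from inode/mtime-only changes, and lists files that share one current modification time, which is the trace a single package upgrade leaves behind. The sample excerpt reuses values from the post; the debsums / rpm -V / rkhunter --propupd commands are an assumption about the reader's distribution.

```python
import re
from datetime import datetime, timezone

# Constructed excerpt in the same format as the rkhunter output quoted above (values as posted).
SAMPLE = """\
[18:40:07] /bin/kill                                         [ Warning ]
[18:40:07] Warning: The file properties have changed:
[18:40:07]          File: /bin/kill
[18:40:07]          Current hash: 84e9b211a9a8b630da0421714d393fbc849922ea
[18:40:07]          Stored hash : e0baf2e8f195d5f58ba1d6253d152c5da35fea92
[18:40:07]          Current file modification time: 1215682145
[18:40:07]          Stored file modification time : 1205449373
[18:40:08] /bin/ps                                           [ Warning ]
[18:40:08]          Current file modification time: 1215682145
[18:40:08]          Stored file modification time : 1205449373
[18:40:09] /bin/which                                        [ Warning ]
[18:40:09] Warning: The command '/bin/which' has been replaced by a script: /bin/which: POSIX shell script text executable
"""

HEAD = re.compile(r"^\[[\d:]+\] (/\S+)\s+\[ Warning \]")
PROP = re.compile(r"^\[[\d:]+\]\s+(Current|Stored) (hash|file modification time)\s*:\s*(\S+)")

def parse_rkhunter(text):
    """Group the warning lines per file: {path: {"kind": ..., "Current hash": ..., ...}}."""
    files, cur = {}, {}  # cur: record of the file whose warning block we are inside
    for line in text.splitlines():
        if m := HEAD.match(line):
            cur = files.setdefault(m.group(1), {"kind": "properties"})
        elif "replaced by a script" in line:
            cur["kind"] = "script"
        elif p := PROP.match(line):
            cur[f"{p.group(1)} {p.group(2)}"] = p.group(3)  # e.g. "Stored hash"
    return files

def hash_changed(rec):
    """False when only inode/mtime were reported: the file contents did not change."""
    return rec.get("Current hash") != rec.get("Stored hash")

def same_mtime_groups(files):
    """Paths sharing one current mtime: the fingerprint of a single package upgrade."""
    groups = {}
    for path, rec in files.items():
        if ts := rec.get("Current file modification time"):
            when = datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
            groups.setdefault(when, []).append(path)
    return {t: p for t, p in groups.items() if len(p) > 1}

if __name__ == "__main__":
    for when, paths in same_mtime_groups(parse_rkhunter(SAMPLE)).items():
        print(f"{paths} all written at {when}: check them against the package manager (debsums / rpm -V) before running rkhunter --propupd")
```

In the full output above, ps, top, vmstat, watch, w.procps, kill and sysctl all carry the same current mtime 1215682145 (10 July 2008), so the parser would report one group; a matching package-manager verification is what tells a legitimate update apart from a replaced binary.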