Problems with rootkits

Started by eduardory, 25 August 2010, 15:59


eduardory

I installed rkhunter on my Ubuntu 10.4 and ran a check, and this came up:
Warning: Suspicious file types found in /dev:
         /dev/shm/pulse-shm-936414828: COM executable for DOS
         /dev/shm/pulse-shm-225158475: data
         /dev/shm/pulse-shm-3855249895: data
         /dev/shm/pulse-shm-2400955990: data
         /dev/shm/pulse-shm-1879171192: data
Warning: Hidden directory found: /etc/.java
Warning: Hidden directory found: /dev/.udev
Warning: Hidden directory found: /dev/.initramfs

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
Then I tried to open the log, but it said I didn't have the permission needed to open that file. Should I worry? How can I remove the possible rootkit?

JoseMelo

Quote: Should I worry?
No.

Quote: How can I remove the possible rootkit?
It is not a rootkit.

See more: http://ubuntuforums.org/showthread.php?p=4908163
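
The warnings in the first post are the usual benign set on a 10.04 desktop: the pulse-shm-* files are PulseAudio's shared-memory segments (file(1) labels one of them "COM executable for DOS" only because its first bytes happen to match that magic), and /dev/.udev, /dev/.initramfs and /etc/.java are created by udev, initramfs-tools and Java's system preferences store. That still has to be confirmed on the machine in question (for instance `sudo lsof /dev/shm/pulse-shm-*` should show pulseaudio as the owner, and the log itself is root-only, so `sudo less /var/log/rkhunter.log`) before telling rkhunter to stop reporting them. The script below is an added example, not from this thread or from rkhunter: it parses the warnings as posted (a constructed excerpt, with one invented extra entry, /dev/shm/unknown-segment, to show that a specific allow list still lets new items through), checks them against a verified-benign list written in rkhunter.conf's ALLOWHIDDENDIR/ALLOWDEVFILE syntax using shell glob matching, and prints whitelist lines for whatever remains.

```shell
#!/bin/sh
# Split rkhunter warnings into "already identified as benign" and "needs a
# look", and emit rkhunter.conf whitelist lines. Added example, not from the
# thread or from rkhunter. WARNINGS is constructed from the first post plus
# one invented entry (/dev/shm/unknown-segment); ALLOW is the list you would
# write only after checking each item by hand.

WARNINGS='Warning: Suspicious file types found in /dev:
         /dev/shm/pulse-shm-936414828: COM executable for DOS
         /dev/shm/pulse-shm-225158475: data
         /dev/shm/unknown-segment: ELF 64-bit LSB executable
Warning: Hidden directory found: /etc/.java
Warning: Hidden directory found: /dev/.udev
Warning: Hidden directory found: /dev/.initramfs'

# Verified-benign list in rkhunter.conf syntax. The option names are
# rkhunter's; the matching below is shell glob matching, not rkhunter's own.
ALLOW='ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENDIR=/dev/.udev
ALLOWHIDDENDIR=/dev/.initramfs
ALLOWDEVFILE=/dev/shm/pulse-shm-*'

# Reduce the warning text to one "kind path" record per line, e.g.
#   hiddendir /etc/.java
#   devfile /dev/shm/pulse-shm-936414828
warning_records() {   # $1 = warning text
    printf '%s\n' "$1" | sed -n \
        -e 's/^.*Hidden directory found: \(\/[^ ]*\).*$/hiddendir \1/p' \
        -e 's/^[[:space:]]*\(\/dev\/[^:]*\):.*$/devfile \1/p'
}

# Return 0 if the path matches an ALLOW<KIND>= pattern of its kind.
allowed() {   # $1 = kind (hiddendir|devfile), $2 = path, $3 = allow text
    key=$(printf '%s' "$1" | tr 'a-z' 'A-Z')          # hiddendir -> HIDDENDIR
    printf '%s\n' "$3" | sed -n "s/^ALLOW$key=//p" | (
        while IFS= read -r pat; do
            case "$2" in $pat) exit 0 ;; esac          # unquoted: glob match
        done
        exit 1
    )
}

# Records not covered by the allow list: what still needs investigating.
unexplained() {   # $1 = warning text, $2 = allow text
    warning_records "$1" | while read -r kind path; do
        allowed "$kind" "$path" "$2" || echo "$kind $path"
    done
}

# Whitelist lines for every record, one exact path each. Paste into
# /etc/rkhunter.conf ONLY for entries you have identified yourself.
suggest_allow() {   # $1 = warning text
    warning_records "$1" | while read -r kind path; do
        case "$kind" in
            hiddendir) echo "ALLOWHIDDENDIR=$path" ;;
            devfile)   echo "ALLOWDEVFILE=$path" ;;
        esac
    done
}

unexplained "$WARNINGS" "$ALLOW"    # what the allow list does not cover
```

Keeping the directory entries exact and the PulseAudio pattern narrow is what keeps the check useful: anything new under /dev or any other hidden directory still produces a warning. Check the comments in your /etc/rkhunter.conf for which options accept wildcards before copying the generated lines over.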

eduardory

;D I was already getting worried, I'm still a beginner with Ubuntu.

AAPPRR

There are several topics about root here on the forum; I don't know which one is the most appropriate.

I'm a little worried about this line [14:14:57] /usr/bin/sudo                                     [ Warning ]

[14:14:57] /usr/bin/sudo                                     [ Warning ]
[14:14:57] Warning: The file properties have changed:
[14:14:57]          File: /usr/bin/sudo
[14:14:57]          Current hash: 28282f23881b53b83b8accc9cc050ff033db973e
[14:14:57]          Stored hash : e14fc0a01a7f3ada1530a55cbcc34b9b4d041f7d
[14:14:57]          Current inode: 1048986    Stored inode: 1049719
[14:14:57]          Current file modification time: 1283287154 (31-Ago-2010 17:39:14)
[14:14:57]          Stored file modification time : 1276893615 (18-Jun-2010 17:40:15)


[14:14:35] Running Rootkit Hunter version 1.3.6 on c3p0-desktop
[14:14:35]
[14:14:35] Info: Start date is Sáb Set 18 14:14:35 BRT 2010
[14:14:35]
[14:14:35] Checking configuration file and command-line options...
[14:14:35] Info: Detected operating system is 'Linux'
[14:14:35] Info: Found O/S name: Ubuntu 10.04.1 LTS
[14:14:35] Info: Command line is /usr/bin/rkhunter --check
[14:14:35] Info: Environment shell is /bin/bash; rkhunter is using dash
[14:14:35] Info: Using configuration file '/etc/rkhunter.conf'
[14:14:35] Info: Installation directory is '/usr'
[14:14:35] Info: Using language 'en'
[14:14:36] Info: Using '/var/lib/rkhunter/db' as the database directory
[14:14:36] Info: Using '/usr/share/rkhunter/scripts' as the support script directory
[14:14:36] Info: Using '/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin /usr/X11R6/bin /bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/libexec /usr/local/libexec' as the command directories
[14:14:36] Info: Using '/' as the root directory by default
[14:14:36] Info: Using '/var/lib/rkhunter/tmp' as the temporary directory
[14:14:36] Info: No mail-on-warning address configured
[14:14:36] Info: X will be automatically detected
[14:14:36] Info: Using second color set
[14:14:36] Info: Found the 'basename' command: /usr/bin/basename
[14:14:36] Info: Found the 'diff' command: /usr/bin/diff
[14:14:36] Info: Found the 'dirname' command: /usr/bin/dirname
[14:14:36] Info: Found the 'file' command: /usr/bin/file
[14:14:36] Info: Found the 'find' command: /usr/bin/find
[14:14:36] Info: Found the 'ifconfig' command: /sbin/ifconfig
[14:14:36] Info: Found the 'ip' command: /sbin/ip
[14:14:36] Info: Found the 'ldd' command: /usr/bin/ldd
[14:14:36] Info: Found the 'lsattr' command: /usr/bin/lsattr
[14:14:36] Info: Found the 'lsmod' command: /sbin/lsmod
[14:14:36] Info: Found the 'lsof' command: /usr/bin/lsof
[14:14:36] Info: Found the 'mktemp' command: /bin/mktemp
[14:14:36] Info: Found the 'netstat' command: /bin/netstat
[14:14:36] Info: Found the 'perl' command: /usr/bin/perl
[14:14:36] Info: Found the 'pgrep' command: /usr/bin/pgrep
[14:14:36] Info: Found the 'ps' command: /bin/ps
[14:14:36] Info: Found the 'pwd' command: /bin/pwd
[14:14:36] Info: Found the 'readlink' command: /bin/readlink
[14:14:36] Info: Found the 'sort' command: /usr/bin/sort
[14:14:36] Info: Found the 'stat' command: /usr/bin/stat
[14:14:36] Info: Found the 'strings' command: /usr/bin/strings
[14:14:36] Info: Found the 'uniq' command: /usr/bin/uniq
[14:14:36] Info: System is not using prelinking
[14:14:36] Info: Using the '/usr/bin/sha1sum' command for the file hash checks
[14:14:36] Info: Stored hash values used hash function '/usr/bin/sha1sum'
[14:14:36] Info: Stored hash values did not use a package manager
[14:14:36] Info: The hash function field index is set to 1
[14:14:36] Info: No package manager specified: using hash function '/usr/bin/sha1sum'
[14:14:36] Info: Previous file attributes were stored
[14:14:37] Info: Enabled tests are: all
[14:14:37] Info: Disabled tests are: suspscan hidden_procs deleted_files packet_cap_apps apps
[14:14:37] Info: Found ksym file '/proc/kallsyms'
[14:14:37] Info: Using 'date' to process epoch second times.
[14:14:37]
[14:14:37] Checking if the O/S has changed since last time...
[14:14:37] Info: Nothing seems to have changed
[14:14:37] Info: Locking is not being used
[14:14:37]
[14:14:37] Starting system checks...

AAPPRR

Quote from: AAPPRR on 18 September 2010, 14:45
There are several topics about root here on the forum; I don't know which one is the most appropriate.

I'm a little worried about this line [14:14:57] /usr/bin/sudo                                     [ Warning ]

[14:17:10] System checks summary
[14:17:10] =====================
[14:17:10]
[14:17:10] File properties checks...
[14:17:10] Files checked: 132
[14:17:10] Suspect files: 1
[14:17:10]
[14:17:10] Rootkit checks...
[14:17:10] Rootkits checked : 242
[14:17:10] Possible rootkits: 0
[14:17:10]
[14:17:10] Applications checks...
[14:17:10] All checks skipped
[14:17:10]
[14:17:10] The system checks took: 2 minutes and 33 seconds
[14:17:10]
[14:17:10] Info: End date is Sáb Set 18 14:17:10 BRT 2010
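
A changed hash, inode and modification time on /usr/bin/sudo, with the rootkit signature checks all clean, is exactly the footprint a package upgrade leaves, so the first thing to check is whether dpkg upgraded sudo at the time of the new mtime. The script below is an added example, not from this thread or from rkhunter: it parses the warning block quoted above (embedded as a constructed excerpt using the values from the post), converts the epoch mtime to a date with integer arithmetic so it does not depend on GNU `date -d`, and looks for a matching `upgrade sudo` entry in a constructed dpkg.log excerpt (the version strings there are illustrative, and the path-to-package mapping is hardcoded where a live system would use `dpkg -S`).

```shell
#!/bin/sh
# Triage an rkhunter "file properties have changed" warning against dpkg.log.
# Added example, not from the thread or from rkhunter. RKH_LOG is a
# constructed excerpt built from the values quoted in the post; DPKG_LOG is a
# constructed excerpt whose version strings are illustrative only.

RKH_LOG='[14:14:57] /usr/bin/sudo                                     [ Warning ]
[14:14:57] Warning: The file properties have changed:
[14:14:57]          File: /usr/bin/sudo
[14:14:57]          Current hash: 28282f23881b53b83b8accc9cc050ff033db973e
[14:14:57]          Stored hash : e14fc0a01a7f3ada1530a55cbcc34b9b4d041f7d
[14:14:57]          Current inode: 1048986    Stored inode: 1049719
[14:14:57]          Current file modification time: 1283287154 (31-Ago-2010 17:39:14)
[14:14:57]          Stored file modification time : 1276893615 (18-Jun-2010 17:40:15)'

DPKG_LOG='2010-08-31 17:39:10 upgrade sudo 1.7.2p1-1ubuntu5 1.7.2p1-1ubuntu5.1
2010-08-31 17:39:14 status installed sudo 1.7.2p1-1ubuntu5.1
2010-09-02 09:12:44 upgrade libc6 2.11.1-0ubuntu7.2 2.11.1-0ubuntu7.3'

# Value after "<label>:" on the first matching line; $1 = log text, $2 = label.
rkh_field() {
    printf '%s\n' "$1" | sed -n "s/^.*$2[[:space:]]*:[[:space:]]*\([^ ]*\).*$/\1/p" | head -n 1
}

# Epoch seconds -> UTC YYYY-MM-DD using integer arithmetic only (the
# civil-from-days algorithm), so the check does not depend on GNU date -d.
epoch_to_date() {   # $1 = epoch seconds
    days=$(( $1 / 86400 ))
    z=$(( days + 719468 ))
    era=$(( z / 146097 ))
    doe=$(( z - era * 146097 ))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    y=$(( yoe + era * 400 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 ))
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    if [ "$mp" -lt 10 ]; then m=$(( mp + 3 )); else m=$(( mp - 9 )); y=$(( y + 1 )); fi
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# Package owning a path. On a live system: dpkg -S "$1" | cut -d: -f1.
# Offline, an assumed mapping covering the path in this thread.
owner_of() {
    case "$1" in
        /usr/bin/sudo|/usr/bin/sudoedit) echo sudo ;;
        *) echo unknown ;;
    esac
}

# Verdict: "explained <file> <pkg> <day>" when dpkg.log records an upgrade
# of the owning package on the day of the new mtime, otherwise "unexplained".
triage() {   # $1 = rkhunter log text, $2 = dpkg log text
    file=$(rkh_field "$1" 'File')
    cur=$(rkh_field "$1" 'Current hash')
    old=$(rkh_field "$1" 'Stored hash')
    mtime=$(rkh_field "$1" 'Current file modification time')
    if [ -z "$file" ] || [ "$cur" = "$old" ]; then
        echo "nothing-to-triage"; return 0
    fi
    day=$(epoch_to_date "$mtime")
    pkg=$(owner_of "$file")
    # dpkg.log stamps are local time while $day is UTC: an upgrade close to
    # midnight can land on the adjacent day, so widen the search by hand.
    if printf '%s\n' "$2" | grep -q "^$day [0-9:]* upgrade $pkg "; then
        echo "explained $file $pkg $day"
    else
        echo "unexplained $file $pkg $day"
    fi
}

triage "$RKH_LOG" "$DPKG_LOG"
```

On a live system, feed it `sudo cat /var/log/rkhunter.log` and /var/log/dpkg.log instead of the embedded excerpts, and confirm the binary against the package contents with `debsums -c sudo` (or by hashing the file from the .deb fetched from the archive) before running `sudo rkhunter --propupd` to accept the new properties. An "explained" verdict from dpkg.log alone is weak evidence: dpkg.log, the debsums md5 lists and rkhunter's property database all live on the same disk as the binary, so anyone who already has root could rewrite all of them; the .deb from the archive is the only reference here that the machine itself cannot tamper with.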