
Subject: Bug#479187: marked as forwarded chkrootkit report all files as suspicious, without whitespace
From: Debian Bug Tracking System
Date: Sun, 04 May 2008 09:15:06 +0000
Your message dated Sun, 4 May 2008 21:11:19 +1200
with message-id <[email protected]>
has caused the report #479187,
regarding chkrootkit report all files as suspicious, without whitespace
to be marked as having been forwarded to the upstream software
author(s) [email protected]

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
479187: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=479187
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Subject: Fwd: chkrootkit report all files as suspicious, without whitespace
From: Francois Marier
Date: Sun, 4 May 2008 21:11:19 +1200
Hi Nelson,

Juergen reported the following problem with the latest version of
chkrootkit.

Is there anything that could be done to help track the problem down?

Cheers,
Francois

----- Forwarded message from Juergen Kosel <[email protected]> -----

Package: chkrootkit
Version: 0.48-2
Severity: important

Hello,

after upgrading chkrootkit to 0.48-2 it now generates the following output:

The following suspicious files and directories were found:
/usr/lib/jvm/.java-gcj.jinfo /usr/lib/icedove/.autoreg
/usr/lib/iceweasel/.autoreg /usr/lib/xulrunner/.autoreg
/usr/lib/electric/.cadrc /lib/init/rw/.ramfs


//bin/bin/arch/bin/ash/bin/bash/bin/bunzip2/bin/busybox/bin/bzcat/bin/bzcmp/bin/bzdiff/bin/bzegrep/bin/bzexe/bin/bzfgrep/bin/bzgrep/bin/bzip2/bin/bzip2recover/bin/bzless/bin/bzmore/bin/cat/bin/chgrp/bin/chmod/bin/chown/bin/con2fbmap/bin/cp/bin/cpio/bin/csh/bin/dash/bin/date/bin/dd/bin/df/bin/dir/bin/dmesg/bin/dnsdomainname/bin/echo/bin/ed/bin/egrep/bin/false/bin/fbset/bin/fgconsole/bin/fgrep/bin/fuser/bin/grep/bin/gunzip/bin/gzexe/bin/gzip/bin/hostname/bin/ip/bin/kernelversion/bin/kill/bin/ksh/bin/ln/bin/loadkeys/bin/login/bin/ls/bin/lsmod/bin/lsmod.modutils/bin/lspci/bin/mkdir/bin/mknod/bin/mktemp/bin/modeline2fb/bin/more/bin/mount/bin/mountpoint/bin/mt/bin/mt-gnu/bin/mv/bin/nc/bin/netcat/bin/netstat/bin/pdksh/bin/pidof/bin/ping/bin/ping6/bin/ps/bin/pwd/bin/rbash/bin/readlink/bin/rm/bin/rmdir/bin/run-parts/bin/rzsh/bin/sed/bin/setpci/bin/setserial/bin/sh/bin/sleep/bin/stty/bin/su/bin/sync/bin/tar/bin/tcsh/bin/tempfile/bin/touch/bin/true/bin/umount/bin/uname/bin/uncompress/bin/vdir/bin/which/bin/zcat/bin/zcmp/bin/zdiff/bin/zegrep/bin/zfgrep/bin/zforce/bin/zgrep/bin/zless/bin/zmore/bin/znew/bin/zsh/bin/zsh4/boot/boot/config-2.6.18-5-amd64/boot/grub/boot/grub/default/boot/grub/device.map/boot/grub/device.map~/boot/grub/e2fs_stage1_5/boot/grub/fat_stage1_5/boot/grub/jfs_stage1_5/boot/grub/menu.lst/boot/grub/menu.lst~/boot/grub/minix_stage1_5/boot/grub/reiserfs_stage1_5/boot/grub/splashimages/boot/grub/splashimages/bike_gua.xpm.gz/boot/grub/splashimages/biosplash.xpm.gz/boot/grub/splashimages/CRW_7206_14.xpm.gz/boot/grub/splashimages/debsplash.xpm.gz/boot/grub/splashimages/fiesta.xpm.gz/boot/grub/splashimages/gentleblue.xpm.gz/boot/grub/splashimages/guitar.xpm.gz/boot/grub/stage1/boot/grub/stage2/boot/grub/xfs_stage1_5/boot/initrd.img/boot/initrd.img-2.6.17-2-amd64.bak/boot/initrd.img-2.6.18-5-amd64/boot/initrd.img-2.6.18-5-amd64.bak/boot/memtest86+.bin/boot/System.map-2.6.18-5-amd64/boot/vmlinuz/boot/vmlinuz-2.6.18-5-amd64
[SNIP]

All files are now listed as suspicious.
And to make it even worse, they are printed without any whitespace.
This results in an e-mail from the cronjob which has one line and is 27MB in size.
(Which makes the mail viewer or editor very busy.)


When called as
bash -x /usr/sbin/chkrootkit > /tmp/chkroot.out 2>&1

it delivers the following (excerpt):

+ printn 'Searching for ENYELKM rootkit default files... '
++ /bin/echo 'a\c'
++ /bin/egrep c
+ /bin/echo -n 'Searching for ENYELKM rootkit default files... '
Searching for ENYELKM rootkit default files... + '[' -d /etc/.enyelkmOCULTAR.ko ']'
+ '[' '' '!=' t ']'
+ echo 'nothing found'
nothing found
+ '[' '' '!=' t ']'
+ printn 'Searching for common ssh-scanners default files... '
++ /bin/echo 'a\c'
++ /bin/egrep c
+ /bin/echo -n 'Searching for common ssh-scanners default files... '
Searching for common ssh-scanners default files... ++ /usr/bin/find /tmp /var/tmp -name vuln.txt -o -name ssh-scan -o -name pscan2
+ files=
+ '[' '' = '' ']'
+ '[' '' '!=' t ']'
+ echo 'nothing found'
nothing found
+ '[' '' '!=' t ']'
+ printn 'Searching for suspect PHP files... '
++ /bin/echo 'a\c'
++ /bin/egrep c
+ /bin/echo -n 'Searching for suspect PHP files... '
Searching for suspect PHP files... ++ /usr/bin/find /tmp /var/tmp -name '*.php'
+ files=
++ /usr/bin/find /tmp /var/tmp -type f -exec head -1 '{}' ';'
++ grep php
+ fileshead='//bin/bin/arch/bin/ash/bin/bash/bin/bunzip2/bin/busybox/bin/bzcat/bin/bzcmp/bin/bzdiff/bin/bzegrep/bin/bzexe/bin/bzfgrep/bin/bzgrep/bin/bzip2/bin/bzip2recover/bin/bzless/bin/bzmore/bin/cat/bin/chgrp/bin/chmod/bin/chown/bin/con2fbmap/bin/cp/bin/cpio/bin/csh/bin/dash/bin/date/bin/dd/bin/df/bin/dir/bin/dmesg/bin/dnsdomainname/bin/echo/bin/ed/bin/egrep/bin/false/bin/fbset/bin/fgconsole/bin/fgrep/bin/fuser/bin/grep/bin/gunzip/bin/gzexe/bin/gzip/bin/hostname/bin/ip/bin/kernelversion/bin/kill/bin/ksh/ [SNIP]



Greetings
        Juergen

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.24-1-amd64 (SMP w/1 CPU core)
Locale: [email protected], [email protected] (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages chkrootkit depends on:
ii  binutils         2.18.1~cvs20080103-4+b1 The GNU assembler, linker and bina
ii  debconf [debconf 1.5.21                  Debian configuration management sy
ii  libc6            2.7-10                  GNU C Library: Shared libraries
ii  net-tools        1.60-19                 The NET-3 networking toolkit
ii  procps           1:3.2.7-8               /proc file system utilities

chkrootkit recommends no packages.

-- debconf information:
* chkrootkit/run_daily: true
* chkrootkit/run_daily_opts: -q -n
* chkrootkit/diff_mode: true

----- End forwarded message -----


--- End Message ---
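The bash -x trace in the forwarded report shows the shape of the check that produced the 27MB line: `find /tmp /var/tmp -type f -exec head -1 '{}' ';' | grep php`, whose output is stored in `fileshead`. What that pipeline stores is the matched line contents, not the names of the files the lines were read from, and for a file that contains no newline at all `head -1` emits the whole file. The script below is an added example, not chkrootkit's code and not from anyone on this thread; it reproduces that pipeline shape in a throwaway sandbox with two constructed files and pairs it with a hardened variant that reads a bounded prefix of each file and reports the file path instead of its contents. The single-line `.filelist.cache` file is a constructed stand-in: the report does not say which file on the reporter's system produced the output.

```shell
#!/bin/sh
# Added example (not chkrootkit's own code): first-line heuristics over /tmp
# report what they read, not what they found.
set -u

# Constructed sandbox standing in for /tmp and /var/tmp.
SANDBOX=$(mktemp -d)
TMPDIRS="$SANDBOX/tmp $SANDBOX/var/tmp"
mkdir -p $TMPDIRS

# Constructed sample 1: a harmless PHP file dropped into tmp (first line is
# a real PHP opening tag, which is what the heuristic is meant to catch).
printf '<?php echo "hello"; ?>\n' > "$SANDBOX/tmp/x.php"

# Constructed sample 2: a stray file with a single long line and no trailing
# newline, whose text happens to contain "php". head -1 prints all of it.
printf '%s' '/bin/bash/bin/cat/usr/share/php/PEAR.php/usr/bin/php5' \
    > "$SANDBOX/var/tmp/.filelist.cache"

# Same pipeline shape as the trace: head -1 on every regular file, grep for
# "php", store the result. The stored value is line content, so a matching
# file is reported by its first line, and a newline-free file is dumped whole.
naive_check() {
    fileshead=$(find $TMPDIRS -type f -exec head -1 '{}' ';' | grep php)
    printf '%s\n' "$fileshead"
}

# Hardened variant: inspect at most 512 bytes per file, match the PHP opening
# tag rather than the bare substring "php", and report the path of the file
# that matched (sorted so the output is stable).
hardened_check() {
    find $TMPDIRS -type f \
        -exec sh -c 'head -c 512 "$1" | grep -q "<?php"' _ '{}' ';' -print | sort
}

# Run both so the difference is visible when the script is executed directly.
echo "naive check reports:"
naive_check
echo "hardened check reports:"
hardened_check
```

The naive variant prints two lines, the PHP opening tag and the whole whitespace-free cache line, and neither is a path; the hardened variant prints exactly `$SANDBOX/tmp/x.php`. Bounding the read with `head -c` also caps how much a single odd file can contribute to the cron mail.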