[email protected]
[Top] [All Lists]

Bug#479187: marked as forwarded (chkrootkit report all files as suspici

Subject: Bug#479187: marked as forwarded chkrootkit report all files as suspicious, without whitespace
From: Debian Bug Tracking System
Date: Sun, 04 May 2008 09:15:06 +0000
Your message dated Sun, 4 May 2008 21:11:19 +1200
with message-id <[email protected]>
has caused the   report #479187,
regarding chkrootkit report all files as suspicious, without whitespace
to be marked as having been forwarded to the upstream software
author(s) [email protected]

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]

479187: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=479187
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Subject: Fwd: chkrootkit report all files as suspicious, without whitespace
From: Francois Marier
Date: Sun, 4 May 2008 21:11:19 +1200
Hi Nelson,

Juergen reported the following problem with the latest version of

Is there anything that could be done to help track the problem down?


----- Forwarded message from Juergen Kosel <[email protected]> -----

Package: chkrootkit
Version: 0.48-2
Severity: important


after upgrading chkrootkit to 0.48-2 it generates now the following output:

The following suspicious files and directories were found:
/usr/lib/jvm/.java-gcj.jinfo /usr/lib/icedove/.autoreg
/usr/lib/iceweasel/.autoreg /usr/lib/xulrunner/.autoreg
/usr/lib/electric/.cadrc /lib/init/rw/.ramfs


All files are now listed as suspicous.
And to make it even more worse they are printed without any whitespace.
This results in an e-mail from the cronjob which has one line and 27MB size.
(Which makes the mail viewer or editor very busy.)

when called
bash -x /usr/sbin/chkrootkit > /tmp/chkroot.out 2>&1

it delivers the following (excerp):

+ printn 'Searching for ENYELKM rootkit default files... '
++ /bin/echo 'a\c'
++ /bin/egrep c
+ /bin/echo -n 'Searching for ENYELKM rootkit default files... '
Searching for ENYELKM rootkit default files... + '[' -d
/etc/.enyelkmOCULTAR.ko ']'
+ '[' '' '!=' t ']'
+ echo 'nothing found'
nothing found
+ '[' '' '!=' t ']'
+ printn 'Searching for common ssh-scanners default files... '
++ /bin/echo 'a\c'
++ /bin/egrep c
+ /bin/echo -n 'Searching for common ssh-scanners default files... '
Searching for common ssh-scanners default files... ++ /usr/bin/find /tmp
/var/tmp -name vuln.txt -o -name ssh-scan -o -name pscan2
+ files=
+ '[' '' = '' ']'
+ '[' '' '!=' t ']'
+ echo 'nothing found'
nothing found
+ '[' '' '!=' t ']'
+ printn 'Searching for suspect PHP files... '
++ /bin/echo 'a\c'
++ /bin/egrep c
+ /bin/echo -n 'Searching for suspect PHP files... '
Searching for suspect PHP files... ++ /usr/bin/find /tmp /var/tmp -name
+ files=
++ /usr/bin/find /tmp /var/tmp -type f -exec head -1 '{}' ';'
++ grep php
hostname/bin/ip/bin/kernelversion/bin/kill/bin/ksh/ [SNIP]


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.24-1-amd64 (SMP w/1 CPU core)
Locale: [email protected], [email protected] (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages chkrootkit depends on:
ii  binutils         2.18.1~cvs20080103-4+b1 The GNU assembler, linker
and bina
ii  debconf [debconf 1.5.21                  Debian configuration
management sy
ii  libc6            2.7-10                  GNU C Library: Shared libraries
ii  net-tools        1.60-19                 The NET-3 networking toolkit
ii  procps           1:3.2.7-8               /proc file system utilities

chkrootkit recommends no packages.

-- debconf information:
* chkrootkit/run_daily: true
* chkrootkit/run_daily_opts: -q -n
* chkrootkit/diff_mode: true

----- End forwarded message -----

--- End Message ---
<Prev in Thread] Current Thread [Next in Thread>
  • Bug#479187: marked as forwarded (chkrootkit report all files as suspicious, without whitespace), Debian Bug Tracking System <=