Paul Cartwright on 27/08/08 02:09, wrote:
> Adam Hardy wrote:
> > What about chkrootkit? No warnings?
> /etc/cron.daily/chkrootkit: The following suspicious files and directories
> were found:
> /usr/lib/jvm/.java-gcj.jinfo
> /usr/lib/jvm/.java-1.5.0-sun.jinfo
> /usr/lib/jvm/java-1.5.0-sun-1.5.0.16/.systemPrefs
> /usr/lib/icedove/.autoreg
> /usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/VMware/VmdbPerl/.exists
> /usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/VMware/HConfig/.exists
> /usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/VMware/VmPerl/.exists
> /usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/Authen/PAM/.packlist
> /usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/MIME/Base64/.packlist
> /usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/URI/.packlist
> /usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/XML/Parser/.packlist
> /usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/XML/DOM/.packlist
> /usr/lib/vmware/perl5/site_perl/5.005/i386-linux/VMware/.exists
> /usr/lib/xulrunner-1.9/.autoreg
> /usr/lib/iceweasel/.autoreg
> /usr/lib/epiphany-gecko/2.22/extensions/.pyversion
> /lib/init/rw/.ramfs
> eth0: PACKET SNIFFER(/sbin/dhclient3[2740], /usr/sbin/ntop[4196])
> How about running ntop and check what your system is doing - are any ports
> open that shouldn't be?
Hi Paul,
I'm not a professional security expert but I can tell you what I learnt about
Linux security. Unless you set up your machine with rock-solid security from the
first minute, unless you minimise the number of ports you leave open, unless you
have strong passwords, unless you monitor the state of your box regularly, and
unless a lot of other things too which you can easily find all over Linux and
Debian security websites, you will always be paranoid that your machine might be
rooted. In fact, even if you do that stuff, I guess you can still be paranoid.
Go to www.rootkit.com and check out what these fiendish hackers and crackers are
up to - it's quite worrying.
So really from the evidence you've given, no-one can really say whether or not
your machine is rooted. If you've noticed strange goings-on, you have reason to
be worried, so reformat and re-install.
> # ps -ef|grep ntop
> ntop      4196     1  0 Aug13 ?        00:09:50 /usr/sbin/ntop -d -L -u ntop -P /var/lib/ntop --access-log-file /var/log/ntop/access.log -i eth0 -p /etc/ntop/protocol.list -O /var/log/ntop
> :/var/log/ntop# ls -ltr
> total 0
> -rw-rw-rw- 1 ntop root 0 2008-07-30 11:49 access.log
> paulandcilla:/var/log/ntop#
That logging from ntop showed that the port it wanted was already bound - like
your ps output shows, ntop is probably running already. If it is, try surfing to
your machine with http://yourmachine.com:3000/ which should bring up the HTML
client for ntop showing you all the stats.
Regards
Adam
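As an added example, not part of this thread or of chkrootkit itself: a small Python triage script for the kind of cron report quoted above. chkrootkit flags every hidden dotfile under /usr/lib and every process holding a raw socket, so most hits are packaging leftovers (Perl .packlist/.exists manifests, Java .jinfo, Mozilla .autoreg) or daemons that legitimately sniff (dhclient, ntop). The script parses the report, labels the entries it can explain, and leaves the rest for a human. The benign-pattern table and the expected-sniffer list are assumptions drawn from common Debian packaging, and the report text is constructed from the paths quoted in the thread plus two made-up entries so the "review" path is exercised.

```python
"""Triage a chkrootkit cron report: separate explainable findings from the
ones that need a closer look. Added example; not chkrootkit's own code."""
import re

# Constructed sample in the shape /etc/cron.daily/chkrootkit mails out.
# The last path and the eth1 line are invented to show the "review" verdict.
SAMPLE_REPORT = """\
/etc/cron.daily/chkrootkit: The following suspicious files and directories
were found: /usr/lib/jvm/.java-gcj.jinfo /usr/lib/jvm/.java-1.5.0-sun.jinfo
/usr/lib/vmware/perl5/site_perl/5.005/i386-linux/auto/URI/.packlist
/usr/lib/iceweasel/.autoreg /lib/init/rw/.ramfs
/usr/local/lib/.unknown-hidden
eth0: PACKET SNIFFER(/sbin/dhclient3[2740], /usr/sbin/ntop[4196])
eth1: PACKET SNIFFER(/tmp/.hidden/capture[6666])
"""

# Hidden files that installers leave behind legitimately (assumed table).
BENIGN_HIDDEN = {
    r"\.packlist$": "Perl module install manifest (ExtUtils::MakeMaker)",
    r"\.exists$": "Perl build placeholder for an auto/ directory",
    r"\.jinfo$": "Java alternatives metadata (update-java-alternatives)",
    r"\.systemPrefs$": "Java system preferences directory",
    r"\.autoreg$": "Mozilla/XULRunner component re-registration flag",
    r"\.pyversion$": "Python extension version marker",
    r"^/lib/init/rw/\.ramfs$": "Debian initscripts tmpfs marker",
}

# Programs expected to open raw/promiscuous sockets (assumed list).
EXPECTED_SNIFFERS = {"dhclient", "dhclient3", "dhcpd", "ntop", "tcpdump", "wireshark"}
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")

SNIFFER_LINE = re.compile(r"^(\S+): PACKET SNIFFER\((.*)\)\s*$")
PROG_PID = re.compile(r"(\S+?)\[(\d+)\]")


def parse_report(text):
    """Return (paths, sniffers); sniffers are (iface, program, pid) tuples."""
    paths, sniffers = [], []
    for line in text.splitlines():
        m = SNIFFER_LINE.match(line)
        if m:
            iface, procs = m.group(1), m.group(2)
            sniffers.extend((iface, prog, int(pid)) for prog, pid in PROG_PID.findall(procs))
            continue
        # Flagged paths are whitespace-separated absolute paths; the leading
        # "/etc/cron.daily/chkrootkit:" token ends with a colon and is skipped.
        paths.extend(t for t in line.split() if t.startswith("/") and not t.endswith(":"))
    return paths, sniffers


def classify_path(path):
    """(verdict, reason) for one flagged path."""
    for pattern, reason in BENIGN_HIDDEN.items():
        if re.search(pattern, path):
            return "known-benign", reason
    return "review", "hidden file with no packaging explanation"


def classify_sniffer(prog):
    """'expected' only for a known daemon living outside scratch directories."""
    name = prog.rsplit("/", 1)[-1]
    if name in EXPECTED_SNIFFERS and not prog.startswith(UNTRUSTED_PREFIXES):
        return "expected"
    return "review"


def needs_review(text):
    """The items a human should actually look at: (paths, sniffer programs)."""
    paths, sniffers = parse_report(text)
    odd_paths = [p for p in paths if classify_path(p)[0] == "review"]
    odd_sniffers = [prog for _, prog, _ in sniffers if classify_sniffer(prog) == "review"]
    return odd_paths, odd_sniffers


if __name__ == "__main__":
    paths, sniffers = parse_report(SAMPLE_REPORT)
    for p in paths:
        verdict, reason = classify_path(p)
        print(f"{verdict:13} {p}  ({reason})")
    for iface, prog, pid in sniffers:
        print(f"{classify_sniffer(prog):13} {iface}: {prog}[{pid}]")
```

Run against a real report (`python3 triage.py < report.txt` after swapping SAMPLE_REPORT for stdin), everything in the table still deserves a `dpkg -S` check, since a benign-looking name in an unexpected directory is exactly what the table cannot see; the script only removes the noise the quoted list is mostly made of.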