On 13 Feb 2025 at 20:39, home user via users wrote:

Date sent: Thu, 13 Feb 2025 20:39:23 -0700
Subject: Re: security: wted?
To: Community support for Fedora users <users@lists.fedoraproject.org>
Send reply to: Community support for Fedora users <users@lists.fedoraproject.org>
From: home user via users <users@lists.fedoraproject.org>
Copies to: home user <mattis...@comcast.net>
> On 2/13/25 7:33 PM, Tim wrote:
> > On Thu, 2025-02-13 at 10:50 -0700, home user via users wrote:
> >> When I ran chkrootkit, I got the following (including a few lines of
> >> context) regarding
> >
> > Is there a reason you feel the need to check for rootkits?
> >
> > I'm under the impression that if you don't install things from outside
> > of the repos, and keep SELinux running, there's a so-close-to-zero
> > chance of you having a problem that it's not worth worrying about.
> >
> > Unlike Windows, our mail clients don't automatically run executables
> > that have been attached to emails, etc. You have to choose to run
> > executables.
>
> Maybe I'm remembering wrong, but I recall over a decade ago being advised on this list to use 2 tools to watch for malware on this workstation: chkrootkit and rkhunter. (I was also advised that those tools are not perfect.) Being not an IT professional, and trusting that those list members that do the helping are experienced professionals (though not perfect), I live by that advice and run both tools weekly. Also, don't these tools check for more than just rootkits?

https://chkrootkit.org/ shows a slightly newer version.

chkrootkit 0.58b is now available! (Release Date: Jul 05 2023)
https://chkrootkit.org/download/
ftp://ftp.chkrootkit.org/pub/seg/pac/chkrootkit.tar.gz

Link is to ftp, but Firefox doesn't seem to do that anymore, so did

ncftpget ftp://ftp.chkrootkit.org/pub/seg/pac/chkrootkit.tar.gz .

then

tar -xvf chkrootkit.tar.gz
cd chkrootkit-0.58b/

The directory has files, but only the chkrootkit as an executable shell script. Running make creates the files with today's date.
  2531 Feb 24  2023 strings.c
  1292 Feb 24  2023 README.chkwtmp
  1323 Feb 24  2023 README.chklastlog
  1637 Feb 24  2023 Makefile
  5965 Feb 24  2023 chkutmp.c
 10057 Feb 24  2023 chkproc.c
  7376 Feb 24  2023 chkdirs.c
  7195 Feb 24  2023 check_wtmpx.c
  5210 Jun 23  2023 ACKNOWLEDGMENTS
  1337 Jun 29  2023 COPYRIGHT
  7833 Jun 29  2023 chklastlog.c
  9011 Jun 29  2023 ifpromisc.c
 15638 Jun 29  2023 README
  2283 Jun 29  2023 chkwtmp.c
   582 Jun 29  2023 chkrootkit.lsm
 88420 Jul  6  2023 chkrootkit

These created by make.

 15104 Feb 14 15:51 chklastlog
 15024 Feb 14 15:51 chkwtmp
 15176 Feb 14 15:51 ifpromisc
 15216 Feb 14 15:51 chkproc
 15080 Feb 14 15:51 chkdirs
 14832 Feb 14 15:51 check_wtmpx
748544 Feb 14 15:51 strings-static
 15088 Feb 14 15:51 chkutmp

Then run the ./chkrootkit to test it.

The chkrootkit that dnf installs is 0.57, is in /usr/lib64/chkrootkit-0.57 and has these files.

725888 Jan 23  2024 strings-static
    14 Jan 23  2024 strings -> strings-static
 16048 Jan 23  2024 ifpromisc
 15824 Jan 23  2024 chkwtmp
 15992 Jan 23  2024 chkutmp
 87233 Jan 23  2024 chkrootkit
 16032 Jan 23  2024 chkproc
 15928 Jan 23  2024 chklastlog
 16032 Jan 23  2024 chkdirs
 15968 Jan 23  2024 check_wtmpx
     0 Feb 14 04:20 1

So not clear who makes the rpm to install them in that way.

Ran the 0.57 and the 0.58 and redirected output to files. Then compared, and differences were

22c22
< Checking `inetd'... not found
---
> Checking `inetd'... not tested
119a120,121
> Searching for Tsunami DDoS Malware.. nothing found
> Searching for Linux BPF Door.. nothing found
178,180c180,182
< ! root 905650 pts/0 /usr/bin/sh /usr/lib64/chkrootkit-0.57/chkrootkit
< ! root 906780 pts/0 ./chkutmp
< ! root 906781 pts/0 ps ax -o tty,pid,ruser,args
---
> ! root 906789 pts/0 /bin/sh ./chkrootkit
> ! root 907932 pts/0 ./chkutmp
> ! root 907933 pts/0 ps ax -o tty,pid,ruser,args

So looks like 0.58 has some added things.

rkhunter seems to have the same version as the sourceforge site.

> By the way, I notice that rkhunter was last patched on my workstation in June of 2022.
> But its webpage shows its last update to be March of 2024. Our repository almost a year behind on this?

+------------------------------------------------------------+
Michael D. Setzer II - Computer Science Instructor (Retired)
mailto:mi...@guam.net
mailto:msetze...@gmail.com
mailto:msetze...@gmx.com
Guam - Where America's Day Begins
G4L Disk Imaging Project maintainer
http://sourceforge.net/projects/g4l/
+------------------------------------------------------------+
--
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
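The hand-made diff of the two redirected runs in the message above mixes real changes (a check whose result changed, two new checks in 0.58) with noise: the `! user PID tty command` lines that chkutmp prints carry PIDs that differ on every run. The following script is an added example, not code from the thread or from the chkrootkit project. It masks the PID column before diffing and lists the check names that exist only in the newer run. The function names are my own, and the sample output files are constructed (trimmed) from the lines quoted in the message rather than taken from a real run.

```sh
#!/bin/sh
# Added example (not from the thread or chkrootkit): compare two chkrootkit
# output files without the PID noise from the chkutmp "! user PID tty cmd"
# lines, and list checks that only the newer version performs.

normalize_chkrootkit() {
    # stdin: chkrootkit output. stdout: same text with the PID column of
    # "! user PID tty command" lines replaced by the literal "PID".
    sed -E 's/^(! +[^ ]+ +)[0-9]+( +)/\1PID\2/'
}

compare_runs() {
    # $1 = output file of the older run, $2 = output file of the newer run.
    # Prints the masked diff. Returns 0 when the runs agree, 1 when they differ.
    old_n=$(mktemp) || return 2
    new_n=$(mktemp) || return 2
    normalize_chkrootkit < "$1" > "$old_n"
    normalize_chkrootkit < "$2" > "$new_n"
    rc=0
    diff "$old_n" "$new_n" || rc=$?
    rm -f "$old_n" "$new_n"
    return "$rc"
}

check_names() {
    # stdin: chkrootkit output. stdout: sorted, unique check names with the
    # trailing "... result" stripped, e.g. "Searching for Linux BPF Door".
    sed -nE '/^(Searching for|Checking) /{s/\.\.+ [^.]*$//;p;}' | sort -u
}

new_checks() {
    # Check names present in the newer run ($2) but absent from the older ($1),
    # regardless of what result each check reported.
    old_c=$(mktemp) || return 2
    new_c=$(mktemp) || return 2
    check_names < "$1" > "$old_c"
    check_names < "$2" > "$new_c"
    comm -13 "$old_c" "$new_c"
    rm -f "$old_c" "$new_c"
}

# Constructed sample files standing in for the two redirected output files
# from the message (shortened; the lines are taken from the quoted diff).
SAMPLE_OLD=$(mktemp)
SAMPLE_NEW=$(mktemp)
cat > "$SAMPLE_OLD" <<'EOF'
Checking `inetd'... not found
Searching for suspicious files and dirs, it may take a while... nothing found
! root 905650 pts/0 /usr/bin/sh /usr/lib64/chkrootkit-0.57/chkrootkit
! root 906780 pts/0 ./chkutmp
EOF
cat > "$SAMPLE_NEW" <<'EOF'
Checking `inetd'... not tested
Searching for suspicious files and dirs, it may take a while... nothing found
Searching for Tsunami DDoS Malware.. nothing found
Searching for Linux BPF Door.. nothing found
! root 906789 pts/0 /bin/sh ./chkrootkit
! root 907932 pts/0 ./chkutmp
EOF

echo "== masked diff (old -> new) =="
compare_runs "$SAMPLE_OLD" "$SAMPLE_NEW" || echo "(runs differ, exit $?)"
echo "== checks only in the newer run =="
new_checks "$SAMPLE_OLD" "$SAMPLE_NEW"
```

With the two real output files in place of the samples, `compare_runs old.txt new.txt` leaves only the `inetd` result change, the two added searches and the differing interpreter path, while the `./chkutmp` and `ps` lines drop out of the diff because they match once the PID is masked. The same masking is what you want when keeping weekly chkrootkit output under version control: a commit should show a new finding, not a new PID.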