This is an additional document added to the Fedora RPM package of
chkrootkit.
-----

It is in the nature of some of chkrootkit's checks that some of the
reported findings may be false positives. The chkrootkit user is advised
to examine such files more closely (display them, query the RPM database
about them, compare them with backups on read-only media) and to use
another layer of protection (such as an intrusion detection tool).

For example, when it searches below /usr/lib for hidden files (names
beginning with a dot), chkrootkit may report files that belong to valid
RPM packages, or that were created at run time by some software, and
that are harmless. The output could look like this (the lines have been
wrapped for readability):

Searching for suspicious files and dirs, it may take a while...
/usr/lib/firefox-1.5.0.3/.autoreg
/usr/lib/firefox-1.5.0.2/.autoreg
/usr/lib/firefox-1.5.0.8/.autoreg
/usr/lib/firefox-1.5.0.1/.autoreg
/usr/lib/qt-3.3/etc/settings/.qt_plugins_3.3rc.lock
/usr/lib/qt-3.3/etc/settings/.qtrc.lock
/usr/lib/firefox-1.5/.autoreg
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist
/usr/lib/firefox-1.5.0.4/.autoreg

In this example, the files are valid files from Firefox (previous and
current versions), Perl and the Qt GUI toolkit, but only the ".packlist"
file is included in the main "perl" package. Creating and maintaining a
simple white-list inside chkrootkit would bear the risk that a new rootkit
uses the knowledge about white-listed file locations to store its
malicious files.
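The triage this document recommends (query the RPM database about each
reported file), as an added example that is not part of chkrootkit or of
the Fedora package: a POSIX shell script that reads the "suspicious files
and dirs" output of chkrootkit, asks "rpm -qf" which installed package owns
each path, and leaves the unowned paths for manual review. The embedded
sample report reuses three of the paths quoted above; the classification
rule and the function names (classify_path, triage_report) are this
example's own, not chkrootkit's.

```shell
#!/bin/sh
# Added example, not part of chkrootkit: triage chkrootkit's "hidden file"
# findings against the RPM database.
#
# Rule (a simplification chosen for this example): a path owned by an
# installed package is reported with its owner; every other path is marked
# "unowned" and left for manual review.  A path that has disappeared since
# the scan also comes out as "unowned", which is itself worth a second look.

# Constructed sample: a few of the lines chkrootkit printed in this README,
# embedded so the script can be exercised without a live scan.
SAMPLE_REPORT='Searching for suspicious files and dirs, it may take a while...
/usr/lib/firefox-1.5.0.3/.autoreg
/usr/lib/qt-3.3/etc/settings/.qtrc.lock
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist'

# classify_path PATH: prints "owned:<pkg>[,<pkg>...]" or "unowned".
# Only the exit status of "rpm -qf" is trusted; its wording is not parsed.
classify_path() {
    if pkg=$(rpm -qf "$1" 2>/dev/null); then
        # A file can be owned by several packages; join them on one line.
        printf 'owned:%s\n' "$(printf '%s\n' "$pkg" | paste -sd, -)"
    else
        printf 'unowned\n'
    fi
}

# triage_report: reads chkrootkit output on stdin and prints one line per
# finding as "<class><TAB><path>".  Exit status is 0 when every reported
# path is owned by a package and 1 when at least one is unowned, so the
# function can gate a cron job or an alert.
triage_report() {
    unowned=0
    while IFS= read -r line; do
        case $line in
            /*) ;;            # only absolute paths are findings
            *) continue ;;    # skip chatter such as "Searching for ..."
        esac
        class=$(classify_path "$line")
        printf '%s\t%s\n' "$class" "$line"
        case $class in
            unowned) unowned=$((unowned + 1)) ;;
        esac
    done
    [ "$unowned" -eq 0 ]
}

# Stand-alone run: triage the embedded sample on a host that has rpm.
if command -v rpm >/dev/null 2>&1; then
    printf '%s\n' "$SAMPLE_REPORT" | triage_report \
        || echo "-> unowned entries above need manual review"
fi
```

On a Fedora host, "sh triage.sh" classifies the embedded sample; to use it
on a real scan, source the file and pipe the scan into it, for example
"chkrootkit | triage_report". An "owned" result only says that a package
claims the path; the next step is "rpm -V" on that package to confirm the
file still matches what the package shipped. An "unowned" result is
exactly the case the advice above covers: display the file and compare it
with a backup on read-only media before deciding it is harmless.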

Also see: http://www.chkrootkit.org/faq/