[Ubuntu-BR] How can I be sure whether I have a rootkit?

Aguinaldo Dantas aguinaldodantas2 at gmail.com
Mon Oct 8 01:39:53 UTC 2007


Hi everyone,

Because of strange behaviour on my machine, I installed chkrootkit and
rkhunter, and from both I got the following suspicious messages:

I will leave out whatever looks irrelevant and whatever clearly tells me that
nothing was found or that it is OK.

Among the suspicious behaviours in Firefox are that I can no longer post sites
to del.icio.us, and that it does not open a new window with Speed Dial open.
So far I have had no deleted files, at least as far as I know, nor any
unexplained freezes.

I am counting on everyone's help, since, as I do not know how this happened,
we are all exposed to the same problems.

Cheers,

aguinaldo@aguinaldo-desktop:~$ sudo chkrootkit
Password:
ROOTDIR is `/'

Searching for suspicious files and dirs, it may take a while...
/usr/lib/eclipse/.eclipseproduct
/usr/lib/eclipse/plugins/org.eclipse.ui.intro.universal_3.2.1.R321_v20060905/.options
/usr/lib/eclipse/plugins/org.eclipse.platform.source_3.2.2.r322_v20070119-CXMbUe9K_WF26uA/src/org.eclipse.ui.intro_3.2.2.R322_v20061214/.options
/usr/lib/eclipse/plugins/org.eclipse.platform.source_3.2.2.r322_v20070119-CXMbUe9K_WF26uA/src/org.eclipse.ui.intro.universal_3.2.1.R321_v20060905/.options
/usr/lib/eclipse/plugins/org.eclipse.help.webapp_3.2.2.R322_v20061114/.options
/usr/lib/eclipse/plugins/org.eclipse.pde.build_3.2.1.r321_v20060823/.options
/usr/lib/vmware-server/perl5/site_perl/5.005/i386-linux/auto/XML/DOM/.packlist
/usr/lib/vmware-server/perl5/site_perl/5.005/i386-linux/auto/XML/Parser/.packlist
/usr/lib/vmware-server/perl5/site_perl/5.005/i386-linux/auto/MIME/Base64/.packlist
/usr/lib/vmware-server/perl5/site_perl/5.005/i386-linux/auto/URI/.packlist
/usr/lib/vmware-server/perl5/site_perl/5.005/i386-linux/auto/VMware/VmPerl/.exists
/usr/lib/vmware-server/perl5/site_perl/5.005/i386-linux/auto/VMware/VmdbPerl/.exists
/usr/lib/vmware-server/perl5/site_perl/5.005/i386-linux/auto/VMware/HConfig/.exists
/usr/lib/vmware-server/perl5/site_perl/5.005/i386-linux/auto/Authen/PAM/.packlist
/usr/lib/vmware-server/perl5/site_perl/5.005/i386-linux/VMware/.exists
/usr/lib/firefox/.autoreg
/lib/linux-restricted-modules/.nvidia_new_installed
/lib/modules/2.6.20-16-generic/volatile/.mounted


Searching for OBSD rk v1... /usr/lib/security
/usr/lib/security/classpath.security

Searching for anomalies in shell history files... Warning: `' is linked to another file

Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/sbin/dhclient3[5282])

aguinaldo@aguinaldo-desktop:~$

aguinaldo@aguinaldo-desktop:~$ sudo rkhunter -c


Rootkit Hunter 1.2.9 is running

Determining OS... Ready


Checking binaries
* Selftests


* System tools
  Performing 'known bad' check...

Info: Check skipped - no hashes available

Check rootkits
* Default files and directories

* Suspicious files and malware

* Trojan specific characteristics
   shv4
     Checking /etc/xinetd.conf                                [ Skipped ]

* Suspicious file properties
   chmod properties

   Script replacements


* OS dependant tests

   Linux


Networking
* Check: frequently used backdoors


* Interfaces

System checks
* Allround tests
   Checking hostname... Found. Hostname is aguinaldo-desktop
   Checking boot.local/rc.local file...

   Checking history files
     Bourne Shell                                             [ OK ]

* Filesystem checks

   Scanning for hidden files...                               [ Warning! ]
---------------
/dev/.tmp-3-0
/dev/.static
/dev/.udev
/dev/.initramfs
/dev/.initramfs-tools
---------------
Please inspect:  /dev/.tmp-3-0 (block special (3/0))  /dev/.static (directory)  /dev/.udev (directory)  /dev/.initramfs (directory)

Application advisories
* Application scan

* Application version scan
   - Exim MTA 4.63                                            [ OK ]
gpg: WARNING: unsafe permissions on configuration file:
`/home/aguinaldo/.gnupg/gpg.conf'

Security advisories
* Check: Groups and Accounts
   Searching for /etc/passwd...                               [ Found ]

* Check: SSH
   Searching for sshd_config...

* Check: Events and Logging

   Checking for logging to remote system...                   [ OK (no remote logging) ]

---------------------------- Scan results ----------------------------

MD5 scan
Scanned files: 0
Incorrect MD5 checksums: 0

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 0

Scanning took 320 seconds

-----------------------------------------------------------------------

Do you have some problems, undetected rootkits, false positives, ideas
or suggestions? Please e-mail us through the Rootkit Hunter mailinglist
at rkhunter-users@lists.sourceforge.net.

-----------------------------------------------------------------------
aguinaldo@aguinaldo-desktop:~$
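Editor's note and added example, not part of the original post. Two of the findings above are routine on Ubuntu of that period rather than evidence by themselves: the "PACKET SNIFFER" on eth0 is dhclient3, which opens a raw packet socket to do DHCP, and /dev/.udev, /dev/.static and /dev/.initramfs* are directories created by udev and initramfs-tools. The finding that matters more is what did NOT run: rkhunter 1.2.9 skipped its binary check ("Check skipped - no hashes available", "MD5 scan ... Scanned files: 0"), so neither tool verified whether the system's own binaries had been replaced, which is the first thing a user-space rootkit does. On Debian and Ubuntu, dpkg records a checksum list for every package in /var/lib/dpkg/info/<package>.md5sums (the debsums package automates checking them). The POSIX shell script below does that comparison for one such list; the function names, the fixture directory and the sample files are constructed for this example. Caveats: a kernel-level rootkit can lie to md5sum itself, and the list is only as trustworthy as the disk it sits on, so for a real verification compare against checksums fetched from a known-clean mirror or run the check from live media.

```shell
#!/bin/sh
# Added example (not from the original post): verify installed files against a
# dpkg-style .md5sums list. Each line is "<md5hex>  <path relative to />".
# Real usage on Ubuntu/Debian:
#   check_md5sums /var/lib/dpkg/info/coreutils.md5sums /
# Prints one MISSING/MISMATCH line per bad file on stderr and the number of
# bad files on stdout. It trusts md5sum and the list on the same disk.

check_md5sums() {
    list="$1"
    root="${2:-/}"
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        expected="${line%% *}"      # text before the first space
        rel="${line#* }"            # text after the first space ...
        rel="${rel# }"              # ... minus the second space md5sum emits
        f="${root%/}/$rel"
        if [ ! -e "$f" ]; then
            echo "MISSING  $f" >&2
            bad=$((bad + 1))
            continue
        fi
        actual="$(md5sum "$f" | cut -d' ' -f1)"
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $f (expected $expected, got $actual)" >&2
            bad=$((bad + 1))
        fi
    done < "$list"
    echo "$bad"
}

# Constructed fixture: a fake root with two "installed" files, an md5sums list
# generated from them, and then one file overwritten the way a trojaned binary
# would be. Prints the fixture directory; the caller removes it.
make_fixture() {
    d="$(mktemp -d)"
    mkdir -p "$d/root/bin" "$d/root/sbin"
    printf 'original ls\n' > "$d/root/bin/ls"
    printf 'original ifconfig\n' > "$d/root/sbin/ifconfig"
    (cd "$d/root" && md5sum bin/ls sbin/ifconfig) > "$d/pkg.md5sums"
    printf 'trojaned ls\n' > "$d/root/bin/ls"   # simulate a replaced binary
    echo "$d"
}

# Stand-alone run (sh script.sh demo): one MISMATCH line for bin/ls, count 1.
if [ "${1:-}" = "demo" ]; then
    d="$(make_fixture)"
    check_md5sums "$d/pkg.md5sums" "$d/root"
    rm -rf "$d"
fi
```

To check a whole system, loop over every list in /var/lib/dpkg/info/*.md5sums and treat any non-zero count as something to explain; configuration files under /etc legitimately change and will show up, so read the MISMATCH lines rather than just the count.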


