[SGVLUG] Re: chkrootkit question

Matthew Gallizzi matthew.gallizzi at gmail.com
Tue Oct 3 13:21:50 PDT 2006


For whatever it's worth, another rootkit scanner I use is called rkhunter.

On 10/3/06, Claude Felizardo <cafelizardo at gmail.com> wrote:
>
> On 9/27/06, Claude Felizardo <cafelizardo at gmail.com> wrote:
> > Does anyone on the list use chkrootkit?
> >
> > I have two Linux boxes running Mandrake's msec suite of security tools
> > scheduled to run at 4 am.  The machine at work is a P4 2.8 GHz box
> > with SATA and it would usually complete its scans within the hour.  My
> > file server at home is a P3/450 with 3 IDE drives in a RAID-5
> > configuration and the scan generally took well over 12 hours but since
> > it usually completes by the time I get home and I don't often log into
> > the machine it wasn't a big deal.  I figured it was the amount of data
> > it had to scan and the software RAID.  One of the tools msec will use
> > is chkrootkit and I discovered that while it's installed at home, it
> > was never installed on my desktop at work.
> >
> > This morning I find that it's still running at work with a load avg of
> > 2.5 while my server at home is at its normal 1.2 during the scan.  So
> > I started looking around and
> >
> > Crap, I just noticed that it's been scanning the home directories of
> > everyone at work.   Well it managed to generate about 145KB of
> > Permission denied messages before I managed to kill it.
> >
> > Looks like there's a -n option I can use to tell it to skip NFS
> > mounted directories but what I'd really want to do is have it ignore
> > my backup directories as well.  msec has some config options to
> > exclude directories but I don't think it's used by chkrootkit.
> >
> > I'm running chkrootkit 0.45 and from their website, I see that the
> > latest is 0.46a.  According to some of the posts to their mailing
> > list, some people had complained that the -n option didn't support
> > skipping AFS file systems and was causing a similar problem, not clear
> > on what version this was.
> >
> > Any suggestions?
> >
> > claude
>
> Got a little further with this.   I had updated to 0.46 which claimed
> to have fixed nfs skipping issues but it didn't seem to help.  Turns
> out the nfs skipping part isn't used everywhere.  I tracked my slow
> down problem to some assumptions in the /usr/sbin/chkrootkit shell
> script.
>
> The check for aliens which scans for strange files in the home
> directories assumes that the $HOME environment variable is defined.
> Unfortunately when run by root in a cron job, it's not set so it
> searches the entire directory tree including /dev, /proc and all of
> the nfs mounts.  The quickest solution was to define the HOME variable
> in the script that calls chkrootkit and is run every morning.
>
> The 2nd problem was the check for the Ducoci rootkit.  This time it
> doesn't even use the $HOME environment variable, instead it's starting
> its search at . which when run by root as a cron again defaults to
> the top directory.  I have this block commented out for now and may
> fix the code but does anyone know what the Ducoci rootkit is?  I've
> tried searching for it but all I get is that chkrootkit scans for it.
> The code is apparently looking for the file last.cgi.
>
> Looking at the chkrootkit website, it looks like the last update was
> nearly a year ago.  I have tried contacting the two maintainers but
> have not gotten a response though it's only been a few days.  Any
> suggestions?
>
> btw, the security scans now complete within minutes.  Much better than
> the hours upon hours it was taking before.
>
> claude
>



-- 
Matthew Gallizzi
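The failure mode Claude describes above (a scanner that builds its search path from $HOME, which cron does not set for root, so an unquoted `$HOME` expands to nothing and find(1) walks the whole tree from "." instead) can be reproduced and fixed with a few lines of shell. The script below is an added example, not code from chkrootkit, msec or anyone on this thread; it builds a small constructed directory tree in a temp dir (the names `home/claude` and `var/www` and the probe filename `last.cgi` are chosen for illustration) and compares the naive and the pinned invocation:

```sh
#!/bin/sh
# Added example (not chkrootkit's own code): show how an unset HOME turns a
# "scan the home directory" check into a scan of everything under the cwd,
# and what a cron wrapper should pin before calling such a scanner.

# Build a constructed tree: one probe file inside a home directory and one
# outside it.  A correct home-directory check must report exactly one hit.
make_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/home/claude" "$t/var/www"
    : > "$t/home/claude/last.cgi"   # inside HOME
    : > "$t/var/www/last.cgi"       # outside HOME
    printf '%s\n' "$t"
}

# Naive check, as a script might write it: unquoted $HOME.  When HOME is empty
# the word vanishes, find(1) falls back to ".", and with cron's cwd that is the
# top of the tree.  Prints the number of hits.
naive_hits() {
    tree="$1"; home_value="$2"
    ( cd "$tree" && HOME="$home_value" sh -c 'find $HOME -name last.cgi' \
        | wc -l | tr -d ' ' )
}

# Hardened check: fall back to an explicit default when HOME is unset or empty,
# and quote the expansion so it can never disappear.  Prints the number of hits.
safe_hits() {
    tree="$1"; home_value="$2"; default_home="$3"
    ( cd "$tree" && HOME="$home_value" DEFAULT_HOME="$default_home" \
        sh -c 'find "${HOME:-$DEFAULT_HOME}" -name last.cgi' \
        | wc -l | tr -d ' ' )
}

# What the nightly wrapper that invokes the scanner should do first: give cron
# a defined HOME and a defined working directory, so checks that start at
# "$HOME" or at "." both stay where they belong.  (/root is an assumed default.)
pin_scan_env() {
    : "${HOME:=/root}"
    export HOME
    cd "$HOME" || return 1
}

# Stand-alone demonstration.
if [ "${DEMO:-1}" = 1 ]; then
    tree=$(make_tree)
    echo "naive, HOME unset:  $(naive_hits "$tree" "") hit(s)"
    echo "naive, HOME set:    $(naive_hits "$tree" "$tree/home/claude") hit(s)"
    echo "safe,  HOME unset:  $(safe_hits "$tree" "" "$tree/home/claude") hit(s)"
    rm -rf "$tree"
fi
```

Run it as-is to see the naive form report two hits with HOME empty and one with HOME set, while the hardened form reports one either way. In a real cron job the equivalent of `pin_scan_env` goes at the top of the script that calls chkrootkit, which is exactly the quick fix described above; note it only covers checks that derive their start point from HOME or ".", so a separate look at which checks honour the -n (skip NFS) option is still worthwhile.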