Ubuntu Security :: Ran A Chkrootkit Scan And Found Suspicious Files And Directories?
Aug 1, 2010
I ran a chkrootkit scan and found this:

The following suspicious files and directories were found:
/usr/lib/pymodules/python2.6/.path
/usr/lib/xulrunner-1.9.2.8/.autoreg
/usr/lib/firefox 3.6.8/.autoreg
/usr/lib/jvm/.java-6-openjdk.jinfo

Checking /dev for suspicious file types [ Warning ]
[13:37:16] Warning: Suspicious file types found in /dev:
[13:37:16] /dev/shm/pulse-shm-43136623: data
I have been running rkhunter, but how do I view /var/log/rkhunter.log? I have tried using: sudo /var/log/rkhunter.log but all I got was "Command not found".
I'm quite new to Ubuntu and I am running Ubuntu Studio 10.04. I have just installed KlamAV and had it scan my computer. I was surprised to find that it had found two 'viruses'. I don't know if anyone can help me in finding out if they are real or only false positives. The following is the output that I received.

Name of File: /usr/src/fglrx-8.723.1/libfglrx_ip.a.GCC3 and GCC4
Name of Problem: Heuristics.Broken.Executable
Status: Loose
I am a pretty new user to Linux. I am trying to run a program called car whisperer. The file can be downloaded from the trifinite site (the home of the trifinite.group). The readme says to install by just typing `$ make` and `# make install`, but this does nothing and I am not sure how to install it. There is a file called makefile which I try to run in the terminal, but it just gives me all sorts of errors about not being able to find files and directories. I have seen it run and the person simply types ./carwhisperer to run the program, but I also get "no such file or directory" here as well (probably because I have not installed it). I was able to install some programs using sudo apt-get install (filename), but I haven't found this command to work for this program.
I know that there is little need for me to install an anti-virus etc., but I was thinking it is a good idea to scan folders and files that I send to colleagues that run Windows. What's the best way and programme to do this? I guess I simply install an AV programme and that's it!
What is the best method for checking for rootkits? I have heard that it is best not to install and run these programs on the distro itself. Would it be possible to install them on another distro/partition and then use them to check for rootkits on my main partition/distro (Ubuntu)?
Looks like my Firefox has been compromised and I have a packet sniffer. Not sure what to do. Should I just delete the suspicious files? Here's the chkrootkit log:

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
I had a hack on my osCommerce website recently. I have put in the relevant security patches, but I need to check whether the hacker left any code changes in my files. What is a good file comparison software for Linux? I need it to scan through the current files and folders and compare them to the original default osCommerce installation so I can check the code.
How do I determine what types of files ClamAV can scan? For example, if unrar is not installed it can't scan the files inside a RAR archive. So is there any way to find out all the types of files that ClamAV can't scan?
I am going through the motions of testing the checkrootkit and rootkit hunter applications on one of our servers. I wanted to get feedback from those who know both as to which of the two is better at 'sniffing' out rootkits. Alternatively, can both be installed without their interfering with the other?
Let's say you have a host with some kind of locally installed root kit detector/scanner.
If someone managed to get root access to that box, wouldn't the first thing to do, before installing a rootkit, be to remove any kind of rootkit detector?
What is the most harmful thing a malware program started as a separate limited user account can do if it has access to the X server? Network and filesystem concerns are already covered by chroot and netfilter.
It obviously can lock the screen, and I will need to switch to another VT and kill it manually. Can it, for example, disrupt other GUI programs on the same X server (access a root terminal in a nearby window)?
I know that it is safer to run it in a separate X server, for example in Xtightvnc or even some virtual machine, but how dangerous is it to just run it like other programs?
I come to Ubuntu with the notion that it is much more secure than Windows. In XP I had an anti-virus, a third-party firewall and sundry software against spybots, rootkits etc. The antivirus blocked suspicious web pages while browsing. I generally avoided public networks, carrying a portable internet device. Do I need similar stuff with Ubuntu?
I know this post isn't strictly Linux-based, but since the system in question appears to be using Linux and I am as well, I decided to post this here. In doing other network playing with Ubuntu Server 10.10 I noticed that on all traceroutes I did to any IP, the second hop from my house jumped through a connection on IP 24.96.153.61, which I think should only be another dynamic-IP Knology.net customer...
In scanning the IP I now know that it's a Juniper Junos Router 9.2R1.10 (probably running on some VMware, based on googling?). Open ports show:
22 ssh OpenSSH 4.4 v. 1.99
23 telnet Openwall GNU/*/Linux telnetd
At first I thought this was just a legit Knology.net DNS server or something, but using such outdated versions and freeware... I feel suspicious that this is something else. Also, why in the world would Knology allow remote access to their mainframe equipment? Seems that if it were ever breached it would be beyond terrible for the ISP...
Finally, why can't people not SSH into my box from the outside if I have MAC address filtering on? Anyone know anything about this or am I just being paranoid? I'm a noob, so knowing too little about all this is probably more the problem?
Two days ago we started to receive the following message:
/etc/cron.daily/chkrootkit:
The following suspicious files and directories were found:
/lib/init/rw/.mdadm
/lib/init/rw/.ramfs
/lib/init/rw/.mdadm
INFECTED (PORTS: 4369)
You have 2 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed

And at about the same time (a day before that) we set up new rules for the queueing disciplines using 'tc' on our Debian lenny box (these rules are for some of the experiments we are carrying out). I have run chkrootkit manually and this message (as above) keeps appearing, while the rkhunter tool does not complain about these items. Could there be a connection between setting up the new qdiscs and the chkrootkit "INFECTED" messages?
I have suspicious requests in my haproxy logs from multiple sources to the same target. I could deny them in /etc/hosts.deny, but there are too many to keep track of. Is there a way to deny all requests to a specific target either in haproxy or through iptables?
Here's an example of the request:

Apr 12 15:11:37 127.0.0.1 haproxy[28672]: 41.105.42.150:27072 [12/Apr/2011:15:11:37.315] web_servers frontend_farm/######## 3/0/1/1/169 404 1073 - - --NI 3/3/2/1/0 0/0 "GET /images/comment_icon.gif HTTP/1.1"

I've commented out my Amazon instance ID for security purposes. The request is for comment_icon.gif, which does not exist. All requests go to that. The source IPs are from different countries as well, so blocking a certain country won't work either. Basically, if there were a way to send all requests for comment_icon.gif to /dev/null or something, it would work.
My server is probably hacked and sending spam emails. I see them randomly in the maillog (/usr/local/psa/var/log/maillog; the server has a Plesk panel), sometimes a few over a long time, sometimes a lot of them. Here is a sample of it:

Jan 4 00:47:08 acv360 qmail-remote-handlers[17662]: Handlers Filter before-remote for qmail started ...
Jan 4 00:47:08 acv360 qmail-remote-handlers[17662]: from=root@acv360.com
I have several directories, each owned by root and a group of the same name. By setting the sgid bit, I made sure that newly created files and directories are owned by the correct group, and that directories have the sgid bit set too. On each newly created directory or file, the permissions are set to 755. This is because this is the default umask, and I cannot change a user's umask. I actually only want files created below a particular directory to have group write access, with newly created directories inheriting this behaviour properly. I'm not on Samba or NFS; I have to do this for SSH users. The filesystem is ext3. I started to fool around with ACLs, but couldn't find what I was looking for.
Is there anything suspicious about this auth.log? I find the many CRON outputs and the part with gconftool weird. Also, why don't I have the permission to view "/var/log/btmp1". It has never happened before. I'm using GNOME's log viewer.
I am in need of Linux help. I am at college and I need this backup/restore script to pass the final part of an assessment. I require a backup script that will not only back up but also restore files to the relevant directories. E.g. users are instructed to store all word processor files in a directory named wp. So I need to create a backup directory and 3 directories within that, and some files within the 3 directories, and then back them up or restore them. I know I should/have to do this myself, but I have been trying to get/understand info for the last few days and came up with zero.
I just bought an HP 6500 wireless printer, and after taking 5 minutes to set it up (amazing how easy it is to get hardware working that is supported by Linux) I was happily printing... But I haven't managed to get it to scan from my desktop PC running 9.04. It tells me no device is found. I added the printer to a laptop running 9.10, and it scanned perfectly straight away...
I've been through the Ubuntu help documentation and haven't found a solution. I think that maybe TurboPrint (for our old Canon printer) might have messed something up. I had to uninstall TurboPrint to get the printer to work (it hijacked Ubuntu's built-in printing stuff).
I am writing a script. My requirement is: if files of all types are stored in one directory, we need to separate them into different directories based on the file types.
For example, in a directory (anish) there are 5 files of different types: 1 directory, 2 .txt files, 2 .sh files.
My requirement is that the 1 directory is moved to a new directory (dir) which we give in the script, the 2 .txt files are moved to another new directory (test) which we give in the script, and the 2 .sh files are moved to another new directory (bash) which we give in the script; finally the directory anish should be empty. Using a bash script, how is it possible?
The one thing that had stopped me switching over to Ubuntu was getting my scanner to work. I finally resolved this issue. Here are the steps I followed to get it working. When trying to scan with XSane I would get the "device not found" alert. Using the sane-find-scanner command would find the scanner as a USB device:

found USB scanner (vendor=0x04b8, product=0x0851) at libusb:001:006

I amended the "rules" file for xsane, /lib/udev/rules.d/40-libsane.rules, and added the two following lines
[code]...
Now I have a fully working colour scanner. Bye bye Windows!
I have tried several times to do an AV scan with the ASUS-provided software, and each time it says "failed, NO av database found". I tried the "hold the power button depressed and press F9 several times and reboot to factory settings" trick. Nada, zip, nothing. It does update the AV definitions okay. Do I really need to download a good FREE AV? If so, which one?
Do I need a firewall? Cox broadband is my ISP and the free McAfee does not support my Linux OS!
The last few times I booted Ubuntu, the automatic disk check ran and told me that there were "serious errors on /". This had happened once before, but that time I found nothing wrong on booting into Ubuntu. However, this time the scan doesn't seem to progress any further after detecting the error. What is the problem?
I've read that there are a lot of rootkits that exist for Linux. MS Windows has tools where you can boot a "portable" scanner from a CD and scan your whole Windows installation for rootkits. This way you can even scan boot sectors, because you are never actually starting your installed Windows.
Is there anything available like this for Ubuntu? Is there a scanner I can run off the live CD, for example, to scan my Ubuntu installation for rootkits?