* [gentoo-amd64] rkhunter results
From: Paul Stear @ 2010-09-28 9:34 UTC
To: gentoo-amd64
Hi all,
rkhunter runs every day and reports the following:-
System checks summary
=====================
File properties checks...
Files checked: 142
Suspect files: 141
Rootkit checks...
Rootkits checked : 246
Possible rootkits: 2
Rootkit names : Xzibit Rootkit, Dica-Kit Rootkit
Any idea how I find and remove these Rootkits?
thanks for any help
Paul
--
This message has been sent using kmail on gentoo.
* Re: [gentoo-amd64] rkhunter results
From: Thanasis @ 2010-10-09 9:28 UTC
To: gentoo-amd64; +Cc: Paul Stear
on 09/28/2010 12:34 PM Paul Stear wrote the following:
> Hi all,
> rkhunter runs every day and reports the following:-
>
> System checks summary
> =====================
>
> File properties checks...
> Files checked: 142
> Suspect files: 141
>
> Rootkit checks...
> Rootkits checked : 246
> Possible rootkits: 2
> Rootkit names : Xzibit Rootkit, Dica-Kit Rootkit
>
> Any idea how I find and remove these Rootkits?
>
> thanks for any help
> Paul
Did you check the log file (/var/log/rkhunter.log)?
* [gentoo-amd64] Re: rkhunter results
From: Duncan @ 2010-10-10 11:10 UTC
To: gentoo-amd64
Thanasis posted on Sat, 09 Oct 2010 12:28:26 +0300 as excerpted:
> on 09/28/2010 12:34 PM Paul Stear wrote the following:
>> Hi all,
>> rkhunter runs every day and reports the following:-
>>
>> System checks summary
>> =====================
>>
>> File properties checks...
>> Files checked: 142
>> Suspect files: 141
>>
>> Rootkit checks...
>> Rootkits checked : 246
>> Possible rootkits: 2
>> Rootkit names : Xzibit Rootkit, Dica-Kit Rootkit
>>
>> Any idea how I find and remove these Rootkits?
>>
>> thanks for any help
>> Paul
> Did you check the log file (/var/log/rkhunter.log)?
If rkhunter is based on recorded file checksums, it's obviously going to
have false-positives every time you update the files it checks, which
tends to be reasonably frequent for many gentoo users (especially ~arch
users), given gentoo's rolling update nature.
That's very possibly why it's saying 141 out of 142 files are suspect. A
possible workaround would be running it before every update, to be sure,
then running it after the update to update its checksums.
But that doesn't explain the possible rootkits detected. Of course,
depending on how it detects specific rootkits, that too may have false
positives. If it happens to the big AV folks like Norton and McAfee, and
it does, it's going to happen to everyone, occasionally.
--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
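As an added illustration of the two suggestions in this thread, checking /var/log/rkhunter.log and reconciling file-property warnings with a package update, here is a Python script that is not code from the thread or from rkhunter itself. It parses a constructed log excerpt (the line layout, timestamp prefix plus indented continuation lines, is an approximation of rkhunter's log and an assumption), separates "file properties have changed" warnings from rootkit-signature hits, and marks a changed file as explained only when its current hash matches the hash the package manager recorded for the installed version. The `KNOWN_PACKAGE_HASHES` table is constructed; on a real system it would be fed from the package database, which is not shown here.

```python
"""Triage an rkhunter log: file-property warnings vs. rootkit-signature hits."""
import re
from dataclasses import dataclass, field

# Constructed excerpt; the layout approximates rkhunter's log (assumption).
SAMPLE_LOG = """\
[09:34:01] Info: Starting file property checks
[09:34:02] Warning: The file properties have changed:
[09:34:02]          File: /bin/ls
[09:34:02]          Current hash: 1111aaaa
[09:34:02]          Stored hash : 2222bbbb
[09:34:02] Warning: The file properties have changed:
[09:34:02]          File: /usr/bin/ssh
[09:34:02]          Current hash: 3333cccc
[09:34:02]          Stored hash : 4444dddd
[09:34:05] Info: Starting rootkit checks
[09:34:06] Checking for Dica-Kit Rootkit...
[09:34:06] Warning: Dica-Kit Rootkit                 [ Warning ]
[09:34:06]          Found file '/tmp/.constructed-example'
[09:34:07] Checking for Xzibit Rootkit...
[09:34:07] Warning: Xzibit Rootkit                   [ Warning ]
[09:34:07]          Found string in file '/etc/init.d/local'
"""

# Constructed: hash the package manager recorded for the installed version.
# /bin/ls matches its current hash (a package update explains the change);
# /usr/bin/ssh does not, so that warning still needs a human look.
KNOWN_PACKAGE_HASHES = {"/bin/ls": "1111aaaa", "/usr/bin/ssh": "9999ffff"}

TIMESTAMP = re.compile(r"^\[\d{2}:\d{2}:\d{2}\]\s?")
ROOTKIT_HIT = re.compile(r"Warning: (.+?)\s+\[ Warning \]$")


@dataclass
class FileWarning:
    path: str = ""
    current_hash: str = ""
    stored_hash: str = ""


@dataclass
class RootkitHit:
    name: str
    evidence: list = field(default_factory=list)


@dataclass
class Report:
    file_warnings: list = field(default_factory=list)
    rootkit_hits: list = field(default_factory=list)


def parse_rkhunter_log(text):
    """Group each top-level Warning line with the indented lines that follow it."""
    report = Report()
    current = None  # warning block that owns the next indented lines
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw, count=1)
        indented = line.startswith(" ")
        line = line.strip()
        if not line:
            continue
        if line == "Warning: The file properties have changed:":
            current = FileWarning()
            report.file_warnings.append(current)
            continue
        m = ROOTKIT_HIT.match(line)
        if m:
            current = RootkitHit(name=m.group(1))
            report.rootkit_hits.append(current)
            continue
        if indented and current is not None:
            if isinstance(current, FileWarning):
                key, _, value = line.partition(":")
                key, value = key.strip().lower(), value.strip()
                if key == "file":
                    current.path = value
                elif key == "current hash":
                    current.current_hash = value
                elif key == "stored hash":
                    current.stored_hash = value
            else:
                current.evidence.append(line)
        else:
            current = None  # any other top-level line closes the block
    return report


def reconcile(report, package_hashes):
    """Split changed files into 'explained by an update' and 'investigate'."""
    explained, unexplained = [], []
    for fw in report.file_warnings:
        if package_hashes.get(fw.path) == fw.current_hash:
            explained.append(fw.path)
        else:
            unexplained.append(fw.path)
    return explained, unexplained


def summarize(report, package_hashes):
    explained, unexplained = reconcile(report, package_hashes)
    return {
        "suspect_files": len(report.file_warnings),
        "explained_by_update": explained,
        "needs_investigation": unexplained,
        "possible_rootkits": [h.name for h in report.rootkit_hits],
    }


if __name__ == "__main__":
    print(summarize(parse_rkhunter_log(SAMPLE_LOG), KNOWN_PACKAGE_HASHES))
```

The point of the reconciliation step is that a changed hash is only benign when it is the hash the package manager itself installed; Duncan's "run it after the update to update its checksums" corresponds to rkhunter's `--propupd` option, which refreshes the stored properties, and it should only be run once the changes have been accounted for this way. Rootkit-signature hits are listed separately because, as the thread notes, they are a different kind of check and a package update does not explain them.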
* Re: [gentoo-amd64] rkhunter results
From: Lie Ryan @ 2010-10-10 13:43 UTC
To: gentoo-amd64
On Tue, Sep 28, 2010 at 7:34 PM, Paul Stear <gentoo@appjaws.plus.com> wrote:
> Hi all,
> rkhunter runs every day and reports the following:-
>
> System checks summary
> =====================
>
> File properties checks...
> Files checked: 142
> Suspect files: 141
>
> Rootkit checks...
> Rootkits checked : 246
> Possible rootkits: 2
> Rootkit names : Xzibit Rootkit, Dica-Kit Rootkit
>
> Any idea how I find and remove these Rootkits?
FYI, some info about Dica-Kit from Sophos:
http://www.sophos.com/security/analyses/viruses-and-spyware/trojdicakit.html
and a quick google search about Xzibit seems to say that rkhunter
often gives false positives for Xzibit. You might want to research
Xzibit, and assess whether or not your case is a false positive.