Chkrootkit Findings... Please Help!

nitromax

When Chkrootkit runs it emails me the following... should I be concerned? Is anyone else getting this?

/usr/lib/perl5/5.6.1/i386-linux/.packlist /usr/lib/perl5/5.6.1/i686-linux/auto/File/Spec/.packlist /usr/lib/perl5/5.6.1/i686-linux/auto/CPAN/.packlist /usr/lib/perl5/5.6.1/i686-linux/auto/Test/Harness/.packlist /usr/lib/perl5/5.6.1/i686-linux/auto/Storable/.packlist /usr/lib/perl5/5.6.1/i686-linux/auto/Time/HiRes/.packlist /usr/lib/perl5/5.6.1/i686-linux/auto/DB_File/.packlist /usr/lib/perl5/5.6.1/i686-linux/auto/ExtUtils/MakeMaker/.packlist /usr/lib/perl5/5.6.1/i686-linux/auto/CGI/.packlist /usr/lib/perl5/5.6.1/i686-linux/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Digest/MD5/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Digest/SHA1/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Digest/HMAC/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Digest/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Compress/Zlib/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Net/Telnet/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Net/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Net/Daemon/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Net/SSLeay/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Net/ICQV5CD/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Net/ICQV5/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Net/ICQ/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Net/AIM/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Net/DNS/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Term/ReadKey/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Term/ReadLine/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/CPAN/WAIT/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Test/Simple/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Archive/Tar/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Archive/Zip/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/MIME/Base64/.packlist 
/usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/MIME/Lite/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Mail/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Mail/SpamAssassin/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/IO-stringy/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/MIME-tools/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/RPC/PlServer/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/DBI/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/DBD/Multiplex/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/DBD/mysql/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/URI/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/HTML/Tagset/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/HTML/Parser/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/HTML/FillInForm/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/HTML/Clean/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/HTML/SimpleParse/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/libwww-perl/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/OLE/Storage_Lite/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Image/Size/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Safe/Hole/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Tie/ShadowHash/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Tie/Watch/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Tie/IxHash/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Business/UPS/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Business/OnlinePayment/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Business/OnlinePayment/AuthorizeNet/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/SQL/Statement/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Spreadsheet/ParseExcel/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Spreadsheet/WriteExcel/.packlist 
/usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Parse/RecDescent/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Text/Balanced/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Text/CSV_XS/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Text/Glob/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Convert/ASN1/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Convert/BER/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/perl-ldap/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/MLDBM/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/MLDBM/Sync/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Devel/Symdump/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/XML/Parser/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/XML/RegExp/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/XML/XSLT/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Persistent/Base/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Persistent/DBI/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Crypt/Blowfish/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Crypt/Blowfish_PP/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Crypt/CBC/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Crypt/DES/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Crypt/SSLeay/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/libxml-perl/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/XML-DOM/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Curses/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Apache/Filter/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Apache/Mysql/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/mod_perl/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Data/ShowTable/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Data/Dumper/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/GD/Graph/.packlist 
/usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/GD/Graph3d/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/GD/Text/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/GD/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/IO/Stty/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/IO/Tty/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/SOAP/Lite/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/MD5/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Tree/MultiNode/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Number/Compare/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/File/Find/Rule/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Storable/.packlist /usr/lib/php/.registry /usr/lib/php/.lock /usr/lib/php/.filemap /usr/lib/php/.registry INFECTED (PORTS: 465)
 

chirpy

Nothing to be concerned about. That huge list of files are perl .package files and can be ignored (chkrootkit looks for any files on disk starting only with a . in vulnerable places).

Port 465 is for secure SMTP or smtps and is exim and can also be ignored.
 

nitromax

Ok, thanks. Do you know if there is a way to stop chkrootkit from looking at those files or directories so that it stops reporting that?
 

chirpy

Within chkrootkit, no, I don't think so, no. It's one of the "quirks" of chkrootkit. It's often discussed on the chkrootkit discussion group. You soon learn to ignore them.

If you really want to ignore them, you could do something like this:

./chkrootkit -q | grep -v .packlist
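
An added example, not part of the original posts and not chkrootkit's own code: instead of dropping lines with grep -v, this script suppresses only dot-file names and port owners that have been reviewed, and prints everything else for a human. The names BENIGN_DOTFILES, EXPECTED_LISTENERS and triage, the "port:program" owner format and the sample report are assumptions made for the example.

```shell
#!/bin/sh
# Added example: triage chkrootkit -q output rather than hiding it with grep -v.
# Hypothetical names: BENIGN_DOTFILES, EXPECTED_LISTENERS, triage, and the
# "port:program" owner format (distil it yourself from netstat or ss output).

# Dot-file basenames reviewed and accepted on this host.
BENIGN_DOTFILES='.packlist .registry .lock .filemap'
# Listeners this host is supposed to have (465 = smtps served by exim).
EXPECTED_LISTENERS='465:exim'

# triage REPORT OWNERS -> prints only the findings that still need a human.
triage() {
    printf '%s\n' "$1" | awk -v benign="$BENIGN_DOTFILES" \
        -v expected="$EXPECTED_LISTENERS" -v owners="$2" '
    BEGIN {
        n = split(benign, a, " ");   for (i = 1; i <= n; i++) ok[a[i]] = 1
        n = split(expected, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1
        n = split(owners, a, " ")
        for (i = 1; i <= n; i++) { split(a[i], kv, ":"); owner[kv[1]] = kv[2] }
    }
    {
        # Paths from the dot-file test: keep any basename not yet reviewed.
        for (i = 1; i <= NF; i++) if ($i ~ /^\//) {
            base = $i; sub(/.*\//, "", base)
            if (!(base in ok)) print "REVIEW file " $i
        }
        # bindshell test: "INFECTED (PORTS: 465)" only says the port is open,
        # so the verdict depends on which program owns the listener.
        if (match($0, /PORTS:[ 0-9]+/)) {
            m = split(substr($0, RSTART + 6, RLENGTH - 6), p, " ")
            for (i = 1; i <= m; i++) {
                who = (p[i] in owner) ? owner[p[i]] : "unknown"
                key = p[i] ":" who
                if (!(key in want)) print "REVIEW port " p[i] " owned by " who
            }
        }
    }'
}

# Constructed sample modelled on the report quoted in the thread; the
# .example path and port 1524 are made up to show a finding that survives.
SAMPLE='/usr/lib/perl5/5.6.1/i386-linux/.packlist /usr/lib/php/.lock /usr/lib/.example
INFECTED (PORTS: 465 1524)'
triage "$SAMPLE" '465:exim 22:sshd'
```

A port 465 listener owned by anything other than exim is still reported, which a plain text filter on the report cannot distinguish.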
 

swampy

chkrootkit

I have a new box, 3 days old. I have installed this chkrootkit on my box and have scanned it manually. I get this; it says I am infected:

Checking `bindshell'... INFECTED (PORTS: 465)

I do not understand, being a newbie, what I have to do to remove the infected thing. Also, I have tried to set up a cron to email me, but all I get is a blank email. This is my script; can someone please tell me if this is OK?

0 1 * * * cd /root/chkrootkit-0.43 ./chkrootkit 2>&1 | mail -s "chkrootkit output" root
 

dennis

Originally posted by nitromax
When Chkrootkit runs it emails me the following... should I be concerned? Is anyone else getting this?

linux/auto/Storable/.packlist /usr/lib/php/.registry /usr/lib/php/.lock /usr/lib/php/.filemap /usr/lib/php/.registry INFECTED (PORTS: 465)