
Chkrootkit Findings... Please Help!

Discussion in 'General Discussion' started by nitromax, Feb 15, 2004.

  1. nitromax

    When Chkrootkit runs it emails me the following... should I be concerned? Is anyone else getting this?

    /usr/lib/perl5/5.6.1/i386-linux/.packlist /usr/lib/perl5/5.6.1/i686-linux/auto/File/Spec/.packlist /usr/lib/perl5/5.6.1/i686-linux/auto/CPAN/.packlist /usr/lib/perl5/5.6.1/i686-linux/auto/Test/Harness/.packlist /usr/lib/perl5/5.6.1/i686-linux/auto/Storable/.packlist /usr/lib/perl5/5.6.1/i686-linux/auto/Time/HiRes/.packlist /usr/lib/perl5/5.6.1/i686-linux/auto/DB_File/.packlist /usr/lib/perl5/5.6.1/i686-linux/auto/ExtUtils/MakeMaker/.packlist /usr/lib/perl5/5.6.1/i686-linux/auto/CGI/.packlist /usr/lib/perl5/5.6.1/i686-linux/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Digest/MD5/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Digest/SHA1/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Digest/HMAC/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Digest/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Compress/Zlib/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Net/Telnet/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Net/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Net/Daemon/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Net/SSLeay/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Net/ICQV5CD/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Net/ICQV5/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Net/ICQ/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Net/AIM/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Net/DNS/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Term/ReadKey/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Term/ReadLine/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/CPAN/WAIT/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Test/Simple/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Archive/Tar/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Archive/Zip/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/MIME/Base64/.packlist 
/usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/MIME/Lite/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Mail/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Mail/SpamAssassin/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/IO-stringy/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/MIME-tools/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/RPC/PlServer/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/DBI/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/DBD/Multiplex/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/DBD/mysql/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/URI/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/HTML/Tagset/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/HTML/Parser/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/HTML/FillInForm/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/HTML/Clean/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/HTML/SimpleParse/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/libwww-perl/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/OLE/Storage_Lite/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Image/Size/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Safe/Hole/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Tie/ShadowHash/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Tie/Watch/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Tie/IxHash/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Business/UPS/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Business/OnlinePayment/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Business/OnlinePayment/AuthorizeNet/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/SQL/Statement/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Spreadsheet/ParseExcel/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Spreadsheet/WriteExcel/.packlist 
/usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Parse/RecDescent/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Text/Balanced/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Text/CSV_XS/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Text/Glob/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Convert/ASN1/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Convert/BER/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/perl-ldap/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/MLDBM/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/MLDBM/Sync/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Devel/Symdump/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/XML/Parser/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/XML/RegExp/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/XML/XSLT/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Persistent/Base/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Persistent/DBI/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Crypt/Blowfish/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Crypt/Blowfish_PP/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Crypt/CBC/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Crypt/DES/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Crypt/SSLeay/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/libxml-perl/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/XML-DOM/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Curses/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Apache/Filter/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Apache/Mysql/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/mod_perl/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Data/ShowTable/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Data/Dumper/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/GD/Graph/.packlist 
/usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/GD/Graph3d/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/GD/Text/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/GD/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/IO/Stty/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/IO/Tty/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/SOAP/Lite/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/MD5/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Tree/MultiNode/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Number/Compare/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/File/Find/Rule/.packlist /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/Storable/.packlist /usr/lib/php/.registry /usr/lib/php/.lock /usr/lib/php/.filemap /usr/lib/php/.registry INFECTED (PORTS: 465)
     
  2. chirpy

    Nothing to be concerned about. That huge list of files are Perl .package files and can be ignored (chkrootkit looks for any files on disk starting only with a . in vulnerable places).

    Port 465 is for secure SMTP or smtps and is exim and can also be ignored.
     
  3. nitromax

    Ok, thanks. Do you know if there is a way to stop chkrootkit from looking at those files or directories so that it stops reporting that?
     
  4. chirpy

    Within chkrootkit, no, I don't think so, no. It's one of the "quirks" of chkrootkit. It's often discussed on the chkrootkit discussion group. You soon learn to ignore them.

    If you really want to ignore them, you could do something like this:

    ./chkrootkit -q | grep -v '\.packlist'
     
  5. swampy

    chkrootkit

    I have a new box, 3 days old. I have installed this chkrootkit on my box and have scanned it manually. I get this; it says I am infected:

    Checking `bindshell'... INFECTED (PORTS: 465)

    I do not understand, being a newbie, what I have to do to remove the infected thing. Also, I have tried to set up a cron to email me, but all I get is a blank email. This is my script; can someone please tell me if this is OK?

    0 1 * * * cd /root/chkrootkit-0.43 ./chkrootkit 2>&1 | mail -s "chkrootkit output" root
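
An added example, not part of the original posts and not chkrootkit's own code: a narrower alternative to the `grep -v` suggestion above, together with a working form of the cron job. Unlike a line-based `grep -v`, it removes only the `.packlist` paths and a bindshell hit whose sole port is 465, so anything else reported on the same line still reaches the mail. The function names and the sample input are constructed, and treating port 465 as exim's smtps listener is the thread's assumption for this server.

```shell
#!/bin/sh
# Added example: narrow allowlist for `chkrootkit -q` output.

# Drop only the two findings the thread identifies as benign:
#   - Perl .packlist files under /usr/lib/perl5
#   - a bindshell hit whose only reported port is 465 (assumed: exim smtps)
# Everything else on the same line is kept.
filter_chkrootkit() {
    awk '
    /INFECTED \(PORTS:/ {
        ports = $0
        sub(/.*PORTS:[ ]*/, "", ports)
        sub(/\).*/, "", ports)
        gsub(/^ +| +$/, "", ports)
        # Suppress the hit only when 465 is the sole port listed
        if (ports == "465") sub(/INFECTED \(PORTS:[^)]*\)/, "")
    }
    {
        out = ""
        n = split($0, tok, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            if (tok[i] == "") continue
            if (tok[i] ~ /^\/usr\/lib\/perl5\/.*\/\.packlist$/) continue
            out = (out == "" ? tok[i] : out " " tok[i])
        }
        if (out != "") print out
    }'
}

# Cron entry point (assumed to be saved as a script and called from crontab).
# The && matters: without it ./chkrootkit is only an argument to cd and never runs.
# stderr is captured too, so a failed cd or scan shows up in the mail.
report() {
    findings=$( { cd /root/chkrootkit-0.43 && ./chkrootkit -q; } 2>&1 | filter_chkrootkit)
    [ -z "$findings" ] || printf '%s\n' "$findings" | mail -s "chkrootkit output" root
}

# Constructed sample in the shape of the e-mail quoted in the thread.
SAMPLE='/usr/lib/perl5/5.6.1/i386-linux/.packlist /usr/lib/php/.registry /usr/lib/php/.lock
INFECTED (PORTS: 465)'

demo() { printf '%s\n' "$SAMPLE" | filter_chkrootkit; }
```

Before allowlisting port 465 on a given host, confirm which process is actually listening on it (for example with `netstat -tlnp`).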
     
  6. casey

    Port 465 is a false alarm. You can safely ignore it.
     
  7. swampy

    thanks m8
     
  8. dennis

     
  9. swampy

    Re: Re: Chkrootkit Findings... Please Help!

    As above, I was told 465 is a false alarm.
     
