The Community Forums


ifconfig INFECTED! chkrootkit report, help please

Discussion in 'General Discussion' started by sh4ka, Feb 2, 2006.

  1. sh4ka

    sh4ka Well-Known Member

    Today, with my daily scan report on a server, I got "Checking `ifconfig'... INFECTED". I am using jail binaries to make the check, like this: "./chkrootkit -p ../binaries", and in binaries I have of course the binaries chkrootkit uses for the scan.

    I'm using RHES 4 on this server.

    Well, my question is: how can I verify that what the chkrootkit report is telling me is the truth, because rootkit hunter is not giving me any warning. Please, I need to detect whether this is a false positive or a real alarm. In case it is a real alarm, how can I fix this?

    Thanks!
     
  2. sh4ka

    sh4ka Well-Known Member

    Please, anyone? :(
     
  3. randomuser

    randomuser Well-Known Member

    chkrootkit is pretty crappy, but if I remember right, it flags ifconfig as being "infected" if it's in promiscuous mode. Don't quote me on that, it's been a while. Were you maybe running tcpdump or snort or something similar during the time the scan was run?

    I would look at the timestamp on ifconfig, get the md5 checksum for it and compare it with a known good checksum, run strings on it and look for anything unusual, note the file size and file type, etc. I'd also be curious to know if it is in promiscuous mode, and if it is, why is it sniffing?
     
  4. xerophyte

    xerophyte Well-Known Member

    ifconfig belongs to the package named net-tools, and rpm has a verification system which allows you to check the package integrity.

    Do the following:
    Code:
    rpm -V net-tools
    
    If there is no output, also verify that the package is really from Red Hat:

    Code:
    rpm -qi net-tools 
    
    If all of the above is okay, you can ignore the warning from chkrootkit.

    Reference:
    http://www.rpm.org/max-rpm/ch-rpm-verify.html#S1-RPM-VERIFY-WHAT-IT-DOES

    But if rpm -V reports any change to the package, you might want to dig more on the server to see if it has been hacked.

    Hope that helps.
     
  5. jackie46

    jackie46 BANNED


    How come you keep posting this exact message on several different forums? Over at EV1 they have already replied to your question. Why would you need to duplicate it and ask the same thing over here?
     
  6. sh4ka

    sh4ka Well-Known Member

    For me it's very necessary to get more than one answer about the problem. And what is the problem if I ask in other forums? Can't I? The EV1 forums are not my owner, or even the same as the cPanel forums.

    You can choose your methods to investigate and reach your own conclusions about an issue. I'll do it my way, and if I need to ask in other forums because the answers are not so good, no doubt I will.

    Thanks for your reply ;)
     
    #6 sh4ka, Feb 4, 2006
    Last edited: Feb 4, 2006
  7. furquan

    furquan Well-Known Member

    Hello all:

    My apologies for bumping this old thread, but I also got a message from chkrootkit that my ifconfig is infected.

    I ran these two commands:

    root@zeus [/usr/local]# rpm -V net-tools
    S.5..... /sbin/ifconfig

    &

    root@zeus [/usr/local]# rpm -qi net-tools
    Name : net-tools Relocations: (not relocatable)
    Version : 1.60 Vendor: Red Hat, Inc.
    Release : 78.el5 Build Date: Fri 18 Apr 2008 03:24:05 PM IST
    Install Date: Thu 10 Sep 2009 09:11:16 AM IST Build Host: hs20-bc2-3.build.redhat.com
    Group : System Environment/Base Source RPM: net-tools-1.60-78.el5.src.rpm
    Size : 798351 License: GPL
    Signature : DSA/SHA1, Mon 21 Apr 2008 05:30:59 PM IST, Key ID 5326810137017186
    Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
    Summary : Basic networking tools.
    Description :
    The net-tools package contains basic networking tools, including
    ifconfig, netstat, route, and others.


    The output of the first command is a bit confusing. Does it state that I'm infected? And also, how do I find out if my network card is in promiscuous mode?

    Any assistance, please?

    Thank you
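As an added example, not from any poster in this thread: a POSIX shell script that decodes the rpm -V attribute string furquan posted ("S.5....." means size and MD5 differ from the package database, so the binary's contents are not what the RPM installed) and answers the promiscuous-mode question by reading each interface's flags from /sys/class/net, where bit 0x100 is the kernel's IFF_PROMISC. It assumes a Linux host with sysfs; the sample rpm -V line is the one quoted above.

```shell
#!/bin/sh
# Decode one rpm -V attribute string. Each position is one property rpm
# compared against its database: '.' = matches, letter = differs.
decode_rpm_verify() {
    flags=$1 out=""
    while [ -n "$flags" ]; do
        c=${flags%"${flags#?}"}     # first character
        flags=${flags#?}            # drop it
        case $c in
            S) out="$out size" ;;     M) out="$out mode" ;;
            5) out="$out md5" ;;      D) out="$out device" ;;
            L) out="$out symlink" ;;  U) out="$out user" ;;
            G) out="$out group" ;;    T) out="$out mtime" ;;
            *) ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# A size or MD5 mismatch means the installed bytes are not the package's.
# Note this only compares against the local rpm database, which an intruder
# with root can also alter; a clean result is evidence, not proof.
verdict_for() {
    case "$(decode_rpm_verify "$1")" in
        *size*|*md5*) echo content-changed ;;
        "")           echo clean ;;
        *)            echo metadata-changed ;;
    esac
}

# /sys/class/net/<if>/flags is a hex bitmask; IFF_PROMISC is 0x100.
is_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ] && echo yes || echo no
}

# Report every live interface (Linux only; skipped where /sys is absent).
report_promisc() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        dev=${f%/flags}; dev=${dev##*/}
        printf '%s promiscuous: %s\n' "$dev" "$(is_promisc "$(cat "$f")")"
    done
}

# Constructed input: the rpm -V line quoted in this thread.
SAMPLE='S.5..... /sbin/ifconfig'
set -- $SAMPLE
echo "$2: $(decode_rpm_verify "$1") -> $(verdict_for "$1")"
report_promisc
```

For a config file rpm -V prints a type letter (for example "c") between the attributes and the path, so the last field, not the second, is the path in that case.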
     