
Possible rootkit: Xzibit Rootkit ????

Discussion in 'Security' started by furquan, Dec 4, 2009.

  1. furquan

    furquan Well-Known Member

    Joined:
    Jul 27, 2002
    Messages:
    471
    Likes Received:
    4
    Trophy Points:
    168
    I installed the latest "Rkhunter 1.3.6", but according to Chirpy from "Configserver", "It does appear to currently throw a false-positive on CentOS v4.8 systems, but you should check this: Possible rootkit: Xzibit Rootkit"

    What does this mean? Should we ignore it or do we have to do something about it? I ask because my server never reported any rootkit prior to the 1.3.6 version.

    Someone please assist.

    Thank you
     
  2. Bailey

    Bailey Well-Known Member

    Joined:
    Aug 12, 2001
    Messages:
    120
    Likes Received:
    1
    Trophy Points:
    318
    Location:
    Wisconsin
    Try installing & running chkrootkit and see if that picks it up as well.

    The best thing to do is to try to verify if it exists by using multiple resources to try to find it. If only rkhunter detects it, and chirpy (who is very respected in terms of server management) is advising it could be a false-positive in rkhunter, then it may be safe to ignore it.

    I say "may be" because there is the remote possibility, of course, the rootkit does indeed exist. So I say "may be safe to ignore it" implying that it's ultimately 100% your decision, and you have to decide what is acceptable risk for yourself.

    Sorry it's not more cut-and-dry.

    :D Bailey
     
  3. furquan

    furquan Well-Known Member

    Thank you so very much for the response :)

    I do have chkrootkit installed on my servers and they do not report anything amiss.

    All they say is "nothing infected" or "not found".

    I hope things are OK. :rolleyes:
     
  4. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    655
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Canada
    You should be good to go then.
     
  5. miahac

    miahac Member

    Joined:
    Aug 12, 2008
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    51
    If you look at your /var/log/rkhunter.log you will see something like this.

    Found string 'hdparm' in file '/etc/rc.d/init.d/vmware-tools'. Possible rootkit: Xzibit Rootkit

    which for me is a false positive ... whew :)
     
  6. furquan

    furquan Well-Known Member

    Well, I found this:

    "Found string 'hdparm' in file '/etc/rc.d/rc.sysinit'. Possible rootkit: Xzibit Rootkit"

    What does this mean? Am I clean?
     
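One way to triage the warnings quoted in this thread, as an added example that is not part of any forum post or of rkhunter itself: it pulls each `Found string ... Possible rootkit` hit out of the log, asks rpm whether the flagged file still matches its package, and prints the matching lines so they can be read. The function names and sample log lines are constructed for illustration, and it assumes an RPM-based system such as the CentOS hosts discussed here.

```sh
#!/bin/sh
# Triage rkhunter "Found string ... Possible rootkit" warnings (added example).
# SAMPLE_LOG is constructed, modelled on the two log lines quoted in this thread.
SAMPLE_LOG="[10:01:02] Found string 'hdparm' in file '/etc/rc.d/init.d/vmware-tools'. Possible rootkit: Xzibit Rootkit
[10:01:02] Found string 'hdparm' in file '/etc/rc.d/rc.sysinit'. Possible rootkit: Xzibit Rootkit
[10:01:03] Checking for string 'hdparm' [ Warning ]"

# parse_hits: log text on stdin -> one "file|string|rootkit" line per hit.
parse_hits() {
    sed -n "s/.*Found string '\([^']*\)' in file '\([^']*\)'\. Possible rootkit: \(.*\)\$/\2|\1|\3/p"
}

# show_context: print the numbered lines of FILE that contain STRING, so the
# admin can read what the startup script actually does with it.
show_context() {
    grep -n -F -- "$1" "$2" 2>/dev/null
}

# triage_file: is FILE owned by an RPM package, and does it still match it?
triage_file() {
    f=$1
    if ! command -v rpm >/dev/null 2>&1; then
        echo "UNVERIFIED $f (rpm not available)"; return 0
    fi
    pkg=$(rpm -qf "$f" 2>/dev/null) || { echo "UNOWNED $f (no package owns it; review by hand)"; return 0; }
    # rpm -Vf verifies the whole owning package; keep only this file's line.
    changed=$(rpm -Vf "$f" 2>/dev/null | awk -v f="$f" '$NF == f')
    if [ -n "$changed" ]; then echo "MODIFIED $f ($pkg): $changed"
    else echo "INTACT $f ($pkg)"; fi
}

# triage_log: run the checks for every hit in an rkhunter log file.
triage_log() {
    parse_hits < "$1" | while IFS='|' read -r file string rootkit; do
        echo "== $rootkit: '$string' in $file"
        triage_file "$file"
        show_context "$string" "$file" | sed 's/^/    /'
    done
}

# Usage: sh triage.sh /var/log/rkhunter.log
if [ -n "${1:-}" ]; then triage_log "$1"; fi
```

An INTACT result only says the file matches what the host's own rpm database records, so where a compromise is seriously suspected the comparison should be repeated against a package copy from trusted media.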