
Possible rootkit: Xzibit Rootkit ????

Discussion in 'Security' started by furquan, Dec 4, 2009.

  1. furquan

    I installed the latest "Rkhunter 1.3.6", but according to Chirpy from "Configserver", "It does appear to currently throw a false-positive on CentOS v4.8 systems, but you should check this: Possible rootkit: Xzibit Rootkit"

    What does this mean? Should we ignore it or do we have to do something about it? I ask because my server never reported any rootkit on the server prior to ver. 1.3.6.

    Someone please assist.

    Thank you
     
  2. Bailey

    Try installing & running chkrootkit and see if that picks it up as well.

    The best thing to do is to try to verify if it exists by using multiple resources to try to find it. If only rkhunter detects it, and chirpy (who is very respected in terms of server management) is advising it could be a false-positive in rkhunter, then it may be safe to ignore it.

    I say "may be" because there is the remote possibility, of course, the rootkit does indeed exist. So I say "may be safe to ignore it" implying that it's ultimately 100% your decision, and you have to decide what is acceptable risk for yourself.

    Sorry it's not more cut-and-dry.

    :D Bailey
     
  3. furquan

    Thank you so very much for the response :)

    I do have chkrootkit installed on my servers and they do not report anything amiss.

    All they say is "nothing infected" or "not found".

    I hope things are OK. :rolleyes:
     
  4. ramprage

    You should be good to go then.
     
  5. miahac

    If you look at your /var/log/rkhunter.log you will see something like this.

    Found string 'hdparm' in file '/etc/rc.d/init.d/vmware-tools'. Possible rootkit: Xzibit Rootkit

    which for me is a false positive ... whew :)
     
  6. furquan

    Well, I found this:

    " Found string 'hdparm' in file '/etc/rc.d/rc.sysinit'. Possible rootkit: Xzibit Rootkit"

    What does this mean? Am I clean?
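
Added example, not part of any post in this thread and not rkhunter's own code: a shell script for triaging the `Found string ... Possible rootkit` warnings quoted above. It lists each flagged file and, on an RPM-based system such as CentOS, checks whether the file still matches the package that owns it. The function names and the timestamp prefix in the sample log are assumptions.

```shell
#!/bin/sh
# Added example: triage rkhunter "Found string" warnings (hypothetical helper names).

# Constructed sample log; the two warnings reuse the message text quoted in the thread.
rkh_sample_log() {
cat <<'EOF'
[10:12:00] Info: constructed line that is not a warning
[10:12:01]   Found string 'hdparm' in file '/etc/rc.d/init.d/vmware-tools'. Possible rootkit: Xzibit Rootkit
[10:12:01]   Found string 'hdparm' in file '/etc/rc.d/rc.sysinit'. Possible rootkit: Xzibit Rootkit
EOF
}

# Print "file|string|rootkit" for every string-match warning in the log given as $1.
rkh_string_hits() {
    sed -n "s/.*Found string '\([^']*\)' in file '\([^']*\)'\. Possible rootkit: \(.*\)\$/\2|\1|\3/p" "$1"
}

# Classify one flagged file: missing, no-rpm, unowned, intact:<pkg> or modified:<pkg>.
rkh_check_file() {
    f=$1
    [ -e "$f" ] || { echo "missing"; return 0; }
    command -v rpm >/dev/null 2>&1 || { echo "no-rpm"; return 0; }
    pkg=$(rpm -qf "$f" 2>/dev/null) || { echo "unowned"; return 0; }
    # rpm -V lists files that differ from the package; a "5" in the third
    # column of the flags field means the file digest no longer matches.
    if rpm -Vf "$f" 2>/dev/null |
        awk -v f="$f" '$NF == f && substr($1, 3, 1) == "5" { bad = 1 } END { exit !bad }'
    then
        echo "modified:$pkg"
    else
        echo "intact:$pkg"
    fi
}

# Report every hit, its package status, and the lines where the string occurs.
rkh_triage() {
    rkh_string_hits "$1" | while IFS='|' read -r file str kit; do
        printf '%s: "%s" (%s) -> %s\n' "$file" "$str" "$kit" "$(rkh_check_file "$file")"
        grep -n -F -- "$str" "$file" 2>/dev/null | head -n 5
    done
}

# Usage: sh rkh_triage.sh /var/log/rkhunter.log
if [ -n "${1:-}" ]; then rkh_triage "$1"; fi
```

An `intact` result depends on the local RPM database and `rpm` binary, which a root-level compromise can alter, so compare against a known-good copy of the package when the host itself is in doubt.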
     