^No file /var/log/chkrootkit/log\.expected$
^This file should contain expected output from chkrootkit$
^$
^Today's run produced the following output:$
^--- \[ BEGIN: cat /var/log/chkrootkit/log\.today \] ---$
^ROOTDIR is `/'$
^Checking `amd'\.\.\. not infected$
^Checking `basename'\.\.\. not infected$
^Checking `biff'\.\.\. not infected$
^Checking `chfn'\.\.\. not infected$
^Checking `chsh'\.\.\. not infected$
^Checking `cron'\.\.\. not infected$
^Checking `crontab'\.\.\. not infected$
^Checking `date'\.\.\. not infected$
^Checking `du'\.\.\. not infected$
^Checking `dirname'\.\.\. not infected$
^Checking `echo'\.\.\. not infected$
^Checking `egrep'\.\.\. not infected$
^Checking `env'\.\.\. not infected$
^Checking `find'\.\.\. not infected$
^Checking `fingerd'\.\.\. not infected$
^Checking `gpm'\.\.\. not infected$
^Checking `grep'\.\.\. not infected$
^Checking `hdparm'\.\.\. not infected$
^Checking `su'\.\.\. not infected$
^Checking `ifconfig'\.\.\. not infected$
^Checking `inetd'\.\.\. not infected$
^Checking `inetdconf'\.\.\. not infected$
^Checking `identd'\.\.\. not infected$
^Checking `init'\.\.\. not infected$
^Checking `killall'\.\.\. not infected$
^Checking `ldsopreload'\.\.\. not infected$
^Checking `login'\.\.\. not infected$
^Checking `ls'\.\.\. not infected$
^Checking `lsof'\.\.\. not infected$
^Checking `mail'\.\.\. not infected$
^Checking `mingetty'\.\.\. not infected$
^Checking `netstat'\.\.\. not infected$
^Checking `named'\.\.\. not infected$
^Checking `passwd'\.\.\. not infected$
^Checking `pidof'\.\.\. not infected$
^Checking `pop2'\.\.\. not infected$
^Checking `pop3'\.\.\. not infected$
^Checking `ps'\.\.\. not infected$
^Checking `pstree'\.\.\. not infected$
^Checking `rpcinfo'\.\.\. not infected$
^Checking `rlogind'\.\.\. not infected$
^Checking `rshd'\.\.\. not infected$
^Checking `slogin'\.\.\. not infected$
^Checking `sendmail'\.\.\. not infected$
^Checking `sshd'\.\.\. not infected$
^Checking `syslogd'\.\.\. not infected$
^Checking `tar'\.\.\. not infected$
^Checking `tcpd'\.\.\. not infected$
^Checking `tcpdump'\.\.\. not infected$
^Checking `top'\.\.\. not infected$
^Checking `telnetd'\.\.\. not infected$
^Checking `timed'\.\.\. not infected$
^Checking `traceroute'\.\.\. not infected$
^Checking `vdir'\.\.\. not infected$
^Checking `w'\.\.\. not infected$
^Checking `write'\.\.\. not infected$
^Checking `aliens'\.\.\. started$
^Searching for suspicious files in /dev\.\.\. not found$
^Searching for known suspicious directories\.\.\. not found$
^Searching for known suspicious files\.\.\. not found$
^Searching for sniffer's logs\.\.\. not found$
^Searching for HiDrootkit rootkit\.\.\. not found$
^Searching for t0rn rootkit\.\.\. not found$
^Searching for t0rn v8 \(or variation\)\.\.\. not found$
^Searching for Lion rootkit\.\.\. not found$
^Searching for RSHA rootkit\.\.\. not found$
^Searching for RH-Sharpe rootkit\.\.\. not found$
^Searching for Ambient \(ark\) rootkit\.\.\. not found$
^Searching for suspicious files and dirs\.\.\. WARNING$
^WARNING: The following suspicious files and directories were found:$
^(/usr)?/lib/\.1 \[Not from a Debian package\]$
^(/usr)?/lib/\.aaa \[Not from a Debian package\]$
^(/usr)?/lib/\.1DIR \[Not from a Debian package\]$
^(/usr)?/lib/\.\.\.DIR \[Not from a Debian package\]$
^(/usr)?/lib/\.bbb \[Not from a Debian package\]$
^(/usr)?/lib/\.DIR-aaa \[Not from a Debian package\]$
^(/usr)?/lib/\.\.\. \[Not from a Debian package\]$
^$
^Searching for LPD Worm\.\.\. not found$
^Searching for Ramen Worm rootkit\.\.\. not found$
^Searching for Maniac rootkit\.\.\. not found$
^Searching for RK17 rootkit\.\.\. not found$
^Searching for Ducoci rootkit\.\.\. not found$
^Searching for Adore Worm\.\.\. not found$
^Searching for ShitC Worm\.\.\. not found$
^Searching for Omega Worm\.\.\. not found$
^Searching for Sadmind/IIS Worm\.\.\. not found$
^Searching for MonKit\.\.\. not found$
^Searching for Showtee rootkit\.\.\. not found$
^Searching for OpticKit\.\.\. not found$
^Searching for T\.R\.K\.\.\. not found$
^Searching for Mithra rootkit\.\.\. not found$
^Searching for OBSD rootkit v1\.\.\. not tested$
^Searching for LOC rootkit\.\.\. not found$
^Searching for Romanian rootkit\.\.\. not found$
^Searching for HKRK rootkit\.\.\. not found$
^Searching for Suckit rootkit\.\.\. not found$
^Searching for Volc rootkit\.\.\. not found$
^Searching for Gold2 rootkit\.\.\. not found$
^Searching for TC2 rootkit\.\.\. not found$
^Searching for Anonoying rootkit\.\.\. not found$
^Searching for ZK rootkit\.\.\. not found$
^Searching for ShKit rootkit\.\.\. not found$
^Searching for AjaKit rootkit\.\.\. not found$
^Searching for zaRwT rootkit\.\.\. not found$
^Searching for Madalin rootkit\.\.\. not found$
^Searching for Fu rootkit\.\.\. not found$
^Searching for Kenga3 rootkit\.\.\. not found$
^Searching for ESRK rootkit\.\.\. not found$
^Searching for rootedoor\.\.\. not found$
^Searching for ENYELKM rootkit\.\.\. not found$
^Searching for common ssh-scanners\.\.\. not found$
^Searching for Linux/Ebury 1\.4 - Operation Windigo\.\.\. (not found|not tested)$
^Searching for Linux/Ebury 1\.6\.\.\. (not found|not tested)$
^Searching for 64-bit Linux Rootkit\.\.\. not found$
^Searching for 64-bit Linux Rootkit modules\.\.\. not found$
^Searching for Mumblehard\.\.\. not found$
^Searching for Backdoor\.Linux\.Mokes\.a\.\.\. not found$
^Searching for Malicious TinyDNS\.\.\. not found$
^Searching for Linux\.Xor\.DDoS\.\.\. WARNING$
^WARNING: Possible Linux\.Xor\.DDoS installed:$
^/tmp/test-chkrootkit-false-positive \[Not from a Debian package\]$
^/tmp/clean/.+$
^Searching for Linux\.Proxy\.1\.0\.\.\. not found$
^Searching for CrossRAT\.\.\. not found$
^Searching for Hidden Cobra\.\.\. not found$
^Searching for Rocke Miner rootkit\.\.\. not found$
^Searching for PWNLNX4 lkm rootkit\.\.\. not found$
^Searching for PWNLNX6 lkm rootkit\.\.\. not found$
^Searching for Umbreon lrk\.\.\. not found$
^Searching for Kinsing\.a backdoor rootkit\.\.\. not found$
^Searching for RotaJakiro backdoor rootkit\.\.\. not found$
^Searching for Syslogk LKM rootkit\.\.\. not found$
^Searching for Kovid LKM rootkit\.\.\. not tested$
^Searching for Tsunami DDoS Malware rootkit\.\.\. not found$
^Searching for Linux BPF Door\.\.\. not found$
^Searching for suspect PHP files\.\.\. not found$
^Searching for zero-size shell history files in /root\.\.\. not found$
^Searching for hardlinked shell history files in /root\.\.\. not found$
^Checking `aliens'\.\.\. finished$
^Checking `asp'\.\.\. not infected$
^Checking `bindshell'\.\.\. not found$
^Checking `lkm'\.\.\. started$
^Searching for Adore LKM\.\.\. not tested$
^Searching for sebek LKM \(Adore based\)\.\.\. not tested$
^Searching for knark LKM rootkit\.\.\. not found$
^Searching for for hidden processes with chkproc\.\.\. not found$
^Searching for for hidden directories using chkdirs\.\.\.
^Checking `lkm'\.\.\. finished$
^Checking `rexedcs'\.\.\. not found$
^Checking `sniffer'\.\.\. not found$
^Checking `w55808'\.\.\. not found$
^Checking `wted'\.\.\. not (tested|found)$
^Checking `scalper'\.\.\. not found$
^Checking `slapper'\.\.\. not found$
^Checking `z2'\.\.\. not (tested|found)$
^Checking `chkutmp'\.\.\.
^Checking `OSX_RSPLUG'\.\.\. not tested$
^--- \[ END: cat /var/log/chkrootkit/log\.today \] ---$
^To create this file containing all output from today's run, do \(as root\)$
^# cp -a /var/log/chkrootkit/log\.today /var/log/chkrootkit/log\.expected$
^# \(note that unedited output is in /var/log/chkrootkit/log\.today\.raw\)$