
#1 2021-05-09 07:48

aluma
Member
From: Ukraine
Registered: 2018-03-12
Posts: 136

Warning rootkit.

Q4os-2.7 with the latest updates.

From chkrootkit output:
"Suspicious files and directories were found:
/usr/lib/jvm/.java-1.8.0-openjdk-i386.jinfo /usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit /usr/lib/python3/dist-packages/PyQt5/uic/widget-plugins/.noinit".

From rkhunter's output:
"Checking for hidden files and directories [Warning]
[09:37:54] Warning: Hidden directory found: /etc/.java
[09:37:54] Warning: Hidden file found: /usr/sbin/.watch_apt_busy.prepared: POSIX shell script, ASCII text executable
[09:37:54] Warning: Hidden file found: /usr/sbin/.watch_apt_reboot_required.prepared-todo: POSIX shell script, ASCII text executable".

What do you think to do about it?

#2 2021-05-09 14:33

Tolkem
Member
Registered: 2019-10-06
Posts: 487

Re: Warning rootkit.

What do you think to do about it?

It's been years since I last used chkrootkit, and the reason is that it throws many false positives, and this one looks like just that.
https://www.howtoforge.com/community/th … ive.83594/
https://seiler.it/checking-root-kit-dea … positives/

#3 2021-05-09 14:49

q4osteam
Q4OS Team
Registered: 2015-12-06
Posts: 4,230

Re: Warning rootkit.

Yes, that looks like a false positive; in any case it is a Debian upstream issue.

#4 2021-05-09 15:55

aluma
Member
From: Ukraine
Registered: 2018-03-12
Posts: 136

Re: Warning rootkit.

Got it, thanks guys.
In fact, in addition to the empty files/directories, rkhunter also complains about two hidden executable files from the package q4os-base.
But probably it should be so.

#5 2021-05-09 16:08

q4osteam
Q4OS Team
Registered: 2015-12-06
Posts: 4,230

Re: Warning rootkit.

aluma wrote:

.. rkhunter also complains about two hidden executable files from the package q4os-base.

Which files ? What does it report exactly ?

#6 2021-05-09 17:04

aluma
Member
From: Ukraine
Registered: 2018-03-12
Posts: 136

Re: Warning rootkit.

q4osteam wrote:
aluma wrote:

.. rkhunter also complains about two hidden executable files from the package q4os-base.

Which files ? What does it report exactly ?

I posted it in the first post, this is from the log rkhunter:

"[09:37:54] Warning: Hidden file found: /usr/sbin/.watch_apt_busy.prepared: POSIX shell script, ASCII text executable
[09:37:54] Warning: Hidden file found: /usr/sbin/.watch_apt_reboot_required.prepared-todo: POSIX shell script, ASCII text executable".

/usr/sbin/.watch_apt_busy.prepared and /usr/sbin/.watch_apt_reboot_required.prepared-todo are files from q4os-base.

Last edited by aluma (2021-05-09 17:05)


Attachment: снимок47.jpg (85.41 KiB)

#7 2021-05-09 19:00

q4osteam
Q4OS Team
Registered: 2015-12-06
Posts: 4,230

Re: Warning rootkit.

Well, we see it now. These files are just short shell scripts; you can open them and view the code, nothing dubious. In any case, we will move them to a more proper location, thanks for reporting.

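Added example, not code from the thread or from the Q4OS project: the two checks a practitioner would run before accepting "false positive" for a hidden file that rkhunter flagged. On a Debian-based system those are `dpkg -S <path>` (which installed package lists it?) and `dpkg -V <package>` or `debsums -c <package>` (does it still match the checksum the package shipped?). Because both need a real dpkg database, the script below reads the same two formats dpkg keeps under /var/lib/dpkg/info (`<pkg>.list`, `<pkg>.md5sums`) from a directory you point it at, and runs against a constructed fixture. The fixture's package layout, the placeholder script bodies and the extra /usr/sbin/.not_from_any_package file are made up for the demo; only the two q4os-base paths come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the Q4OS project).
# Answers two questions about a path that rkhunter/chkrootkit flagged:
#   1. Is it listed by an installed package?   (real box: dpkg -S PATH)
#   2. Does its md5 still match what the package shipped?
#      (real box: dpkg -V PACKAGE, or debsums -c PACKAGE)
# It reads the same formats dpkg keeps in /var/lib/dpkg/info:
#   PKG.list    - one absolute path per line
#   PKG.md5sums - "MD5  path/relative/to/root" (md5sum -c syntax)
# so it can run here against a constructed fixture.  Pass absolute paths.

# Print the package(s) whose .list file contains PATH; return 1 if none.
owner_of() {
    info_dir=$1; path=$2; found=0
    for list in "$info_dir"/*.list; do
        [ -e "$list" ] || continue
        if grep -qxF -- "$path" "$list"; then
            basename "$list" .list
            found=1
        fi
    done
    [ "$found" -eq 1 ]
}

# Check every file PKG.md5sums records against the tree under ROOT.
# Returns 0 when all hashes match, non-zero otherwise (like debsums -c).
verify_package() {
    info_dir=$1; pkg=$2; root=$3
    (cd "$root" && md5sum -c --quiet "$info_dir/$pkg.md5sums")
}

# Classify one flagged path as owned-ok:PKG, owned-modified:PKG, unowned
# or missing.  "unowned" is the case that deserves real attention.
classify_hidden_file() {
    info_dir=$1; root=$2; path=$3
    [ -f "$root$path" ] || { echo missing; return 0; }
    pkg=$(owner_of "$info_dir" "$path" | head -n 1)
    [ -n "$pkg" ] || { echo unowned; return 0; }
    rel=${path#/}
    expected=$(awk -v f="$rel" '$2 == f { print $1 }' "$info_dir/$pkg.md5sums")
    actual=$(md5sum -- "$root$path" | awk '{ print $1 }')
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        echo "owned-ok:$pkg"
    else
        echo "owned-modified:$pkg"
    fi
}

# Constructed fixture (not a real package): a fake root with the two
# q4os-base paths from the thread, plus one hidden script no package
# claims.  Script bodies are placeholders.  Prints the fixture directory.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/root/usr/sbin" "$fx/info"
    for f in .watch_apt_busy.prepared .watch_apt_reboot_required.prepared-todo; do
        printf '#!/bin/sh\n# placeholder body\n' > "$fx/root/usr/sbin/$f"
        echo "/usr/sbin/$f" >> "$fx/info/q4os-base.list"
    done
    printf '#!/bin/sh\n# placeholder body\n' > "$fx/root/usr/sbin/.not_from_any_package"
    (cd "$fx/root" && md5sum usr/sbin/.watch_apt_busy.prepared \
        usr/sbin/.watch_apt_reboot_required.prepared-todo) > "$fx/info/q4os-base.md5sums"
    echo "$fx"
}

# Demo: as shipped, then after tampering with one of the scripts.
FX=$(make_fixture)
for p in /usr/sbin/.watch_apt_busy.prepared /usr/sbin/.not_from_any_package; do
    echo "$p -> $(classify_hidden_file "$FX/info" "$FX/root" "$p")"
done
echo "appended" >> "$FX/root/usr/sbin/.watch_apt_busy.prepared"
echo "/usr/sbin/.watch_apt_busy.prepared -> $(classify_hidden_file "$FX/info" "$FX/root" /usr/sbin/.watch_apt_busy.prepared)"
if verify_package "$FX/info" q4os-base "$FX/root"; then
    echo "q4os-base: all checksums match"
else
    echo "q4os-base: checksum mismatch (run dpkg -V on a real system)"
fi
rm -rf "$FX"
```

Once a flagged path is confirmed as package-owned and unmodified, the warning can be silenced in /etc/rkhunter.conf with an `ALLOWHIDDENFILE=` (or `ALLOWHIDDENDIR=`) line per path, and `rkhunter --propupd` refreshes its file-property database after a legitimate package update. The caveat is that dpkg's own database lives on the same disk, so a real rootkit can rewrite the .list and .md5sums files along with the binary; that is why rkhunter keeps its own property store and why comparing against a freshly downloaded copy of the package (`apt-get download q4os-base`, then `dpkg-deb -c`/`-x` and compare) or checking from a boot medium is the stronger verification.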
#8 2021-05-09 19:45

aluma
Member
From: Ukraine
Registered: 2018-03-12
Posts: 136

Re: Warning rootkit.

Anyway, thanks for a great job!
You managed to combine Debian with Trinity. I can give you a practical example of when this fails.

Just a note.
Based on UNIX concepts (the ancestors of Linux), hidden files are configuration files, hidden so as not to interfere with application files. Hence, a hidden executable is nonsense.
But since the advent of systemd, when the system settings from /etc/ have been "smeared" across the directory tree, I am no longer surprised. :)

Powered by FluxBB