For whatever it's worth, another rootkit scanner I use is called rkhunter. <br><br><div><span class="gmail_quote">On 10/3/06, <b class="gmail_sendername">Claude Felizardo</b> <<a href="mailto:cafelizardo@gmail.com">cafelizardo@gmail.com
</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">On 9/27/06, Claude Felizardo <<a href="mailto:cafelizardo@gmail.com">
cafelizardo@gmail.com</a>> wrote:<br>> Does anyone on the list use chkrootkit?<br>><br>> I have two Linux boxes running Mandrake's msec suite of security tools<br>> scheduled to run at 4 am. The machine at work is a P4
2.8 GHz box<br>> with SATA and it would usually complete its scans within the hour. My<br>> file server at home is a P3/450 with 3 IDE drives in a RAID-5<br>> configuration and the scan generally took well over 12 hours but since
<br>> it usually completes by the time I get home and I don't often log into<br>> the machine it wasn't a big deal. I figured it was the amount of data<br>> it had to scan and the software RAID. One of the tools msec will use
<br>> is chkrootkit and I discovered that while it's installed at home, it<br>> was never installed on my desktop at work.<br>><br>> This morning I find that it's still running at work with a load avg of<br>>
2.5 while my server at home is at its normal 1.2 during the scan. So<br>> I started looking around and<br>><br>> Crap, I just noticed that it's been scanning the home directories of<br>> everyone at work. Well it managed to generate about 145KB of
<br>> Permission denied messages before I managed to kill it.<br>><br>> Looks like there's a -n option I can use to tell it to skip NFS<br>> mounted directories but what I'd really want to do is have it ignore
<br>> my backup directories as well. msec has some config options to<br>> exclude directories but I don't think it's used by chkrootkit.<br>><br>> I'm running chkrootkit 0.45 and from their website, I see that the
<br>> latest is 0.46a. According to some of the posts to their mailing<br>> list, some people had complained that the -n option didn't support<br>> skipping AFS file systems and was causing a similar problem, not clear
<br>> on what version this was.<br>><br>> Any suggestions?<br>><br>> claude<br><br>Got a little further with this. I had updated to 0.46 which claimed<br>to have fixed nfs skipping issues but it didn't seem to help. Turns
<br>out the nfs skipping part isn't used everywhere. I tracked my slow<br>down problem to some assumptions in the /usr/sbin/chkrootkit shell<br>script.<br><br>The check for aliens which scans for strange files in the home
<br>directories assumes that the $HOME environment variable is defined.<br>Unfortunately when run by root in a cron job, it's not set so it<br>searches the entire directory tree including /dev, /proc and all of<br>the nfs mounts. The quickest solution was to define the HOME variable
<br>in the script that calls chkrootkit and is run every morning.<br><br>The 2nd problem was the check for the Ducoci rootkit. This time it<br>doesn't even use the $HOME environment variable, instead it's starting<br>its search at . which when run by root as a cron again defaults to
<br>the top directory. I have this block commented out for now and may<br>fix the code but does anyone know what the Ducoci rootkit is? I've<br>tried searching for it but all I get is that chkrootkit scans for it.<br>The code is apparently looking for the file
last.cgi.<br><br>Looking at the chkrootkit website, it looks like the last update was<br>nearly a year ago. I have tried contacting the two maintainers but<br>have not gotten a response though it's only been a few days. Any
<br>suggestions?<br><br>btw, the security scans now complete within minutes. Much better than<br>the hours upon hours it was taking before.<br><br>claude<br></blockquote></div><br><br clear="all"><br>-- <br>Matthew Gallizzi
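The cron-wrapper fix Claude describes, as an added example that is not code from the thread or from the chkrootkit project: it pins HOME and the working directory before the scanner starts (so the home-directory checks and the Ducoci check that walks "." no longer fall through to the whole tree), passes chkrootkit's own -n flag to skip NFS mounts, and strips the "Permission denied" noise from the report. The scanner path, the report path and /root as the fallback home are assumptions; adjust them for the box.

```shell
#!/bin/sh
# Added example: cron wrapper for chkrootkit. Not code from the thread or from
# the chkrootkit project. Assumed: the scanner path, the report path, and /root
# as the fallback home for root's cron job.

CHKROOTKIT="${CHKROOTKIT:-/usr/sbin/chkrootkit}"   # assumed install path
REPORT="${REPORT:-/var/log/chkrootkit.log}"        # assumed report location

# cron starts jobs with a minimal environment: HOME is typically unset and the
# working directory is /. chkrootkit's home-directory checks walk $HOME and the
# Ducoci check walks ".", so an unpinned environment means a scan of the whole
# tree (/dev, /proc, every NFS mount). Pin both before the scanner starts.
# $1: directory to use as HOME when the caller did not set one (default /root).
pin_scan_environment() {
    fallback="${1:-/root}"
    if [ -z "${HOME:-}" ]; then
        HOME="$fallback"
    fi
    export HOME
    cd "$HOME" || return 1
}

# Reads scanner output on stdin. Drops the "Permission denied" lines that the
# home-directory walk produces on unreadable NFS homes, passes everything else
# through, and exits non-zero when any line reports INFECTED so the caller can
# react to it.
filter_report() {
    awk '
        /Permission denied/ { next }
        /INFECTED/          { hits++ }
        { print }
        END { exit (hits > 0) }
    '
}

run_scan() {
    pin_scan_environment /root || return 1
    # -n is chkrootkit's own flag for skipping NFS-mounted directories.
    # nice keeps a long scan from competing with interactive users.
    if nice -n 19 "$CHKROOTKIT" -n 2>&1 | filter_report > "$REPORT"; then
        return 0
    fi
    # cron mails anything written to stdout, so a one-line summary is enough.
    echo "chkrootkit reported INFECTED entries; see $REPORT"
    return 1
}

# Start the scan only when invoked as "chkrootkit-cron.sh run", so that sourcing
# the file (for instance to test the helpers) does not kick off a scan.
case "${1:-}" in
    run) run_scan ;;
esac
```

Install it as the 4 am job (`chkrootkit-cron.sh run`) in place of calling chkrootkit directly; because the wrapper exports HOME and cd's into it, the scanner never sees an empty $HOME or a "." that resolves to /.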