OK, I think I have attached a text file copy of a chkrootkit scan I did on my Knoppix system computer, and it mentions some suspicious files and I don't know if I shouldn't worry about them, or if they are something, what I would have to do to remove them. So, I am trying to post them here, and I really don't know if the file uploaded or not. It shows in the window when I push the attach file button, but, I don't see any indicator that the file is attached at this time. When I post I guess I will know. So, if anyone can tell me what these "suspicious files" are about and what I should do about them, I would really appreciate it.
FWIW, .NET files come with the monthly security updates from Microsoft if you opt to do recommended Windows Updates.
I presume the .NET material is harmless.
Since I don't use any of their .NET services, these updates have somewhat the same characteristic as spam in my situation.
I have to admit I don't get this. Why would there even be .NET files in a Knoppix OS? I don't even know why I would have any files for .NET anything. I certainly haven't installed any .NET on my Knoppix system. Obviously this looks like a directory for a java program in root,usr, but, what does it go to and why? How can I track down what it is doing there?
The following suspicious files and directories were found:
/usr/lib/jvm/.java-1.6.0-openjdk-i386.jinfo /usr/lib/mono/xbuild-frameworks/.NETFramework /usr/lib/debug/.build-id /usr/lib/eclipse/p2/org.eclipse.equinox.p2.engine/.settings /usr/lib/eclipse/p2/org.eclipse.eq
Leaving out the part that's NOT suspicious...
Code:
I've re-formatted the 'suspicious' part of your file in post #1:
root@Microknoppix:/home/knoppix# sudo chkrootkit
Searching for suspicious files and dirs, it may take a while...
The following suspicious files and directories were found:
/usr/lib/jvm/.java-1.6.0-openjdk-i386.jinfo
/usr/lib/mono/xbuild-frameworks/.NETFramework
/usr/lib/debug/.build-id
/usr/lib/eclipse/p2/org.eclipse.equinox.p2.engine/.settings
/usr/lib/eclipse/p2/org.eclipse.equinox.p2.engine/profileRegistry/PlatformProfile.profile/.data
/usr/lib/eclipse/p2/org.eclipse.equinox.p2.engine/profileRegistry/PlatformProfile.profile/.data/.settings
/usr/lib/eclipse/p2/org.eclipse.equinox.p2.engine/profileRegistry/PlatformProfile.profile/.lock
/usr/lib/eclipse/dropins/jdt/plugins/org.eclipse.jdt.debug_3.7.1.dist/.api_description
/usr/lib/eclipse/dropins/sdk/plugins/org.eclipse.pde.build_3.7.0.dist/.api_description
/usr/lib/eclipse/dropins/sdk/plugins/org.eclipse.pde.build_3.7.0.dist/.options
/usr/lib/eclipse/.eclipseproduct
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/28/1/.cp
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/147/1/.cp
/usr/lib/eclipse/plugins/org.eclipse.ui.intro.universal_3.2.500.dist/.api_description
/usr/lib/eclipse/plugins/org.eclipse.ui.intro.universal_3.2.500.dist/.options
/usr/lib/eclipse/plugins/org.eclipse.core.runtime.compatibility.registry_3.5.0.dist/.api_description
/usr/lib/eclipse/plugins/org.eclipse.ui.workbench.compatibility_3.2.100.dist/.api_description
/usr/lib/xulrunner-1.9.1/.autoreg
/usr/lib/python2.6/dist-packages/PyQt4/uic/widget-plugins/.noinit
/usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit
/usr/lib/pymodules/python2.6/.path
/usr/lib/pymodules/python2.7/.path
/usr/lib/icedove/.autoreg
/lib/init/rw/.mdadm
/usr/lib/mono/xbuild-frameworks/.NETFramework
/usr/lib/debug/.build-id
/usr/lib/eclipse/p2/org.eclipse.equinox.p2.engine/.settings
/usr/lib/eclipse/p2/org.eclipse.equinox.p2.engine/profileRegistry/PlatformProfile.profile/.data
/usr/lib/eclipse/p2/org.eclipse.equinox.p2.engine/profileRegistry/PlatformProfile.profile/.data/.settings
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/28/1/.cp
/usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/147/1/.cp
/lib/init/rw/.mdadm
I don't know what it all means, but .NET is only part of what you've been told is suspicious.
Everything seems to be in either /usr/lib or /lib.
Start here, I guess.
a. what is eclipse, anyway.
b. what is .mdadm good for
c. etc...
knoppix@Microknoppix:~$ apropos eclipse
eclipse (1) - extensible tool platform and Java IDE
This is what the system says about eclipse, and it seems to go with the Java .Net platform that as far as I know doesn't exist.
It would appear that the .mdadm file is part of the RAID software. I don't actually have any RAID drives either, but the motherboard is capable of supporting RAID.
knoppix@Microknoppix:~$ apropos .mdadm
mdadm.conf (5) - configuration for management of Software RAID with mdadm
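Added example, not part of any post in this thread: one way to answer "how can I track down what it is doing there" is to look up each flagged path in the package manager's file lists. It assumes a dpkg-based system (Knoppix is Debian-based) with file lists in /var/lib/dpkg/info; the function names and the demo package names `pkg-a` and `pkg-b` are made up for the illustration.

```sh
#!/bin/sh
# Added example: map chkrootkit "suspicious" paths to the package that ships them.
# Assumption: a dpkg-based system (Knoppix is Debian-based), where each package's
# file list is /var/lib/dpkg/info/<package>.list with one path per line.

# extract_paths: chkrootkit output on stdin -> one absolute path per line.
# The scanner prints several paths per line, so split on whitespace
# (paths containing spaces are not handled).
extract_paths() {
    tr -s ' \t' '\n\n' | grep '^/' | LC_ALL=C sort -u
}

# owner_of PATH [INFO_DIR]: print the owning package(s), or UNOWNED.
# UNOWNED is also the answer when INFO_DIR holds no .list files at all.
owner_of() {
    target=$1
    info_dir=${2:-/var/lib/dpkg/info}
    owners=$(grep -lxF -- "$target" "$info_dir"/*.list 2>/dev/null |
        sed -e 's|.*/||' -e 's|\.list$||' | LC_ALL=C sort -u | tr '\n' ' ')
    if [ -n "$owners" ]; then
        printf '%s\n' "${owners% }"
    else
        printf 'UNOWNED\n'
    fi
}

# triage [INFO_DIR]: chkrootkit output on stdin -> "owner<TAB>path" lines.
triage() {
    db_dir=${1:-/var/lib/dpkg/info}
    extract_paths | while IFS= read -r p; do
        printf '%s\t%s\n' "$(owner_of "$p" "$db_dir")" "$p"
    done
}

# demo: constructed package database; pkg-a and pkg-b are made-up names and the
# ownership shown is invented for the demo, not a statement about real packages.
demo() {
    tmp_db=$(mktemp -d)
    printf '%s\n' /usr/lib/eclipse/.eclipseproduct > "$tmp_db/pkg-a.list"
    printf '%s\n' /usr/lib/icedove/.autoreg > "$tmp_db/pkg-b.list"
    printf '%s\n' 'The following suspicious files and directories were found:' \
        '/usr/lib/eclipse/.eclipseproduct /usr/lib/icedove/.autoreg /lib/init/rw/.mdadm' |
        triage "$tmp_db"
    rm -rf "$tmp_db"
}
```

After sourcing these functions on the scanned machine, `sudo chkrootkit | triage` reads the real package database. A path that maps to a package only tells you where it came from; paths reported as UNOWNED are the ones that need a manual look.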