Thread: chkrootkit scan

  1. #1

    chkrootkit scan

    OK, I think I have attached a text file copy of a chkrootkit scan I did on my Knoppix system computer, and it mentions some suspicious files and I don't know if I shouldn't worry about them, or if they are something, what I would have to do to remove them. So, I am trying to post them here, and I really don't know if the file uploaded or not. It shows in the window when I push the attach file button, but, I don't see any indicator that the file is attached at this time. When I post I guess I will know. So, if anyone can tell me what these "suspicious files" are about and what I should do about them, I would really appreciate it.

  2. #2
    Senior Member registered user
    Join Date
    May 2006
    Location
    Columbia, Maryland USA
    Posts
    1,631
    Greetings, E-Tramp.

    FWIW, .NET files come with the monthly security updates from Microsoft if
    you opt to do recommended Windows Updates.
    I presume the .NET material is harmless.
    Since I don't use any of their .NET services, these updates have
    somewhat the same characteristic as spam in my situation.

  3. #3
    I have to admit I don't get this. Why would there even be .NET files in a Knoppix OS? I don't even know why I would have any files for .NET anything. I certainly haven't installed any .NET on my Knoppix system. Obviously this looks like a directory for a Java program in root, usr, but what does it go to and why? How can I track down what it is doing there?

    The following suspicious files and directories were found:
    /usr/lib/jvm/.java-1.6.0-openjdk-i386.jinfo /usr/lib/mono/xbuild-frameworks/.NETFramework /usr/lib/debug/.build-id /usr/lib/eclipse/p2/org.eclipse.equinox.p2.engine/.settings /usr/lib/eclipse/p2/org.eclipse.eq

  4. #4
    Quote Originally Posted by E-Tramp View Post
    The following suspicious files and directories were found:
    Leaving out the part that's NOT suspicious...

    Code:
    I've re-formatted the 'suspicious' part of your file in post #1:
    
    root@Microknoppix:/home/knoppix# sudo chkrootkit
    Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:  
    /usr/lib/jvm/.java-1.6.0-openjdk-i386.jinfo 
    /usr/lib/mono/xbuild-frameworks/.NETFramework
    /usr/lib/debug/.build-id 
    /usr/lib/eclipse/p2/org.eclipse.equinox.p2.engine/.settings 
    /usr/lib/eclipse/p2/org.eclipse.equinox.p2.engine/profileRegistry/PlatformProfile.profile/.data 
    /usr/lib/eclipse/p2/org.eclipse.equinox.p2.engine/profileRegistry/PlatformProfile.profile/.data/.settings 
    /usr/lib/eclipse/p2/org.eclipse.equinox.p2.engine/profileRegistry/PlatformProfile.profile/.lock
    /usr/lib/eclipse/dropins/jdt/plugins/org.eclipse.jdt.debug_3.7.1.dist/.api_description 
    /usr/lib/eclipse/dropins/sdk/plugins/org.eclipse.pde.build_3.7.0.dist/.api_description 
    /usr/lib/eclipse/dropins/sdk/plugins/org.eclipse.pde.build_3.7.0.dist/.options /usr/lib/eclipse/.eclipseproduct
    /usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/28/1/.cp 
    /usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/147/1/.cp 
    /usr/lib/eclipse/plugins/org.eclipse.ui.intro.universal_3.2.500.dist/.api_description 
    /usr/lib/eclipse/plugins/org.eclipse.ui.intro.universal_3.2.500.dist/.options 
    /usr/lib/eclipse/plugins/org.eclipse.core.runtime.compatibility.registry_3.5.0.dist/.api_description 
    /usr/lib/eclipse/plugins/org.eclipse.ui.workbench.compatibility_3.2.100.dist/.api_description 
    /usr/lib/xulrunner-1.9.1/.autoreg /usr/lib/python2.6/dist-packages/PyQt4/uic/widget-plugins/.noinit
    /usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit /usr/lib/pymodules/python2.6/.path 
    /usr/lib/pymodules/python2.7/.path /usr/lib/icedove/.autoreg /lib/init/rw/.mdadm
    /usr/lib/mono/xbuild-frameworks/.NETFramework 
    /usr/lib/debug/.build-id 
    /usr/lib/eclipse/p2/org.eclipse.equinox.p2.engine/.settings 
    /usr/lib/eclipse/p2/org.eclipse.equinox.p2.engine/profileRegistry/PlatformProfile.profile/.data 
    /usr/lib/eclipse/p2/org.eclipse.equinox.p2.engine/profileRegistry/PlatformProfile.profile/.data/.settings
    /usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/28/1/.cp
    /usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/147/1/.cp
    /lib/init/rw/.mdadm
    I don't know what it all means, but .NET is only part of what you've been told is suspicious.
    Everything seems to be in either /usr/lib or /lib.
    Start here, I guess.
    a. what is eclipse, anyway.
    b. what is .mdadm good for
    c. etc...
    Last edited by utu; 03-08-2014 at 03:42 AM.

  5. #5
    And then there's this to consider:
    http://ubuntuforums.org/showthread.php?t=1544017

  6. #6
    Quote Originally Posted by utu View Post
    And then there's this to consider:
    http://ubuntuforums.org/showthread.php?t=1544017
    This is a very good point, but, I still wish I knew why I am looking at .Net entries, as I thought that was a Windows operation.

  7. #7
    knoppix@Microknoppix:~$ apropos eclipse
    eclipse (1) - extensible tool platform and Java IDE

    This is what the system says about eclipse, and it seems to go with the Java .Net platform that as far as I know doesn't exist.

    It would appear that the .mdadm file is part of the RAID software. I don't actually have RAID drives either, but the motherboard is capable of supporting RAID.

    knoppix@Microknoppix:~$ apropos .mdadm
    mdadm.conf (5) - configuration for management of Software RAID with mdadm

    knoppix@Microknoppix:~$ apropos python2.7
    python2.7 (1) - an interpreted, interactive, object-oriented programmi...

    Above is all I can get with apropos on Python 2.7.

    Apparently all of this has something to do with a .Net framework I don't think is even on my system. Lots of questions, no answers!
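
Added example, not part of any post in this thread: one way to triage a chkrootkit "suspicious files" list on a Debian-based system such as Knoppix is to ask `dpkg -S` which installed package ships each flagged path. The function names and the sample text are constructed for illustration; only `dpkg -S` and the path shapes come from the real system and the output quoted above.

```bash
#!/usr/bin/env bash
# Constructed sample in the shape of the scan output quoted in this thread:
# some lines carry two paths, and one path repeats.
SAMPLE='Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/jvm/.java-1.6.0-openjdk-i386.jinfo
/usr/lib/mono/xbuild-frameworks/.NETFramework
/usr/lib/xulrunner-1.9.1/.autoreg /usr/lib/python2.6/dist-packages/PyQt4/uic/widget-plugins/.noinit
/usr/lib/mono/xbuild-frameworks/.NETFramework
/lib/init/rw/.mdadm'

# extract_paths (hypothetical helper): read scanner output on stdin and print
# each distinct absolute path once, in first-seen order. Assumes no spaces in paths.
extract_paths() {
    tr -s ' \t' '\n' | grep -E '^/' | awk '!seen[$0]++'
}

# owner_of (hypothetical helper): print the package whose file list contains
# the path, or UNOWNED when dpkg reports no owner.
owner_of() {
    local out
    if out=$(dpkg -S "$1" 2>/dev/null); then
        # dpkg -S prints "package[, package...]: /path"; keep the package part.
        printf '%s\n' "${out%%: *}" | head -n 1
    else
        echo UNOWNED
    fi
}

# triage: print "owner<TAB>path" for every path found in the scan output on stdin.
triage() {
    if ! command -v dpkg >/dev/null 2>&1; then
        echo "dpkg not found; this check needs a Debian-based system" >&2
        return 2
    fi
    extract_paths | while IFS= read -r path; do
        printf '%s\t%s\n' "$(owner_of "$path")" "$path"
    done
}

# Usage: ./triage.sh saved-scan.txt   (with no argument, runs on the constructed sample)
if [ "$#" -gt 0 ] && [ -r "$1" ]; then
    triage < "$1"
else
    printf '%s\n' "$SAMPLE" | triage || true
fi
```

Paths reported as UNOWNED are not in any installed package's file list, so those are the entries left to inspect by hand.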
