Results 1 to 7 of 7

Thread: chkrootkit scan

  1. #1

    chkrootkit scan

    OK, I think I have attached a text file copy of a chkrootkit scan I did on my Knoppix system computer, and it mentions some suspicious files and I don't know if I shouldn't worry about them, or if they are something, what I would have to do to remove them. So, I am trying to post them here, and I really don't know if the file uploaded or not. It shows in the window when I push the attach file button, but, I don't see any indicator that the file is attached at this time. When I post I guess I will know. So, if anyone can tell me what these "suspicious files" are about and what I should do about them, I would really appreciate it.
    Attached Files Attached Files

  2. #2
    Senior Member registered user
    Join Date
    May 2006
    Location
    Columbia, Maryland USA
    Posts
    1,631
    Greetings, E-Tramp.

    FWIW, .NET files come with the monthly security updates from Microsoft if
    you opt to do recommended Windows Updates.
    I presume the .NET material is harmless.
    Since I dont use any of their .NET services, these updates have the
    somewhat the same characteristic as spam in my situation.

  3. #3
    I have to admit I don't get this. Why would there even be .NET files in a Knoppix OS? I don't even know why I would have any files for .NET anything. I certainly haven't installed any .NET on my Knoppix system. Obviously this looks like a directory for a java program in root,usr, but, what does it go to and why? How can I track down what it is doing there?

    The following suspicious files and directories were found:
    /usr/lib/jvm/.java-1.6.0-openjdk-i386.jinfo /usr/lib/mono/xbuild-frameworks/.NETFramework /usr/lib/debug/.build-id /usr/lib/eclipse/p2/org.eclipse.equinox.p2.engine/.settings /usr/lib/eclipse/p2/org.eclipse.eq

  4. #4
    Senior Member registered user
    Join Date
    May 2006
    Location
    Columbia, Maryland USA
    Posts
    1,631
    Quote Originally Posted by E-Tramp View Post
    The following suspicious files and directories were found:
    Leaving out the part that's NOT suspicious...

    Code:
    I've re-formatted the 'suspicious' part of your file in post #1:
    
    root@Microknoppix:/home/knoppix# sudo chkrootkit
    Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:  
    /usr/lib/jvm/.java-1.6.0-openjdk-i386.jinfo 
    /usr/lib/mono/xbuild-frameworks/.NETFramework
    /usr/lib/debug/.build-id 
    /usr/lib/eclipse/p2/org.eclipse.equinox.p2.engine/.settings 
    /usr/lib/eclipse/p2/org.eclipse.equinox.p2.engine/profileRegistry/PlatformProfile.profile/.data 
    /usr/lib/eclipse/p2/org.eclipse.equinox.p2.engine/profileRegistry/PlatformProfile.profile/.data/.settings 
    /usr/lib/eclipse/p2/org.eclipse.equinox.p2.engine/profileRegistry/PlatformProfile.profile/.lock
    /usr/lib/eclipse/dropins/jdt/plugins/org.eclipse.jdt.debug_3.7.1.dist/.api_description 
    /usr/lib/eclipse/dropins/sdk/plugins/org.eclipse.pde.build_3.7.0.dist/.api_description 
    /usr/lib/eclipse/dropins/sdk/plugins/org.eclipse.pde.build_3.7.0.dist/.options /usr/lib/eclipse/.eclipseproduct
    /usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/28/1/.cp 
    /usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/147/1/.cp 
    /usr/lib/eclipse/plugins/org.eclipse.ui.intro.universal_3.2.500.dist/.api_description 
    /usr/lib/eclipse/plugins/org.eclipse.ui.intro.universal_3.2.500.dist/.options 
    /usr/lib/eclipse/plugins/org.eclipse.core.runtime.compatibility.registry_3.5.0.dist/.api_description 
    /usr/lib/eclipse/plugins/org.eclipse.ui.workbench.compatibility_3.2.100.dist/.api_description 
    /usr/lib/xulrunner-1.9.1/.autoreg /usr/lib/python2.6/dist-packages/PyQt4/uic/widget-plugins/.noinit
    /usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit /usr/lib/pymodules/python2.6/.path 
    /usr/lib/pymodules/python2.7/.path /usr/lib/icedove/.autoreg /lib/init/rw/.mdadm
    /usr/lib/mono/xbuild-frameworks/.NETFramework 
    /usr/lib/debug/.build-id 
    /usr/lib/eclipse/p2/org.eclipse.equinox.p2.engine/.settings 
    /usr/lib/eclipse/p2/org.eclipse.equinox.p2.engine/profileRegistry/PlatformProfile.profile/.data 
    /usr/lib/eclipse/p2/org.eclipse.equinox.p2.engine/profileRegistry/PlatformProfile.profile/.data/.settings
    /usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/28/1/.cp
    /usr/lib/eclipse/configuration/org.eclipse.osgi/bundles/147/1/.cp
    /lib/init/rw/.mdadm
    I don't know what it all means, but .NET is only part of what you've been told is suspicious.
    Everything seems to be in either /usr/lib or /lib.
    Start here, I guess.
    a. what is eclipse, anyway.
    b. what is .mdadm good for
    c. etc...
    Last edited by utu; 03-08-2014 at 03:42 AM.

  5. #5
    Senior Member registered user
    Join Date
    May 2006
    Location
    Columbia, Maryland USA
    Posts
    1,631
    And then there's this to consider:
    http://ubuntuforums.org/showthread.php?t=1544017

  6. #6
    knoppix@Microknoppix:~$ apropos eclipse
    eclipse (1) - extensible tool platform and Java IDE

    This is what the system says about eclipse, and it seems to go with the Java .Net platform that as far as I know doesn't exist.

    It would appear that the .mdadm file is part of the RAID software. I don't actually have a RAID drives either, but the motherboard is capable of supporting RAID.

    knoppix@Microknoppix:~$ apropos .mdadm
    mdadm.conf (5) - configuration for management of Software RAID with mdadm

    knoppix@Microknoppix:~$ apropos python2.7
    python2.7 (1) - an interpreted, interactive, object-oriented programmi...

    Above is all I can get with apropos on Python 2.7.

    Appearantly all of this has something to do with a .Net framework I don't think is even on my system. Lots of questions no answers!

  7. #7
    Quote Originally Posted by utu View Post
    And then there's this to consider:
    http://ubuntuforums.org/showthread.php?t=1544017
    This is a very good point, but, I still wish I knew why I am looking at .Net entries, as I thought that was a Windows operation.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  


A-Tech 8GB DDR3 1600 PC3-12800 Laptop SODIMM 204-Pin Memory RAM PC3L DDR3L 1x 8G picture

A-Tech 8GB DDR3 1600 PC3-12800 Laptop SODIMM 204-Pin Memory RAM PC3L DDR3L 1x 8G

$13.99



HyperX FURY RAM DDR4 16GB 8GB 32GB 4GB 3200 2666 2400 2133 Desktop Memory DIMM picture

HyperX FURY RAM DDR4 16GB 8GB 32GB 4GB 3200 2666 2400 2133 Desktop Memory DIMM

$9.64



CRUCIAL DDR3L 8GB 16GB 32GB 1600 MHz PC3-12800 Laptop Memory RAM SODIMM 204-Pin picture

CRUCIAL DDR3L 8GB 16GB 32GB 1600 MHz PC3-12800 Laptop Memory RAM SODIMM 204-Pin

$14.35



A-Tech 8GB PC3-12800 Desktop DDR3 1600 MHz Non ECC 240-Pin DIMM Memory RAM 1x 8G picture

A-Tech 8GB PC3-12800 Desktop DDR3 1600 MHz Non ECC 240-Pin DIMM Memory RAM 1x 8G

$13.99



A-Tech 16GB 2 x 8GB PC3-12800 Laptop SODIMM DDR3 1600 Memory RAM PC3L 16G DDR3L picture

A-Tech 16GB 2 x 8GB PC3-12800 Laptop SODIMM DDR3 1600 Memory RAM PC3L 16G DDR3L

$27.98



Team T-FORCE VULCAN Z 16GB (2 x 8GB) 288-Pin PC RAM DDR4 3200 (PC4 25600) Intel picture

Team T-FORCE VULCAN Z 16GB (2 x 8GB) 288-Pin PC RAM DDR4 3200 (PC4 25600) Intel

$35.99



HMT84GL7AMR4C-RD 32GB DDR3 Server Memory RAM 14900L ECC REG 4Rx4 SK Hynix Cisco picture

HMT84GL7AMR4C-RD 32GB DDR3 Server Memory RAM 14900L ECC REG 4Rx4 SK Hynix Cisco

$13.99



HyperX FURY DDR4 4GB 8GB 16GB 32GB 3200 2400 2666 Desktop RAM Memory DIMM 288pin picture

HyperX FURY DDR4 4GB 8GB 16GB 32GB 3200 2400 2666 Desktop RAM Memory DIMM 288pin

$23.15



Hynix 64GB 4Rx4 PC4-2133P-L LRDIMM DDR4-17000 ECC Load Reduced Server Memory RAM picture

Hynix 64GB 4Rx4 PC4-2133P-L LRDIMM DDR4-17000 ECC Load Reduced Server Memory RAM

$64.99



Kingston HyperX FURY DDR3 8GB 16GB 32G 1600 1866 1333 Desktop Memory RAM DIMM picture

Kingston HyperX FURY DDR3 8GB 16GB 32G 1600 1866 1333 Desktop Memory RAM DIMM

$39.95