Chkrootkit发现很多可疑文件和目录,并且/sbin/init已感染

tag-icon tag-icon linux security chkrootkit
Chkrootkit发现很多可疑文件和目录,并且/sbin/init已感染

我刚刚chkrootkit在 Fedora 20 x86_64 上运行。以下是一些可疑的结果。有人知道这些是否是误报吗?我的系统是否受到损害?

以下是可疑文件和目录:

Searching for suspicious files and dirs, it may take a while... 

/usr/lib/.libgcrypt.so.11.hmac /usr/lib/python2.7/site-packages/martian
/testswithbogusmodules/.bogussubpackage /usr/lib/python2.7/site-packages/fail2ban
/tests/files/config/apache-auth/digest_time/.htaccess /usr/lib/python2.7/site-
packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd /usr/lib
/python2.7/site-packages/fail2ban/tests/files/config/apache-auth/noentry
/.htaccess /usr/lib/python2.7/site-packages/fail2ban/tests/files/config/apache-
auth/basic/file/.htaccess /usr/lib/python2.7/site-packages/fail2ban/tests/files
/config/apache-auth/basic/file/.htpasswd /usr/lib/python2.7/site-packages/fail2ban
/tests/files/config/apache-auth/basic/authz_owner/.htaccess /usr/lib/python2.7
/site-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner
/.htpasswd /usr/lib/python2.7/site-packages/fail2ban/tests/files/config/apache-
auth/digest_anon/.htaccess /usr/lib/python2.7/site-packages/fail2ban/tests/files
/config/apache-auth/digest_anon/.htpasswd /usr/lib/python2.7/site-packages
/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess /usr/lib
/python2.7/site-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm
/.htpasswd /usr/lib/python2.7/site-packages/fail2ban/tests/files/config/apache-
auth/digest/.htaccess /usr/lib/python2.7/site-packages/fail2ban/tests/files/config
/apache-auth/digest/.htpasswd /usr/lib/python2.7/site-packages/pylons/docs/en
/.gitignore /usr/lib/python2.7/site-packages/pylons/templates/default_project
/+package+/templates/.distutils_placeholder /usr/lib/python2.7/site-packages
/pylons/templates/minimal_project/+package+/templates/.distutils_placeholder
 /usr/lib/.libssl.so.1.0.1e.hmac /usr/lib/.libcrypto.so.1.0.1e.hmac /usr/lib
/.libssl.so.10.hmac /usr/lib/debug/.build-id /usr/lib/debug/usr/.dwz /usr/lib
/debug/.dwz /usr/lib/mono/xbuild-frameworks/.NETFramework /usr/lib
/.libcrypto.so.10.hmac

    /usr/lib/python2.7/site-packages/martian/tests/withbogusmodules
/.bogussubpackage /usr/lib/debug/.build-id /usr/lib/debug/.dwz /usr/lib
/mono/xbuild-frameworks/.NETFramework

然后是这样的:

Searching for Suckit rootkit... Warning: /sbin/init INFECTED

最后:

Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         1631 tty1   /usr/bin/X :0 vt1 -background none -nolisten tcp -seat seat0 -auth /var/run/kdm/A:0-EiPPra
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected

答案1

据报道,chkrootkit 认为在干净的系统上发现了 Suckit,从而出现误报。这Fedora 错误报告表明从 Fedora 20 开始 chkrootkit 仍然存在问题。

如果没有人登录(如果显示 GUI 登录提示),X 服务器没有 utmp 条目是正常的。

因此,这些结果并不表明您的系统已被感染。当然,这并不意味着您的系统是干净的:精心设计的 rootkit 根据定义是无法检测到的。

相关内容