Gentoo Forums
filtering chkrootkit's false positives
tomek32
Tux's lil' helper

Joined: 30 May 2004
Posts: 139

Posted: Sun May 15, 2005 1:13 pm    Post subject: filtering chkrootkit's false positives

I'm trying to figure out how to automatically filter through the false positive reports from chkrootkit.

Here's the output from all the chkrootkit tools:
Code:
# chkrootkit -q
/usr/lib/nfs/sm/.keep /usr/lib/nfs/sm.bak/.keep /usr/lib/.keep /usr/lib/perl5/5.8.5/i686-linux/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/AppConfig/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Date/Manip/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/CGI/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Chart/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Convert/ASN1/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/DBD/mysql/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/DBI/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Time/Local/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/YAML/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/File/Spec/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/File/Temp/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/GD/Graph/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/GD/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/GD/Text/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/IO/Zlib/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/IO/String/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/MIME/Base64/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Net/Daemon/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/PatchReader/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/RPC/PlServer/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Storable/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Template/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Test/Harness/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Test/Simple/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Text/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/TimeDate/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/URI/.packlist 
/usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/XML/Parser/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/perl-ldap/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Locale/gettext/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Compress/Zlib/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i686-linux/auto/Archive/Tar/.packlist /usr/lib/locale/ru_RU/LC_MESSAGES/.keep /usr/lib/php/php/.registry /usr/lib/php/php/.lock /usr/lib/php/php/.filemap /usr/lib/ccache/bin/.keep /lib/.keep /lib/dev-state/.keep
/usr/lib/php/php/.registry

# ifpromisc
eth0: not promisc and no PF_PACKET sockets

# chklastlog

# chkwtmp

# chkproc -v
PID  2821(/proc/2821): not in readdir output
PID  2821: not in ps output
PID  2822(/proc/2822): not in readdir output
PID  2822: not in ps output
PID  2823(/proc/2823): not in readdir output
PID  2823: not in ps output
PID  2824(/proc/2824): not in readdir output
PID  2824: not in ps output
PID  2825(/proc/2825): not in readdir output
PID  2825: not in ps output
PID  2826(/proc/2826): not in readdir output
PID  2826: not in ps output
PID  2827(/proc/2827): not in readdir output
PID  2827: not in ps output
PID  2828(/proc/2828): not in readdir output
PID  2828: not in ps output
PID  2829(/proc/2829): not in readdir output
PID  2829: not in ps output
PID  2830(/proc/2830): not in readdir output
PID  2830: not in ps output
PID  2831(/proc/2831): not in readdir output
PID  2831: not in ps output
PID  2832(/proc/2832): not in readdir output
PID  2832: not in ps output
PID  2833(/proc/2833): not in readdir output
PID  2833: not in ps output
PID  2834(/proc/2834): not in readdir output
PID  2834: not in ps output
PID  2835(/proc/2835): not in readdir output
PID  2835: not in ps output
PID  2836(/proc/2836): not in readdir output
PID  2836: not in ps output
PID  2837(/proc/2837): not in readdir output
PID  2837: not in ps output
PID  2838(/proc/2838): not in readdir output
PID  2838: not in ps output
PID  2839(/proc/2839): not in readdir output
PID  2839: not in ps output
PID  2840(/proc/2840): not in readdir output
PID  2840: not in ps output
PID  2841(/proc/2841): not in readdir output
PID  2841: not in ps output
PID  2842(/proc/2842): not in readdir output
PID  2842: not in ps output
PID  2843(/proc/2843): not in readdir output
PID  2843: not in ps output
PID  2844(/proc/2844): not in readdir output
PID  2844: not in ps output
PID  2845(/proc/2845): not in readdir output
PID  2845: not in ps output
PID  2846(/proc/2846): not in readdir output
PID  2846: not in ps output
PID  2847(/proc/2847): not in readdir output
PID  2847: not in ps output
PID  2848(/proc/2848): not in readdir output
PID  2848: not in ps output
PID  2849(/proc/2849): not in readdir output
PID  2849: not in ps output
PID  2850(/proc/2850): not in readdir output
PID  2850: not in ps output
PID  2851(/proc/2851): not in readdir output
PID  2851: not in ps output
PID  2852(/proc/2852): not in readdir output
PID  2852: not in ps output
PID  2853(/proc/2853): not in readdir output
PID  2853: not in ps output
PID  2854(/proc/2854): not in readdir output
PID  2854: not in ps output
PID  2855(/proc/2855): not in readdir output
PID  2855: not in ps output
PID  2856(/proc/2856): not in readdir output
PID  2856: not in ps output
PID  2857(/proc/2857): not in readdir output
PID  2857: not in ps output
PID  2858(/proc/2858): not in readdir output
PID  2858: not in ps output
PID  2859(/proc/2859): not in readdir output
PID  2859: not in ps output
PID  2860(/proc/2860): not in readdir output
PID  2860: not in ps output
PID  2861(/proc/2861): not in readdir output
PID  2861: not in ps output
PID  2862(/proc/2862): not in readdir output
PID  2862: not in ps output
PID  2863(/proc/2863): not in readdir output
PID  2863: not in ps output
PID  2864(/proc/2864): not in readdir output
PID  2864: not in ps output
PID  2865(/proc/2865): not in readdir output
PID  2865: not in ps output
PID  2866(/proc/2866): not in readdir output
PID  2866: not in ps output
PID  2867(/proc/2867): not in readdir output
PID  2867: not in ps output
PID  2868(/proc/2868): not in readdir output
PID  2868: not in ps output
PID  2869(/proc/2869): not in readdir output
PID  2869: not in ps output
PID  2870(/proc/2870): not in readdir output
PID  2870: not in ps output
PID  2871(/proc/2871): not in readdir output
PID  2871: not in ps output
PID  2872(/proc/2872): not in readdir output
PID  2872: not in ps output
PID  9745(/proc/9745): not in readdir output
PID  9745: not in ps output
You have    53 process hidden for readdir command
You have    53 process hidden for ps command

# chkdirs /
53     /proc
-1      /proc/22669
-1      /proc/22619
-1      /proc/21829
-1      /proc/21828
-1      /proc/21814
-1      /proc/21813
-1      /proc/21808
-1      /proc/21803
-1      /proc/17975
-1      /proc/17974
-1      /proc/17938
-1      /proc/17937
-1      /proc/17932
-1      /proc/16457
-1      /proc/16448
-1      /proc/16370
-1      /proc/11988
-1      /proc/2819
-26     /proc/2819/task
-1      /proc/2817
-26     /proc/2817/task
-1      /proc/2815
-1      /proc/5525
-1      /proc/5523
-1      /proc/4581
-1      /proc/4580
-1      /proc/4579
-1      /proc/4578
-1      /proc/4573
-1      /proc/10821
-1      /proc/9744
-1      /proc/9744/task
-1      /proc/9704
-1      /proc/7462
-1      /proc/7461
-1      /proc/7460
-1      /proc/7459
-1      /proc/7458
-1      /proc/7457
-1      /proc/7442
-1      /proc/6230
-1      /proc/6215
-1      /proc/6212
-1      /proc/6160
-1      /proc/6128
-1      /proc/6109
-1      /proc/6018
-1      /proc/6017
-1      /proc/6016
-1      /proc/6013
-1      /proc/6012
-1      /proc/6011
-1      /proc/6010
-1      /proc/6009
-1      /proc/6008
-1      /proc/6007
-1      /proc/6006
-1      /proc/5998
-1      /proc/5981
-1      /proc/5324
-1      /proc/5216
-1      /proc/5042
-1      /proc/4301
-1      /proc/4300
-1      /proc/4299
-1      /proc/4287
-1      /proc/119
-1      /proc/12
-1      /proc/11
-1      /proc/9
-1      /proc/10
-1      /proc/6
-1      /proc/5
-1      /proc/4
-1      /proc/3
-1      /proc/2
-1      /proc/1


Then, I set up my daily cron job for chkrootkit like this so far:
Code:
#!/bin/sh

# Each check runs in turn. (An "exec" in front of a plain command replaces the
# shell, so everything after it would never run; exec is only harmless inside a
# pipeline, where it replaces a subshell.)
/usr/sbin/chkrootkit -q | xargs -n1 | /bin/egrep -v '\.keep$|\.packlist$'
/usr/sbin/ifpromisc | /bin/egrep -v '^eth0: not promisc and no PF_PACKET sockets$'
/usr/sbin/chklastlog
/usr/sbin/chkwtmp
/usr/sbin/chkproc -v
/usr/sbin/chkdirs /


First, is it safe to just filter the .keep and .packlist files? Second, how do I know the entries from chkproc and chkdirs are false positives?
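One way to work through both questions, as an added example that is not from any post in this thread: the file filter anchors the benign names (an unescaped `.keep` matches more than intended), and each PID that chkproc calls hidden is checked against the `Tgid` field of `/proc/<pid>/status`, because on kernels that have `/proc/<pid>/task` (2.6 and later) a thread's `/proc/<tid>` can be opened directly but is not listed by readdir of `/proc`, which is exactly the mismatch chkproc reports. A PID whose thread-group leader is itself listed by a plain `ls /proc` is therefore a thread of a visible process, not a hidden one; `PROC_ROOT` is this example's own variable for pointing the check at a test tree, not a chkrootkit option.

```shell
#!/bin/sh
# Added example, not from any post in this thread. PROC_ROOT is an assumption
# of this script (so a fake tree can be used for testing); chkrootkit has no
# such option.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Read chkrootkit -q output on stdin, print one path per line, dropping only
# paths whose final component is a known housekeeping file. The pattern is
# anchored: an unescaped ".keep" would also match names such as "xkeep".
filter_benign_paths() {
    xargs -n1 | grep -Ev '/\.(keep|packlist|registry|lock|filemap)$'
}

# Return 0 if PID (reported hidden by chkproc) is a thread whose thread-group
# leader (Tgid) is listed by a plain readdir of PROC_ROOT, i.e. a visible
# process. Return 1 otherwise: the PID really is unexplained.
hidden_pid_is_thread() {
    pid=$1
    status="$PROC_ROOT/$pid/status"
    [ -r "$status" ] || return 1
    tgid=$(awk '$1 == "Tgid:" { print $2 }' "$status")
    [ -n "$tgid" ] && [ "$tgid" != "$pid" ] || return 1
    # ls uses readdir, which is what a process-hiding rootkit tampers with,
    # so a leader that is absent here is no alibi for its threads.
    ls "$PROC_ROOT" | grep -qx "$tgid"
}

# Read chkproc -v output on stdin and print only the hidden PIDs that are
# not explained as threads of a visible process.
suspicious_hidden_pids() {
    sed -n 's/^PID *\([0-9][0-9]*\): not in ps output$/\1/p' | sort -un |
    while read -r pid; do
        hidden_pid_is_thread "$pid" || echo "$pid"
    done
}
```

A PID that survives `suspicious_hidden_pids` still deserves a look with a second tool, since the check only rules out the thread explanation.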
simu
n00b

Joined: 28 May 2005
Posts: 1

Posted: Sat May 28, 2005 8:46 pm    Post subject: chkrootkit mail script

I have some false positives too. I just turn off these tests (although that could be very stupid). Here is a little script I've written today; it sends an email if chkrootkit finds something:

Code:

#!/bin/bash

# viruscheck 0.1, simon schwab
# this script runs chkrootkit and emails a possible incident.

RECIPIENT=root@yavin4.ch
LOGFILE=/var/log/viruscheck
TESTS="asp bindshell lkm rexedcs w55808 wted scalper slapper
       z2 chkutmp amd basename biff chfn chsh cron date du dirname echo
       egrep env find fingerd gpm grep hdparm su ifconfig inetd inetdconf
       identd init killall ldsopreload login ls lsof mail mingetty netstat
       named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin
       sendmail sshd syslogd tar tcpd tcpdump top telnetd timed traceroute
       vdir w write"
# i disable the tests aliens and sniffer because of false positives.

# runs chkrootkit and directs output to a logfile
# ($TESTS is deliberately unquoted so it expands to one argument per test)
/usr/sbin/chkrootkit -q $TESTS > "$LOGFILE"

# if logfile is not empty (-s), email root with the log as the message body
if [ -s "$LOGFILE" ]; then
   mutt -s "$HOSTNAME: chkrootkit warning" "$RECIPIENT" < "$LOGFILE"
fi
ruurd
n00b

Joined: 07 Jan 2005
Posts: 8

Posted: Sat Jun 04, 2005 9:06 am

I just solved it by ignoring only those lines that I think are harmless (in my /etc/cron.weekly/chkrootkit):

Code:

#!/bin/sh
#
# uncomment this to make it work
#

# Print only the chkrootkit -q hits that are not on the known-harmless list:
# ifpromisc's line for dhcpd's PF_PACKET socket, Perl .packlist files,
# PHP PEAR registry files and Gentoo's empty .keep files.
/usr/sbin/chkrootkit -q | awk '
{
        if ($0 !~ /^eth0.*PF_PACKET\(\/usr\/sbin\/dhcpd\)$/) {
                # -q prints all file hits on one line; test each field separately
                for (i = 1; i <= NF; i++) {
                        if ($i !~ /perl5.*\.packlist(e)?$/ &&
                                $i !~ /php.*\.(registry|lock|filemap)$/ &&
                                $i !~ /\.keep$/)
                        {
                                print $i;
                        }
                }
        }
}'