Robert S Guru
Joined: 15 Aug 2004 Posts: 463 Location: Canberra Australia
|
Posted: Sat Aug 29, 2009 9:57 pm Post subject: chkrootkit outputs huge amounts of gobbledegook |
|
|
I have chkrootkit running as a nightly cron job and I use diff to compare the current with the previous output. Recently I've been getting vast amounts of output - mainly related to phpmyadmin code (see below). Is there any way that I can stop this from occurring?
Last edited by Robert S on Sat Sep 26, 2009 9:51 am; edited 1 time in total |
|
phoenixp n00b
Joined: 11 Sep 2009 Posts: 22
|
Posted: Fri Sep 18, 2009 4:19 pm Post subject: |
|
|
That doesn't look like any chkrootkit output I've ever seen. How sure are you that's what's producing it? |
|
Robert S Guru
Joined: 15 Aug 2004 Posts: 463 Location: Canberra Australia
|
Posted: Sat Sep 26, 2009 3:53 am Post subject: |
|
|
I have chkrootkit running in a script that produces text when the output of chkrootkit differs from the previous run. So it is produced by chkrootkit. |
|
Anarcho Advocate
Joined: 06 Jun 2004 Posts: 2970 Location: Germany
|
Posted: Sat Sep 26, 2009 8:15 am Post subject: |
|
|
I have a pretty similar output. I think it began after an update, but I'm not sure.
_________________
...it's only Rock'n'Roll, but I like it! |
|
chrbecke Guru
Joined: 12 Jul 2004 Posts: 598 Location: Berlin - Germany
|
Posted: Sat Sep 26, 2009 8:39 am Post subject: |
|
|
chkrootkit scans /tmp and /var/tmp for files containing the string "php" in the first line. That matches the files PHP stores session data in; that's where the funny-looking output comes from. |
|
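The check chrbecke describes can be reproduced by hand to see which files are feeding the nightly diff. This is an added example, not part of the thread and not chkrootkit's own code; the function name, the SESSION/REVIEW labels and the session-data pattern are assumptions made for illustration.

```shell
#!/bin/sh
# List every regular file under the given directories whose FIRST line
# contains the string "php", and label it:
#   SESSION  first line looks like PHP session data (key|type:...)
#   REVIEW   anything else, e.g. a "#!/usr/bin/php" or "<?php" first line
# Nothing is hidden: every matching file is printed, only the label differs.
# Typical call: triage_php_first_lines /tmp /var/tmp
triage_php_first_lines() {
    find "$@" -xdev -type f -exec sh -c '
        for f do
            # First line only; strip NUL bytes so binary files do not
            # trigger shell warnings in the command substitution.
            first=$(head -n 1 "$f" 2>/dev/null | tr -d "\000")
            case $first in
                *php*) ;;          # same trigger the post describes
                *) continue ;;
            esac
            # Assumed pattern for PHP session data: key|s:.., key|a:..,
            # key|O:.. and so on.
            if printf "%s\n" "$first" |
                grep -Eq "^[A-Za-z_][A-Za-z0-9_]* ?\|[abdisON][:;]"; then
                label=SESSION
            else
                label=REVIEW
            fi
            printf "%s %s\n" "$label" "$f"
        done' sh {} + 2>/dev/null | sort
}
```

SESSION lines account for the serialized data in the report; REVIEW lines are the files worth opening before the noise is filtered out of the diff.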
gerard27 Advocate
Joined: 04 Jan 2004 Posts: 2377 Location: Netherlands
|
Posted: Sat Sep 26, 2009 11:53 am Post subject: |
|
|
I use chkrootkit now and then from the command line.
The newest is from Jan 10, so I don't think it has anything to do with an upgrade.
Gerard.
_________________
To install Gentoo I use sysrescuecd. Based on Gentoo, has Firefox to browse Gentoo docs and mc to browse (and edit) files.
The same disk can be used for 32 and 64 bit installs.
You can follow the Handbook verbatim.
http://www.sysresccd.org/Download |
|
Anarcho Advocate
Joined: 06 Jun 2004 Posts: 2970 Location: Germany
|
Posted: Sat Sep 26, 2009 12:28 pm Post subject: |
|
|
chrbecke wrote: | chkrootkit scans /tmp and /var/tmp for files containing the string "php" in the first line. That matches the files PHP stores session data in; that's where the funny-looking output comes from. |
Yes, I think you are right. My output contains info about ebuilds and I found eix temp files.
Thanks for this clarification!
_________________
...it's only Rock'n'Roll, but I like it! |
|