3

I couldn't understand the output of chkrootkit command:

$ chkrootkit -q -r /
/usr/lib/.libssl.so.10.hmac
/usr/lib/.libfipscheck.so.1.hmac
/usr/lib/firefox-3.6/.autoreg
/usr/lib/.libfipscheck.so.1.1.0.hmac
/usr/lib/.libssl.so.1.0.0d.hmac
/lib/.libcrypto.so.1.0.0d.hmac
/lib/.libgcrypt.so.11.hmac
/lib/.libcrypto.so.10.hmac
/proc/2980/fd/129: No such file or directory

What does this mean?

asked by Dharmit (edited by Gilles 'SO- stop being evil')

2 Answers

3

The .*.hmac files are signature files for some cryptographic software, created by fipscheck. Their presence is not suspicious at all. They seem to be common false positives from chkrootkit on Fedora.

As for the firefox-3.6/.autoreg file, which is a normal part of Firefox, you're not the first to see chkrootkit complain about it.

The non-existent /proc/2980/fd/129 is probably because process 2980 closed the file (or even exited) just while chkrootkit was reaching it.

You would get more information without -q.

Chances are that these are false positives. On the other hand, an attacker aware of chkrootkit might deliberately plant her malware inside one of these known common false positives. On the gripping hand, running chkrootkit from within the system you're checking is pretty much useless: well-written malware would hack into the kernel and arrange to make everything look normal to chkrootkit and other intrusion or malware detection tools.

Gilles 'SO- stop being evil'
  • I found http://forums.fedoraforum.org/archive/index.php/t-243765.html and did `rpm -qf` on all those files mentioned in the output by chkrootkit. And they all belong to some package or the other. Thanks though. The links pointed were truly helpful. – Dharmit Apr 16 '11 at 17:46
  • @Dharmit: The files are legitimate, but their content might not be. Chkrootkit is warning you about their content. However, since these are common false positives, and chkrootkit would not find most genuine malware anyway, I wouldn't worry about it. – Gilles 'SO- stop being evil' Apr 16 '11 at 17:57
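The answer and the comments above boil down to a procedure: for every path chkrootkit prints, find out which package owns it (`rpm -qf`), then, because a legitimate path can still hold replaced content, verify the on-disk file against the package database, and treat a vanished `/proc/PID/fd/N` entry as a race unless the process is still around. The script below is an added example that automates that triage; it is not code from the thread or from chkrootkit. It assumes an RPM-based system such as Fedora (it only calls `rpm` if the binary is present), and the sample output it runs on is constructed to mirror the shape of the question's listing, with one extra hypothetical hidden file (`/tmp/.hidden/evil.so`) to show the unowned case.

```sh
#!/bin/sh
# Added example, not part of the original thread. Triages the paths that
# `chkrootkit -q` prints: .hmac files are checked against the package
# database, /proc/PID/fd lines are re-checked to see whether the process is
# still alive, and anything else is reported as a hidden file to inspect.
# Assumes an RPM-based system such as Fedora; `rpm` is only called if present.

# Constructed sample in the shape of the question's output (not real findings;
# the last path is hypothetical).
SAMPLE_OUTPUT='/usr/lib/.libssl.so.10.hmac
/lib/.libcrypto.so.10.hmac
/usr/lib/firefox-3.6/.autoreg
/proc/2980/fd/129: No such file or directory
/tmp/.hidden/evil.so'

# classify_line LINE -> prints hmac | proc_race | hidden
classify_line() {
    case "$1" in
        /proc/[0-9]*/fd/*": No such file or directory") echo proc_race ;;
        */.*.hmac)                                       echo hmac ;;
        *)                                               echo hidden ;;
    esac
}

# pid_of_proc_line LINE -> prints the PID embedded in a /proc/PID/fd/N line
pid_of_proc_line() {
    printf '%s\n' "$1" | sed -n 's|^/proc/\([0-9][0-9]*\)/fd/.*|\1|p'
}

# owner_of PATH -> owning package name, "unowned", or "rpm-not-available"
owner_of() {
    command -v rpm >/dev/null 2>&1 || { echo rpm-not-available; return; }
    pkg=$(rpm -qf "$1" 2>/dev/null) && printf '%s\n' "$pkg" || echo unowned
}

# verify_owned PATH: a path that belongs to a package can still hold replaced
# content, so compare the on-disk file with what the package database recorded.
# `rpm -Vf` prints nothing for a file that matches; a "5" in the flags column
# means the digest differs, "S" the size, "T" the mtime.
verify_owned() {
    pkg=$(owner_of "$1")
    case "$pkg" in
        unowned|rpm-not-available) echo "$1: $pkg" ;;
        *) out=$(rpm -Vf "$1" 2>&1 | grep -F -- "$1" || true)
           if [ -z "$out" ]; then
               echo "$1: $pkg (content matches package)"
           else
               echo "$1: $pkg MODIFIED: $out"
           fi ;;
    esac
}

# check_proc_line LINE: the fd may simply have been closed (or the process
# exited) between chkrootkit's directory scan and its stat() of the entry.
check_proc_line() {
    pid=$(pid_of_proc_line "$1")
    if [ -d "/proc/$pid" ]; then
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
        echo "$1: process $pid still running, exe -> $exe (inspect it)"
    else
        echo "$1: process $pid has exited (benign race)"
    fi
}

# triage TEXT -> one report line per chkrootkit output line
triage() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$(classify_line "$line")" in
            hmac)      verify_owned "$line" ;;
            proc_race) check_proc_line "$line" ;;
            hidden)    verify_owned "$line"
                       ls -ld -- "$line" 2>/dev/null || true ;;
        esac
    done
}

triage "$SAMPLE_OUTPUT"
```

On a real box you would feed it the live output, `triage "$(chkrootkit -q -r /)"`, and read the result with the caveat from the answer in mind: `rpm -V` compares against a database that lives on the same disk, so a kernel-level rootkit can lie to both chkrootkit and rpm. The check is still worth running because it separates the common false positives from an unowned dotfile or a digest mismatch, which is what deserves attention.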
1

The "no such file" error simply means it expected to find something and couldn't. In this case there was a running system process, but when it went to check the proc entries relative to it they were not there. This could mean the process is cloaked and being bad, or it could just mean that it naturally stopped before it got around to being looked at.

The other files are files on your system that chkrootkit considers suspicious and should be looked into. [edit:] In this case they are mostly library files that start with a dot, but also have an extra extension. You look up what these files are and find out where they came from.

Caleb
    They're not library files, they're `.*.hmac`, which makes me think they're [signature files](http://en.wikipedia.org/wiki/HMAC), probably part of some intrusion detection package. – Gilles 'SO- stop being evil' Apr 16 '11 at 17:12
  • So what shall I do with those files? Shall I `rm -f` them? Or shall I use ClamAV? – Dharmit Apr 16 '11 at 17:27
  • First figure out what they are and where they came from. If as @Gilles suggests they came from an intrusion detection system (are you running one?) you don't want to mess that up by deleting its data. First learn what they are and how they got there, then decide what to do with them. – Caleb Apr 16 '11 at 17:31
  • @Dharmit: First try `rpm -qf /usr/lib/.libssl.so.10.hmac`. @both: but anyway they're from [fipscheck](https://fedorahosted.org/fipscheck/), see my answer. – Gilles 'SO- stop being evil' Apr 16 '11 at 17:38