Where can I get help with chkrootkit & rkhunter?

markfilipak
Level 5
Posts: 915
Joined: Sun Mar 10, 2013 8:08 pm
Location: Ohio (formerly California), USA

Where can I get help with chkrootkit & rkhunter?

Post by markfilipak » Wed Jan 17, 2018 10:31 pm

Where can I get help with chkrootkit & rkhunter?

Thanks!

jimallyn
Level 18
Posts: 8945
Joined: Thu Jun 05, 2014 7:34 pm
Location: Wenatchee, WA USA

Re: Where can I get help with chkrootkit & rkhunter?

Post by jimallyn » Wed Jan 17, 2018 11:17 pm

Image

“If the government were coming for your TVs and cars, then you'd be upset. But, as it is, they're only coming for your sons.” - Daniel Berrigan

markfilipak
Level 5
Posts: 915
Joined: Sun Mar 10, 2013 8:08 pm
Location: Ohio (formerly California), USA

Re: Where can I get help with chkrootkit & rkhunter?

Post by markfilipak » Thu Jan 18, 2018 12:24 am

Yes, long ago. I searched it for the strings "chkrootkit" & "rkhunter" and found nothing. Do you have any further hints?

Warm Regards,

Mark.

Spearmint2
Level 16
Posts: 6874
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Re: Where can I get help with chkrootkit & rkhunter?

Post by Spearmint2 » Thu Jan 18, 2018 2:18 am

I would advise to avoid them. Too many false positives in my opinion to make them useful anymore.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....

jimallyn
Level 18
Posts: 8945
Joined: Thu Jun 05, 2014 7:34 pm
Location: Wenatchee, WA USA

Re: Where can I get help with chkrootkit & rkhunter?

Post by jimallyn » Thu Jan 18, 2018 4:37 am

markfilipak wrote:I searched it for the strings "chkrootkit" & "rkhunter" and found nothing. Do you have any further hints?
The word "rootkit" does appear in the article 7 times. As Spearmint2 said, there are too many false positives. People have reported on the forums a number of times that they have been infected with a rootkit, but upon telling the smart people here (that's not me) what they found, they say, oh yeah, that's a known false positive. So I don't think I have ever seen an instance where somebody found an actual rootkit on their computer. If it were me, I probably wouldn't bother running chkrootkit or rkhunter, but if I did, I would probably do a Google search for whatever it turns up. It's likely that somebody will know whether it's a false positive or not, and if it's a legitimate threat, somebody will know what to do about it.
Image

“If the government were coming for your TVs and cars, then you'd be upset. But, as it is, they're only coming for your sons.” - Daniel Berrigan
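To turn "whatever it turns up" into findings you can look up one at a time, here is an added Python example (not from this thread and not part of the rkhunter project) that pulls each Warning out of an rkhunter log and groups it by type. The log excerpt is constructed, its layout is assumed from rkhunter's usual output, and the comments note what a defender normally confirms before treating each type as an infection.

```python
import re
from collections import defaultdict

# Constructed excerpt in the style of /var/log/rkhunter.log (assumed layout, not a real scan).
SAMPLE_LOG = """\
[10:02:34] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: a /usr/bin/perl -w script, ASCII text executable
[10:02:35] Warning: The file properties have changed:
[10:02:35]          File: /usr/bin/ssh
[10:02:35]          Stored hash : a91e...placeholder
[10:02:40] Warning: Hidden directory found: /etc/.java
[10:02:41] Warning: Hidden file found: /dev/.blkid.tab
"""

WARNING_RE = re.compile(r"^\[\d\d:\d\d:\d\d\] Warning: (?P<msg>.*)$")
FILE_RE = re.compile(r"^\[\d\d:\d\d:\d\d\]\s+File: (?P<path>\S+)$")

# Common warning types, each with what to confirm before calling it an infection.
CATEGORIES = [
    # Debian/Ubuntu ship some perl wrappers (lwp-request among them) as scripts;
    # confirm the package owns the file, then list it under SCRIPTWHITELIST in rkhunter.conf.
    ("script replacement", r"has been replaced by a script"),
    # Usually a package update since the last 'rkhunter --propupd'; verify the package first.
    ("file properties changed", r"file properties have changed"),
    # Check package ownership and search the exact path; /etc/.java is commonly reported as benign.
    ("hidden file/dir", r"Hidden (file|directory) found"),
]

def categorize(msg):
    for name, pattern in CATEGORIES:
        if re.search(pattern, msg):
            return name
    return "other"

def parse_warnings(text):
    """Map each warning category to the paths it named, in log order."""
    findings = defaultdict(list)
    pending = None  # category whose path follows on an indented 'File:' line
    for line in text.splitlines():
        m, f = WARNING_RE.match(line), FILE_RE.match(line)
        if m:
            cat = categorize(m.group("msg"))
            path = re.search(r"(/[^\s:']+)", m.group("msg"))
            pending = None if path else cat
            if path:
                findings[cat].append(path.group(1))
        elif f and pending:
            findings[pending].append(f.group("path"))
    return dict(findings)
```

Each category/path pair is a single search term to look up, which is the triage jimallyn describes.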

markfilipak
Level 5
Posts: 915
Joined: Sun Mar 10, 2013 8:08 pm
Location: Ohio (formerly California), USA

Re: Where can I get help with chkrootkit & rkhunter?

Post by markfilipak » Thu Jan 18, 2018 3:56 pm

jimallyn wrote:
markfilipak wrote:I searched it for the strings "chkrootkit" & "rkhunter" and found nothing. Do you have any further hints?
The word "rootkit" does appear in the article 7 times.
-snip-
Well, I was hoping to communicate with whoever wrote them. I assume they're not worthless to the Mint maintainers. Otherwise, how did they get into Mint? And why is it listed in 'synaptic'? Assuming that they're not worthless, then how can I understand the cryptic report? Is there a facility for investigating utilities that are packaged with Mint? Sorry, but even after years of using Mint, I'm still a newbie.

Warm Regards,
Mark.

MintBean
Level 9
Posts: 2967
Joined: Fri Aug 07, 2015 6:54 am
Location: Blighty

Re: Where can I get help with chkrootkit & rkhunter?

Post by MintBean » Thu Jan 18, 2018 4:20 pm

The vast bulk of software in the repository comes via Ubuntu repositories upstream, and that in turn comes largely from Debian repositories, so it in no way indicates that the Linux Mint team promote or endorse any specific piece of software. Honestly I doubt whoever wrote the software would be interested in helping out as an unpaid malware analyst. They would be swamped.

markfilipak
Level 5
Posts: 915
Joined: Sun Mar 10, 2013 8:08 pm
Location: Ohio (formerly California), USA

Re: Where can I get help with chkrootkit & rkhunter?

Post by markfilipak » Thu Jan 18, 2018 6:39 pm

MintBean wrote:The vast bulk of software in the repository comes via Ubuntu repositories upstream, and that in turn comes largely from Debian repositories, so it in no way indicates that the Linux Mint team promote or endorse any specific piece of software. Honestly I doubt whoever wrote the software would be interested in helping out as an unpaid malware analyst. They would be swamped.
Howdy. You are assuming that I want to analyze malware. Not so. Your point about repositories is well taken, though. Thanks.

jimallyn
Level 18
Posts: 8945
Joined: Thu Jun 05, 2014 7:34 pm
Location: Wenatchee, WA USA

Re: Where can I get help with chkrootkit & rkhunter?

Post by jimallyn » Thu Jan 18, 2018 8:54 pm

Image

“If the government were coming for your TVs and cars, then you'd be upset. But, as it is, they're only coming for your sons.” - Daniel Berrigan

BG405
Level 7
Posts: 1900
Joined: Fri Mar 11, 2016 3:09 pm
Location: England

Re: Where can I get help with chkrootkit & rkhunter?

Post by BG405 » Mon Jan 22, 2018 2:53 pm

According to your signature, you appear to be running LM18 as a VB guest on a Win7 host. Is this correct?
Dell Inspiron 1525 - LM17.3 CE 64
Lenovo T440 8GB - Manjaro KDE with Mint VMs
Toshiba NB250 - Manjaro KDE
K7S5A AMD 1.2GHz - LM17.3 Xfce 32 & WinXP-Pro
Acer Aspire E11 ES1-111M - LM18.2 KDE 64
Dell PII 350 64MB - Puppy 4.3 & Win98-SE

markfilipak
Level 5
Posts: 915
Joined: Sun Mar 10, 2013 8:08 pm
Location: Ohio (formerly California), USA

Re: Where can I get help with chkrootkit & rkhunter?

Post by markfilipak » Mon Jan 22, 2018 4:13 pm

BG405 wrote:According to your signature, you appear to be running LM18 as a VB guest on a Win7 host. Is this correct?
Yes, that's correct.

Windows is completely blocked, inbound & outbound, by Windows firewall rules. Windows can't even update.

Only Mint can get to the Internet. It connects directly via a virtual driver to the WiFi hardware, completely bypassing Windows.

===== OPTIONAL READING =====
Until about 2 years ago, Windows firewall was a partial sham. It didn't block outbound at all, though it pretended to. Because it didn't block outbound, I contracted a Windows rootkit named Bagle that was fetched by a Trojan horse that, itself, loaded as a drive-by -- javascript appended to the end of a page. Since the prior Windows firewall did not block outbound, the main rootkit fetch by the Trojan succeeded. The Trojan was a javascript that repeatedly created 23-byte array elements until the array overran the next higher memory segment. The 23-byte machine code program was carefully constructed so that it could be entered anywhere in its scope. When it executed -- by chance program execution "from above" -- it went to a web site in Ukraine and fetched the rootkit. The rootkit was a keystroke recorder. It was quite large. It held the URLs of thousands of banks. I learned how it all fit together when I disassembled the Trojan, the rootkit and the Bagle rootkit installer virus that the Trojan fetched. (BTW, I corresponded with one of Bagle's victims. He lost $160-thousand into a Russian bank via a Swiss bank. Interpol could do nothing. The guy lost his small business. He, like most people, mistakenly thought that the FDIC protected his bank account. He never recovered a cent. The Americans who lost over $1-billion in on-line theft during 2014 never recovered a cent. It's estimated that Bagle operated for 6 days and netted $60-million.)
Last edited by markfilipak on Mon Jan 22, 2018 4:25 pm, edited 1 time in total.

chrisuk
Level 5
Posts: 593
Joined: Thu Jun 12, 2008 6:16 am

Re: Where can I get help with chkrootkit & rkhunter?

Post by chrisuk » Mon Jan 22, 2018 4:23 pm

This might help, it was done by @Habitual, who I don't think is here anymore:
Attachment: rkhunter.pdf (53.95 KiB)
Chris

Manjaro MATE - MX Linux - LMDE MATE

markfilipak
Level 5
Posts: 915
Joined: Sun Mar 10, 2013 8:08 pm
Location: Ohio (formerly California), USA

Re: Where can I get help with chkrootkit & rkhunter?

Post by markfilipak » Mon Jan 22, 2018 4:36 pm

chrisuk wrote:This might help, it was done by @Habitual, who I don't think is here anymore:
I already installed 'rkhunter' via 'synaptic'. Does installation from source convey an advantage?

Spearmint2
Level 16
Posts: 6874
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Re: Where can I get help with chkrootkit & rkhunter?

Post by Spearmint2 » Fri Jan 26, 2018 8:47 am

How do you expect a virtual system to check for a root kit? It's not a bare metal install.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....

markfilipak
Level 5
Posts: 915
Joined: Sun Mar 10, 2013 8:08 pm
Location: Ohio (formerly California), USA

Re: Where can I get help with chkrootkit & rkhunter?

Post by markfilipak » Fri Jan 26, 2018 10:30 am

Spearmint2 wrote:How do you expect a virtual system to check for a root kit?
How would a guest-OS check for a root kit? I presume the same way it ordinarily checks for a root kit. It doesn't know it's a virtual machine guest.
It's not a bare metal install.
VirtualBox must be virtualizing the memory controller hardware (chip) and the BIOS/UEFI hardware/firmware (NV-RAM chip), eh? Well, then, a root kit is possible, isn't it?
