Could it be that "chkrootkit" just doesn't like .hmac, .packlist, and .relocation-tag files?

Posted by Danijel on Server Fault
Published on 2012-10-08T16:58:08Z Indexed on 2012/10/08 21:39 UTC

I just cleaned up my hacked CentOS server (due to not updating since version 5.3). But still, "chkrootkit" says this:

Possible t0rn v8 \(or variation\) rootkit installed

/usr/lib/.libfipscheck.so.1.1.0.hmac 
/usr/lib/.libgcrypt.so.11.hmac 
/usr/lib/.libfipscheck.so.1.hmac 
/lib/.libcrypto.so.0.9.8e.hmac 
/lib/.libssl.so.0.9.8e.hmac 
/lib/.libssl.so.6.hmac 
/lib/.libcrypto.so.6.hmac

/usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/Text/Iconv/.packlist 
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist 
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/HTML-Tree/.packlist 
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/Font/AFM/.packlist 
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/MLDBM/Sync/.packlist 
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/MLDBM/.packlist 
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/FreezeThaw/.packlist
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/Apache/ASP/.packlist 
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/HTML-Format/.packlist 

/usr/lib/gtk-2.0/immodules/.relocation-tag 
/usr/lib/python2.4/plat-linux2/.relocation-tag 
/usr/lib/python2.4/distutils/.relocation-tag 
/usr/lib/python2.4/config/.relocation-tag 

Could it be that "chkrootkit" just doesn't like .hmac, .packlist, and .relocation-tag files?

Are these really still infected?
