Could it be that "chkrootkit" just doesn't like .hmac, .packlist, and .relocation-tag files?
Posted by Danijel on Server Fault
Published on 2012-10-08T16:58:08Z
I just cleaned up my hacked CentOS server (due to not updating since version 5.3). But still, "chkrootkit" says this:
Possible t0rn v8 \(or variation\) rootkit installed
/usr/lib/.libfipscheck.so.1.1.0.hmac
/usr/lib/.libgcrypt.so.11.hmac
/usr/lib/.libfipscheck.so.1.hmac
/lib/.libcrypto.so.0.9.8e.hmac
/lib/.libssl.so.0.9.8e.hmac
/lib/.libssl.so.6.hmac
/lib/.libcrypto.so.6.hmac
/usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/Text/Iconv/.packlist
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/HTML-Tree/.packlist
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/Font/AFM/.packlist
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/MLDBM/Sync/.packlist
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/MLDBM/.packlist
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/FreezeThaw/.packlist
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/Apache/ASP/.packlist
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/HTML-Format/.packlist
/usr/lib/gtk-2.0/immodules/.relocation-tag
/usr/lib/python2.4/plat-linux2/.relocation-tag
/usr/lib/python2.4/distutils/.relocation-tag
/usr/lib/python2.4/config/.relocation-tag
Could it be that "chkrootkit" just doesn't like .hmac, .packlist, and .relocation-tag files?
Are these really still infected?