Hi all,
While doing my routine patches and scans, "chkrootkit" reported the following:
(*** snip ***) Checking `asp'... not infected Checking `bindshell'... warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. INFECTED (PORTS: 3133) Checking `lkm'... chkproc: nothing detected (*** snip ***)
I ran "rkhunter" immediately after the "chkrootkit" run finished, and it reported no problems. How do I determine if this is a false alarm or a real problem? If this is a real problem, what should I do about it? Also, as I'm neither a security expert nor a sysadmin, what is port 3133 used for?
thanks, Bill.
On Thu, 23 Jul 2015 14:56:00 -0400, William wrote:
> Hi all,
> While doing my routine patches and scans, "chkrootkit" reported the following:
> (*** snip ***) Checking `asp'... not infected Checking `bindshell'... warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. warning, got bogus l2cap line. INFECTED (PORTS: 3133) Checking `lkm'... chkproc: nothing detected (*** snip ***)
> I ran "rkhunter" immediately after the "chkrootkit" run finished, and it reported no problems. How do I determine if this is a false alarm or a real problem?
By examining the chkrootkit program -- it's a large shell script with a few helper tools -- to understand what it does to perform a check.
At http://bugz.fedoraproject.org/chkrootkit somebody has looked into the l2cap warning before.
> If this is a real problem, what should I do about it? Also, as I'm neither a security expert nor a sysadmin, what is port 3133 used for?
Good afternoon,
I realized a lot later that I also should have mentioned that the "chkrootkit" run was shortly after doing "yum update", "prelink -a", and rebooting. I don't know if that's significant.
> By examining the chkrootkit program -- it's a large shell script with a few helper tools -- to understand what it does to perform a check.
??? I looked at that long sh script. It didn't help. I don't see how knowing that chkrootkit uses "netstat" to check a port tells me whether or not I have a real problem. I don't understand what it means that a port is infected. I am a home user stuck doing his own sysadmin and security with no training or experience in these things.
Do I have a security problem? If yes, how do I fix it?
> At http://bugz.fedoraproject.org/chkrootkit somebody has looked into the l2cap warning before.
Thank-you.
thanks, Bill.
On 07/28/2015 10:55 AM, William wrote:
> I realized a lot later that I also should have mentioned that the "chkrootkit" run was shortly after doing "yum update", "prelink -a", and rebooting. I don't know if that's significant.
I'm not sure why you're using prelink, but if you're worried about security you might consider adding -r to the command.
On Tue, 28 Jul 2015 13:55:47 -0400, William wrote:
> > By examining the chkrootkit program -- it's a large shell script with a few helper tools -- to understand what it does to perform a check.
> ??? I looked at that long sh script. It didn't help. I don't see how knowing that chkrootkit uses "netstat" to check a port tells me whether or not I have a real problem. I don't understand what it means that a port is infected. I am a home user stuck doing his own sysadmin and security with no training or experience in these things.
Then I suggest that chkrootkit is not the right tool for you. You may ask why not? Because it's far from bullet-proof. Some of the checks it implements are no longer relevant these days. There are more modern rootkits that are not covered by chkrootkit. There is no database that would receive online updates to cover more known rootkits or vulnerabilities. It only tries to check for a few modifications it is aware of. Other checks are not safe but only very rudimentary. Even normal processes running on a normal installation can confuse it. For a very long time, it considered the main systemd executable as infected, and nobody did anything about that. Everywhere you could meet Fedora users asking whether Fedora's official ISO images would be infected. There's a README file included in the Fedora package, which comments on the problem of "false positives". It's the user's responsibility to verify what chkrootkit reports, because it's not safe to rely on it. Running chkrootkit gives a false sense of security. If it doesn't find anything (and rkhunter not either), you could still be affected by something it cannot find (even an only slightly modified rootkit) or by some other vulnerability it doesn't even check for.
There are multiple layers of security. As a home user, better focus on tools that protect your machine from intruders. Such as a firewall, SELinux, security relevant updates, not running things as superuser root, and deciding carefully what to install or execute on your machine.
> I'm not sure why you're using prelink, but if you're worried about security you might consider adding -r to the command.
Some time ago, I was getting a lot of warnings from "rkhunter". Both John Horne (of "rkhunter" fame) and the "rkhunter" warnings suggested I do a "prelink -a" after doing "yum update", but before running "rkhunter". It worked. So I always run "prelink -a" after doing "yum update" and before doing "chkrootkit" and "rkhunter".
The "-r" option requires an address. What address should I provide? Did you mean "-R" or "-r"?
thanks, Bill.
On 07/28/2015 02:37 PM, William wrote:
> The "-r" option requires an address. What address should I provide? Did you mean "-R" or "-r"?
Sorry; that should have been -R. The idea is to randomize where the various libraries are located, making it harder for malware (if any) to hook into them.
(replying to two posts)
Michael Schwendt said:
> Then I suggest that chkrootkit is not the right tool for you. You may ask why not? Because it's far from bullet-proof. Some of the checks it implements are no longer relevant these days. There are more modern rootkits that are not covered by chkrootkit. There is no database that would receive online updates to cover more known rootkits or vulnerabilities. It only tries to check for a few modifications it is aware of. Other checks are not safe but only very rudimentary. Even normal processes running on a normal installation can confuse it. For a very long time, it considered the main systemd executable as infected, and nobody did anything about that. Everywhere you could meet Fedora users asking whether Fedora's official ISO images would be infected. There's a README file included in the Fedora package, which comments on the problem of "false positives". It's the user's responsibility to verify what chkrootkit reports, because it's not safe to rely on it. Running chkrootkit gives a false sense of security. If it doesn't find anything (and rkhunter not either), you could still be affected by something it cannot find (even an only slightly modified rootkit) or by some other vulnerability it doesn't even check for.
> There are multiple layers of security. As a home user, better focus on tools that protect your machine from intruders. Such as a firewall, SELinux, security relevant updates, not running things as superuser root, and deciding carefully what to install or execute on your machine.
Thank-you for your comments, Michael. I *partially* agree.
I already realized that "chkrootkit" is not bullet-proof. I understand that *no* security tool or method is bullet-proof. Malicious people are always brewing new evil things, and security tools and methods are almost always stuck trying to catch up and keep up. I suspected that "chkrootkit" did not on its own get updates from some on-line database, but I wasn't sure. I hoped that maybe it was getting such updates when I do "yum update". You seem to be implying apparently not. :)
This tool (along with "rkhunter" and SELinux) do not give me a false sense of security. But they sure occasionally give me a serious scare. As for the possibility of false positives, that's why I come to this group (or for "rkhunter", its group) when I receive a warning or alert. It's obvious to me that the contributors to these groups include some real experts, and I trust the groups.
If "chkrootkit" is so bad and out of date, are we getting any value from it? Is it completely redundant with SELinux and "rkhunter"? If it's not adding anything beyond what SELinux and "rkhunter" do, maybe it should be removed from Fedora?
A couple years ago, when I got my new home system, I asked this group what I should do to secure and scan my system. The group recommended "chkrootkit" and "rkhunter". So those are what I use. I have SELinux; I assume that by default, it's set/configured appropriately. The one exception is changes that Ed Greshko coached me through to get printing working. I'm hoping that the firewall is set appropriately by default. I do a "yum update" every week to stay current. Is there something else that I should do?
Back to the original question: Is that "INFECTED (PORTS: 3133)" alert a false alarm or a real problem?
Joe Zeff said:
> Sorry; that should have been -R. The idea is to randomize where the various libraries are located, making it harder for malware (if any) to hook into them.
Thank-you, Joe. Depending on responses to my previous paragraphs (responding to Michael), I'll try that tomorrow when I do my weekly patches and scans.
Bill.
On Wed, 29 Jul 2015 14:49:54 -0400, William wrote:
> I already realized that "chkrootkit" is not bullet-proof. I understand that *no* security tool or method is bullet-proof. Malicious people are always brewing new evil things, and security tools and methods are almost always stuck trying to catch up and keep up. I suspected that "chkrootkit" did not on its own get updates from some on-line database, but I wasn't sure. I hoped that maybe it was getting such updates when I do "yum update". You seem to be implying apparently not. :)
False sense of security.
Check out "rpm -q --changelog chkrootkit|less". That's Fedora's package changelog.
v0.48 - 2007
v0.49 - 2010, three years later
v0.50 - 2014, four years later (the project page had been gone for a long time even)
And what did change in the software? Does it check for many new rootkits? Which rootkits are popular? Which pieces of code hackers leave on a machine after a breakin could be found by chkrootkit? When was the last time chkrootkit found a rootkit on your installation(s)?
Then notice some of the details in Fedora package's changelog. Fixes for ancient undiscovered bugs. Oh wait, and CVE-2014-0476? That one is classified as a "serious vulnerability" in chkrootkit itself.
> This tool (along with "rkhunter" and SELinux) do not give me a false sense of security. But they sure occasionally give me a serious scare.
That makes it even worse. I don't know why you find it worthwhile to run such tools. Have you made any experience with intrusion attempts and especially rootkits/backdoors? Or is it like running a random virus checker that never finds a virus, or running a cheap anti-virus which doesn't protect against the latest and greatest threats? It causes too much distraction. And having to deal with false positives is a strange hobby. ;-)
> If "chkrootkit" is so bad and out of date, are we getting any value from it?
Well, decide for yourself.
> Is it completely redundant with SELinux and "rkhunter"?
Do you run AIDE (package "aide") just because it can add another layer of protection? I don't think so. But that's a great tool with a special target group, albeit special maintenance requirements, too.
> If it's not adding anything beyond what SELinux and "rkhunter" do, maybe it should be removed from Fedora?
Some packages are kept alive, because there is a volunteer to become the "owner" of the Fedora package as soon as the previous owner wants to drop the package. I don't know whether the current owner is convinced of the usefulness or quality of the software.
> Back to the original question: Is that "INFECTED (PORTS: 3133)" alert a false alarm or a real problem?
Suggestions:
* Subscribe to the bugzilla ticket I've mentioned.
* Run chkrootkit in "expert" mode.
* Look up the *tiny* shell function that checks port 3133 and try to understand which "netstat" command chkrootkit runs to examine port 3133.
* Draw conclusions.
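To make the third suggestion concrete, here is an added example written for this page; it is not chkrootkit's own bindshell function and was not posted by anyone in the thread. It runs a chkrootkit-style netstat port match over a constructed sample of "netstat -an -p" output (net-tools column layout assumed; the PIDs and the name example-daemon are made up) and then does the step chkrootkit leaves to the user, naming the process that owns the socket:

```shell
#!/bin/sh
# Added example (not chkrootkit's code): the kind of netstat-based check that
# produces "INFECTED (PORTS: 3133)", followed by the step chkrootkit leaves to
# the user, finding out which process owns the socket.

# Constructed sample of `netstat -an -p` output (net-tools column layout);
# the PIDs and "example-daemon" are made up, not taken from any real machine.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3133          0.0.0.0:*               LISTEN      1432/example-daemon
tcp        0      0 192.168.1.5:31337       10.0.0.9:443            ESTABLISHED 2001/firefox
tcp6       0      0 :::631                  :::*                    LISTEN      990/cupsd
udp        0      0 0.0.0.0:3133            0.0.0.0:*                           1432/example-daemon'

# Sockets a remote peer could reach: listening TCP sockets and any UDP socket.
# An ESTABLISHED connection that merely uses a "suspicious" port is ignored.
reachable_sockets() {
    printf '%s\n' "$1" | grep -E '^tcp.*LISTEN|^udp'
}

# Exit 0 if something in netstat output $1 listens on port $2, else 1.
# The port must be the whole port field, so ":3133 " matches and ":31337" does not.
listening_on_port() {
    reachable_sockets "$1" | grep -Eq "[.:]$2[[:space:]]"
}

# Print the PID/Program name of every reachable socket on port $2 (deduplicated).
port_owner() {
    reachable_sockets "$1" | grep -E "[.:]$2[[:space:]]" | awk '{ print $NF }' | sort -u
}

# Report what chkrootkit's one-word verdict hides: who owns the port.
triage_port() {
    if ! listening_on_port "$1" "$2"; then
        echo "port $2: nothing listening (chkrootkit would not flag it)"
        return 0
    fi
    for owner in $(port_owner "$1" "$2"); do
        echo "port $2: owned by $owner"
    done
    # On the live machine, finish the job with commands that exist on Fedora
    # (run as root so netstat/ss can show the PID of another user's process):
    #   ss -ltnp 'sport = :3133'                 # same question via iproute2
    #   readlink /proc/<pid>/exe                 # the executable behind the PID
    #   rpm -qf /path/to/exe && rpm -Vf /path/to/exe
    # A packaged, unmodified daemon you expect to run is a false alarm; a
    # listener whose executable belongs to no package, or fails rpm -V, is not.
    return 0
}

triage_port "$SAMPLE_NETSTAT" 3133
```

The "got bogus l2cap line" text in Bill's output is netstat's own message (the ticket linked earlier is where that warning was looked into), separate from the port match; so the socket's owner, not the number of warnings, decides whether 3133 is a problem.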
On Tue, Jul 28, 2015 at 11:18 PM, Michael Schwendt mschwendt@gmail.com wrote:
> ... it. For a very long time, it considered the main systemd executable as infected, and nobody did anything about that. Everywhere you could
Obviously, given what a mess systemd is. I wouldn't blame chkrootkit for it!
Hello Butrus,
Yes I'm Real. To prove I'm real first off.. You are Community support for Fedora users and your mail Id users@lists.fedoraproject.org
I was just taking a quick shower and I heard my phone vibrate, my hair isnt even close to being dry yet but I wanted to quickly check my email to see if it was you writing me back.
I guess since you responded you are not a faker haha, that is a big relief. Not sure if you were wanting to get together tonight, tomorrow ..or maybe wait until the weekend? I am not going to lie though I was really hoping to get some as soon as possible..
All you have do is verify on this website HERE http://www.bcmeetnow.com/userms/olivia/ where I am a member and do a safety verification.
It only costs a dollar and just takes a sec. My cell number is on there and I have some other photos on there too. Get my cell number and give me a text or call me. Let's make this happen.. I have lots of free time. call me now!
Sorry if it seems like I'm being a bitch and making you work too hard, but I have to look out for my own safety. There are tons of weirdos out there and I just want to have a good time. Hope you understand cause I really want to meet you..
On Thu, Jul 30, 2015 at 11:38:01AM -0700, Joe Zeff wrote:
> On 07/30/2015 11:33 AM, Olivia wrote:
> > Hello Butrus, Yes I'm Real.
> No you're not. This is the third copy of the exact same message I've received from you today, except for the name at the top.
List admins are on this. No need to spread this further by replying more. Thanks.
On Thu, Jul 30, 2015 at 11:50:57AM -0700, Joe Zeff wrote:
> You should have paid more attention to the final *plonk!* That was the sound of "her" email address dropping to the bottom of my killfile.
But that doesn't do anyone any good. The spammer certainly isn't going to care (or even read it), and the _rest_ of the list just gets more off-topic mail. The point of my message was to let everyone know that list admins are aware and that you don't need to give additional reports (or, indeed, continue responding to the spammer).
On 07/30/2015 11:54 AM, Matthew Miller wrote:
> (or, indeed, continue responding to the spammer).
I have no idea if that spammer is still active or not because any further messages from that address are deleted before I see them. That was part of the point of my original message; the other part was the implicit suggestion that others do the same.
On Thu, 30 Jul 2015 20:28:03 +0200, Butrus Damaskus wrote:
> > ... it. For a very long time, it considered the main systemd executable as infected, and nobody did anything about that. Everywhere you could
> Obviously, given what a mess systemd is. I wouldn't blame chkrootkit for it!
Are you kidding? I guess not, because of the lack of smileys in your mail. Watch this -> http://pkgs.fedoraproject.org/cgit/chkrootkit.git/plain/chkrootkit-suckit.pa...