chkrootkit - suspicious files question
Jim Cornette
fc-cornette at insight.rr.com
Mon Apr 4 02:06:20 UTC 2005
Mike Klinke wrote:
> On Sunday 03 April 2005 07:42, Jim Cornette wrote:
>
>
>>Hopefully this does not indicate anything to be alarmed about. Is
>>this a rational assumption?
>
>
> These look to be a part of perl.
>
> # locate .packlist
> /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi/auto/DCOP/.packlist
> /usr/lib/perl5/5.8.5/i386-linux-thread-multi/.packlist
> /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi/auto/Gaim/.packlist
> /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi/auto/mod_perl/.packlist
> /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi/auto/NKF/.packlist
>
> # rpm -ql perl | grep pack
> /usr/lib/perl5/5.8.5/i386-linux-thread-multi/.packlist
>
>
They have the same version of the php that is installed on this laptop.
A google search showed the same files being flagged by chkrootkit. I
guess these are not signs of a rootkit. I was suspicious since
conversations from two users on this list being rooted.
I feel safer now about the files being flagged. Five files is better
than a long listing.
Thanks and sorry for the alarm!
Jim
--
Reporter (to Mahatma Gandhi): Mr Gandhi, what do you think of Western
Civilization?
Gandhi: I think it would be a good idea.
More information about the users
mailing list