Possible Rootkit (was Re: It Works fine)

Karl Larsen k5di at zianet.com
Mon Dec 10 23:38:07 UTC 2007


Steven Stern wrote:
> Karl Larsen wrote:
>> Jeff Krebs wrote:
>>> * Karl Larsen (k5di at zianet.com) wrote:
>>>  
>>>>    After so many problems seen day after day it is nice I think to 
>>>> hear about a success.
>>>>
>>>> F8 was installed from a DVD and came right up with a video problem 
>>>> cuzz I have a Nvidia video card. Fixed in 5 minutes with Nvidia 
>>>> binary. Then audio problems and found pulse audio the problem. I 
>>>> was told to yum remove and I did and audio is fine again.
>>>>
>>>>    I have had all the updates and they appear to be real Updates! 
>>>> So today December 10 2007 my F8 is working just fine. I have just 
>>>> one problem. I     
>>>
>>> I will mark this down on my calendar, and ensure that it's engraved 
>>> in stone to pass down to historians.  Such a feat was certainly 
>>> unthinkable :)
>>>
>>>  
>>>> seem to have a rootkit somewhere in the /home/karl/ directories. I 
>>>> have RTK and this afternoon I plan to find the thing, or discover I 
>>>> have no rootkit but rather another kind of problem.
>>>>
>>>> Karl
>>>>     
>>>
>>> How do you know that you have a root kit?
>>>
>>>
>>> Jeff Krebs
>>>
>>>   
>>    I really do not know Jeff. But often, while using Firefox I get an 
>> attack that puts a cross hatch screen on and removes the keyboard and 
>> mouse, and puts a single tone out the audio channels and only a hard 
>> reset will clear it.
>>
>>    This is how I think a rootkit would work and so I got rkhunter and 
>> right now I am trying to get it to check /home but have not found out 
>> how to do this :-)
>>
>> Karl
>>
>>
> The rootkits I've seen are very quiet. They survive by NOT doing 
> noticeable things.  They quietly install servers or bots in obscure 
> corners of the system in hidden directories.  What you have sounds 
> more like a cat playing in the wires under the desk. (I have personal 
> experience with that, too).
>
> What does chkrootkit show?
>
  
    I don't have chkrootkit but what I have is hard to get working as I 
wanted to check /home. I can't seem to make that work. It did check /usr 
and found some "warning" but the FAQ says they do not mean anything.

    My cat stays out of my office, most of the time.

Karl

-- 

	Karl F. Larsen, AKA K5DI
	Linux User
	#450462   http://counter.li.org.
GPG DF28 8F18 94F8 D5C6 9E44  163F 7FD1 3D06 C325 DA40
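
The reply above describes rootkits that sit quietly in hidden directories, and the poster wants to check /home. The following is an added example, not part of the original thread and not a feature of rkhunter or chkrootkit: a plain find-based pass that lists executables and ELF binaries below dot-directories. The function names and the sample tree are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag executables and ELF binaries that
# live under hidden (dot) directories of a tree such as /home.

# scan_hidden_dirs ROOT  (hypothetical helper name)
# Prints "relative/path<TAB>reason" for every regular file located below a
# dot-directory that is executable by the current user or starts with the
# ELF magic bytes.
scan_hidden_dirs() {
    ( cd "$1" 2>/dev/null || exit 1
      # Paths are relative to ROOT, so dot-directories above ROOT never match.
      find . -xdev -type f -path '*/.*/*' -exec sh -c '
        for f in "$@"; do
            reason=""
            if [ -x "$f" ]; then reason="exec-bit"; fi
            magic=$(head -c 4 "$f" 2>/dev/null | od -An -tx1 | tr -d " \n")
            if [ "$magic" = "7f454c46" ]; then reason="${reason:+$reason,}elf"; fi
            if [ -n "$reason" ]; then printf "%s\t%s\n" "${f#./}" "$reason"; fi
        done' sh {} + | sort )
}

# make_sample_home: builds a constructed tree standing in for /home and
# prints its location. All names and contents are made up for the demo.
make_sample_home() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/user/Documents" "$d/user/.mozilla" "$d/user/.cache/.x"
    echo "notes" > "$d/user/Documents/todo.txt"
    printf '#!/bin/sh\n' > "$d/user/Documents/backup.sh"
    chmod 755 "$d/user/Documents/backup.sh"      # visible script: not flagged
    echo "prefs" > "$d/user/.mozilla/prefs.js"   # hidden dir, plain data: not flagged
    printf '#!/bin/sh\n' > "$d/user/.cache/.x/run"
    chmod 755 "$d/user/.cache/.x/run"            # flagged: exec-bit
    printf '\177ELF\002\001\001' > "$d/user/.cache/.x/bot"   # flagged: elf
    echo "$d"
}

sample=$(make_sample_home)
scan_hidden_dirs "$sample"
rm -rf "$sample"
```

Hits are candidates for manual review, not proof of compromise: plenty of legitimate software keeps executables under dot-directories.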



