Weird Network Manager Problem (Updated)
James McKenzie
jjmckenzie51 at earthlink.net
Sun Sep 26 12:49:17 UTC 2010
On 9/25/10 11:05 PM, Ed Greshko wrote:
> On 09/26/2010 01:52 PM, JD wrote:
>> On 09/25/2010 10:42 PM, Ed Greshko wrote:
>>> On 09/26/2010 12:54 PM, JD wrote:
>>>> Well,if my machine was rooted, and I have a firewall that
>>>> drops ALL incoming requests, then how was it rooted if not
>>>> through some package or through the kernel itself?
>>> I would suggest folks take a step back and do some research on "lkm
>>> false positive" before jumping to a conclusion that they have a problem.
>>>
>> Well, ... before jumping to a conclusion that who has a problem?
>> rkhunter or chkrootkit? I assume you mean rkhunter??
>> If so, I tend to agree. I saw a lot of google hits reporting
>> false positives by chkrootkit.
>>
> Any of these "detection applications" can report false positives. Which
> is why they report "your system *may* be infected" or "*Possible* XXX
> installed...".
>
> My message is simple. If you run these apps and they say you may be
> infected...don't jump to a conclusion and nuke your system.
>
It is quite interesting that the files that were infected are those files.
And I agree that blowing away the system should be a 'last resort'
action, but the OP is of the opinion that the system was indeed
rooted, due to a review of the audit logs, which show these files were
changed from the outside.
Firewalls are breachable, BTW. It was fun to watch the TV ads with the
African woman talking in the voice of the 17-year-old who had cracked her
account and then used her money to build 'a Robot that I'm taking to
the Senior Prom'. She was not amused.
Also, it is a good idea to use TWO or more tools to verify that you were
'rooted'. A check of the file change dates will also reveal if you were
breached.
James McKenzie
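The file-change-date check James suggests above, as an added example that is not part of the original thread and is not code from rkhunter or chkrootkit. The idea it demonstrates: an intruder can backdate a replaced binary's modification time (mtime) with `touch -d`, but the inode change time (ctime) is set by the kernel on every content or metadata change and cannot be set from user space, so scanning on ctime rather than mtime, and flagging files whose mtime is older than their ctime, catches the backdating trick. The sample tree, the fake `ps`/`ifconfig` files, the 7-day window and the 60-second slack are all constructed assumptions for the demo; the optional `rpm -qf` cross-check is the "second tool" and is skipped when rpm is not installed.

```python
"""Timestamp cross-check for suspected rootkit file replacements.

Added example; not from the original mailing-list thread. Sample data is
constructed in a temporary directory so the script runs offline.
"""
import os
import shutil
import subprocess
import tempfile
import time
from dataclasses import dataclass

WINDOW = 7 * 86400   # assumption: look at changes in the last 7 days
SLACK = 60           # assumption: ctime may trail mtime by a minute legitimately


@dataclass
class Finding:
    path: str
    mtime: float
    ctime: float
    mtime_backdated: bool   # True when mtime is older than ctime by > SLACK


def scan_tree(root, window=WINDOW, slack=SLACK, now=None):
    """Return a Finding for every file under root whose ctime falls in the window.

    ctime is the trustworthy clock here: it moves forward whenever content or
    metadata change, including when someone runs `touch -d` to push mtime back.
    Note that a normal package install also leaves ctime > mtime (mtime is the
    build time, ctime the install time), so a backdated flag means "verify this
    against the package database", not "this is malware".
    """
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; nothing to say about it
            if now - st.st_ctime > window:
                continue  # untouched within the window
            backdated = (st.st_ctime - st.st_mtime) > slack
            findings.append(Finding(path, st.st_mtime, st.st_ctime, backdated))
    return findings


def package_owner(path):
    """Second tool: ask rpm which package owns the file.

    Returns the package name, or None if rpm is absent or nothing owns the
    file. An unowned file sitting in /bin, /sbin or /lib deserves a close look.
    """
    if shutil.which("rpm") is None:
        return None
    proc = subprocess.run(
        ["rpm", "-qf", "--queryformat", "%{NAME}\n", path],
        capture_output=True, text=True,
    )
    return proc.stdout.strip() if proc.returncode == 0 else None


def build_sample_tree():
    """Constructed demo tree: one freshly dropped file, one backdated file."""
    root = tempfile.mkdtemp(prefix="rootkit-check-")
    fresh = os.path.join(root, "sbin", "ifconfig")       # constructed name
    backdated = os.path.join(root, "bin", "ps")          # constructed name
    os.makedirs(os.path.dirname(fresh))
    os.makedirs(os.path.dirname(backdated))
    with open(fresh, "wb") as fh:
        fh.write(b"#!/bin/sh\necho replaced\n")
    with open(backdated, "wb") as fh:
        fh.write(b"#!/bin/sh\necho trojaned\n")
    # The attacker's `touch -d '30 days ago' ps`: mtime moves back, ctime moves to now.
    thirty_days_ago = time.time() - 30 * 86400
    os.utime(backdated, (thirty_days_ago, thirty_days_ago))
    return root


def demo():
    """Scan the constructed tree; returns {relative path: Finding}."""
    root = build_sample_tree()
    return {os.path.relpath(f.path, root): f for f in scan_tree(root)}


if __name__ == "__main__":
    for rel, f in sorted(demo().items()):
        flag = "BACKDATED mtime" if f.mtime_backdated else "recent change"
        print(f"{rel}: {flag}  mtime={time.ctime(f.mtime)}  ctime={time.ctime(f.ctime)}")
```

On a real Fedora box you would point `scan_tree` at `/bin`, `/sbin`, `/usr/bin`, `/lib` and the kernel module tree, then run each flagged path through `package_owner` and `rpm -V` on the owning package; two independent signals (a recent ctime and a failed rpm verification, or a clean rpm verification plus a hit from rkhunter or chkrootkit) are far more convincing than any one scanner's "possible" warning.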