Weird Network Manager Problem (Updated)

James McKenzie jjmckenzie51 at earthlink.net
Sun Sep 26 15:41:02 UTC 2010


  On 9/26/10 8:17 AM, JD wrote:
>
> On 09/26/2010 05:49 AM, James McKenzie wrote:
>>     On 9/25/10 11:05 PM, Ed Greshko wrote:
>>>     On 09/26/2010 01:52 PM, JD wrote:
>>>> On 09/25/2010 10:42 PM, Ed Greshko wrote:
>>>>>      On 09/26/2010 12:54 PM, JD wrote:
>>>>>> Well, if my machine was rooted, and I have a firewall that
>>>>>> drops ALL incoming requests, then how was it rooted if not
>>>>>> through some package or through the kernel itself?
>>>>> I would suggest folks take a step back and do some research on "lkm
>>>>> false positive" before jumping to a conclusion that they have a problem.
>>>>>
>>>> Well, ...  before jumping to a conclusion that who has a problem?
>>>> rkhunter or chkrootkit?  I assume you mean rkhunter??
>>>> If so, I tend to agree. I saw a lot of google hits reporting
>>>> false positives by chkrootkit.
>>>>
>>> Any of these "detection applications" can report false positives.  Which
>>> is why they report "your system *may* be infected" or "*Possible* XXX
>>> installed...".
>>>
>>> My message is simple.  If you run these apps and they say you may be
>>> infected...don't jump to a conclusion and nuke your system.
>>>
>> It is quite interesting that the files that were infected are those files.
>>
>> And I agree that blowing away the system should be a 'last resort'
>> action, but the OP is under the opinion that the system was indeed
>> rooted due to a review of the auditing logs which show these files were
>> changed from the outside.
>>
>> Firewalls are breachable, BTW.  It was fun to watch the TV ads with the
>> African Female talking with the 17 year old's voice that had cracked her
>> account and then he used her money to build 'a Robot that I'm taking to
>> the Senior Prom'.  She was not amused.
>>
>> Also, it is a good idea to use TWO or more tools to verify that you were
>> 'rooted'.  A check of the file change dates will also reveal if you were
>> breached.
>>
>> James McKenzie
>>
> It was a false positive.
> At the end of my $PATH was a bin dir for many scripts I create
> to make my typing less tedious. One of the scripts was called psu
> and it invoked ps with different options.
> I moved it to /tmp and re-ran chkrootkit and it came clean.
> No rootkit.
>
Good news and no need to go nuclear on the system...

James McKenzie
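The triage JD describes above (a scanner flags a name, the match turns out to be a personal helper script sitting in a PATH directory) and James's advice to cross-check with a second source and look at file change dates, as an added example that is not part of the thread and not code from chkrootkit or rkhunter. It walks $PATH for every file with the flagged name, prints where it lives, its `ls -l` line, whether it starts with a `#!` shebang (an interpreted script) rather than a binary, and, when `rpm` is present, which package owns it. The `psu` script in the usage below is constructed for the example; the real one in the thread is not shown. It assumes a POSIX sh with `head -c` support (GNU and BSD coreutils both have it).

```shell
# Added example (not from the thread, not chkrootkit code).
# triage_path_hit NAME: find every file called NAME on $PATH and print
# enough context to tell a local helper script from a planted binary.
# Returns 0 if at least one match was found, 1 otherwise.
triage_path_hit() {
    name=$1
    found=1
    saved_ifs=$IFS
    IFS=:
    for dir in $PATH; do
        [ -n "$dir" ] || dir=.            # an empty PATH entry means "."
        f=$dir/$name
        [ -f "$f" ] || continue
        found=0
        printf 'match: %s\n' "$f"
        ls -l "$f"                        # owner, mode and modification time
        magic=$(head -c 2 "$f")           # "#!" => script, "\177E" => ELF
        if [ "$magic" = '#!' ]; then
            printf 'type: script (%s)\n' "$(head -n 1 "$f")"
        else
            printf 'type: binary or data\n'
        fi
        # Second opinion: does the package database own this file at all?
        # A home-grown helper script in a private bin dir will not be owned.
        if command -v rpm >/dev/null 2>&1; then
            rpm -qf "$f" 2>/dev/null || printf 'package: none (unowned file)\n'
        fi
    done
    IFS=$saved_ifs
    return $found
}

# first_path_match NAME: only the path of the first match, for use in scripts.
first_path_match() {
    triage_path_hit "$1" | sed -n 's/^match: //p' | head -n 1
}

# list_recent_changes DIR DAYS: files under DIR modified within the last DAYS
# days. Run it over the directory a scanner hit lives in (and over /usr/bin,
# /sbin, etc.) to see whether anything else changed at the same time.
list_recent_changes() {
    find "$1" -type f -mtime -"$2"
}

# Usage, with a constructed stand-in for the helper script from the thread:
#   tmp=$(mktemp -d)
#   printf '#!/bin/sh\nexec ps -eo pid,user,comm "$@"\n' > "$tmp/psu"
#   chmod +x "$tmp/psu"
#   PATH="$tmp:$PATH"
#   triage_path_hit psu
#   list_recent_changes "$tmp" 1
```

If the only hit is a `#!` script in your own bin directory, owned by no package and with a modification time you recognise, the scanner matched on the file name alone. If instead the match is an unowned ELF file in a system directory, or `rpm -V` on its package reports changed checksums, that is the point at which the "you may be infected" wording stops being a false positive and a second tool is worth running before deciding anything.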


