Chkrootkit - can't find 'strings'

Header says it all. Trying to start chkrootkit, getting the above error
message. Also been having strange reboots. 'Last' gives message 'gone -
no logout.' The only thing changed is a minor update to Xfree via apt-get
this afternoon. Running Libranet - Debian with kernel 2.4.26

Ran chkrootkit with -x option and received same message.

Sam
10/8/2004 12:28:05 AM
comp.os.linux.security


On Fri, 08 Oct 2004 00:28:05 GMT, Sam Miller wrote:
> Header says it all. 

guessing it cannot find /usr/bin/strings
Bit
10/8/2004 12:55:41 AM
On Fri, 08 Oct 2004 00:55:41 +0000, Bit Twister wrote:

> On Fri, 08 Oct 2004 00:28:05 GMT, Sam Miller wrote:
>> Header says it all. 
> 
> guessing it cannot find /usr/bin/strings

Correct. Tried deleting and reinstalling chkrootkit, same answer. Ran
F.I.R.E. and tried chkrootkit from CD. Received answer that 'ps' was
infected. Checked MD5SUM for ps against this machine and it checked out.

What should I try now?

Thanks in advance.

Sam Miller


Sam
10/8/2004 2:31:12 AM
On Fri, 08 Oct 2004 02:31:12 GMT, Sam Miller wrote:
> On Fri, 08 Oct 2004 00:55:41 +0000, Bit Twister wrote:
>
>> On Fri, 08 Oct 2004 00:28:05 GMT, Sam Miller wrote:
>>> Header says it all. 
>> 
>> guessing it cannot find /usr/bin/strings
>
> Correct. Tried deleting and reinstalling chkrootkit, same answer. 

Yep, you would have to install /usr/bin/strings

>  Ran F.I.R.E. and tried chkrootkit from CD. 

Good, you cannot use anything on an infected box to try to find/test
for an infection/malware.

> Received answer that 'ps' was infected. 
> Checked MD5SUM for ps against this machine and it checked out.

Any machine on the same network could be infected or if same
passwords, any machine on your lan.

> What should I try now?

I would take the box off the network and do a clean install.    :(


Something to read here, while waiting for someone else to jump in.

     http://groups.google.com/advanced_group_search

google_tag_cracked_4_next_time   in the first box
alt.os.linux                     in the Newsgroup box, pick English


Bit
10/8/2004 3:05:15 AM
On Fri, 08 Oct 2004 03:05:15 +0000, Bit Twister wrote:

> On Fri, 08 Oct 2004 02:31:12 GMT, Sam Miller wrote:
>> On Fri, 08 Oct 2004 00:55:41 +0000, Bit Twister wrote:
>>
>>> On Fri, 08 Oct 2004 00:28:05 GMT, Sam Miller wrote:
>>>> Header says it all. 
>>> 
>>> guessing it cannot find /usr/bin/strings
>>
>> Correct. Tried deleting and reinstalling chkrootkit, same answer. 
> 
> Yep, you would have to install      /usr/bin/strings
> 
>>  Ran F.I.R.E. and tried chkrootkit from CD. 
> 
> Good, you cannot use anything on an infected box to try to find/test
> for an infection/malware.
> 
>> Received answer that 'ps' was infected. 
>> Checked MD5SUM for ps against this machine and it checked out.
> 
> Any machine on the same network could be infected or if same
> passwords, any machine on your lan.
> 
>> What should I try now?
> 
> I would take the box off the network and do a clean install.    :(
> 
> 
The two boxes are not on a network. I've never gotten around to hooking
them together. I just unhook the DSL modem from one and switch to the
other. So I'm guessing the md5sums from the same kernel should be the
same. By the way, booting from Knoppix said ps was okay but ifconfig was
not. Md5sums checked again.

Thanks.

Sam

Sam
10/8/2004 4:03:51 AM
On Fri, 08 Oct 2004 04:03:51 GMT, Sam Miller wrote:
> On Fri, 08 Oct 2004 03:05:15 +0000, Bit Twister wrote:
.. By the way, booting from Knoppix said ps was okay but ifconfig was
> not. Md5sums checked again.

Sounds like you are getting random results.

I would run memtest86 or have a hardware problem.

Bit
10/8/2004 4:14:57 AM
On Fri, 08 Oct 2004 04:14:57 +0000, Bit Twister wrote:

> On Fri, 08 Oct 2004 04:03:51 GMT, Sam Miller wrote:
>> On Fri, 08 Oct 2004 03:05:15 +0000, Bit Twister wrote:
> . By the way, booting from Knoppix said ps was okay but ifconfig was
>> not. Md5sums checked again.
> 
> Sounds like you are getting random results.
> 
> I would run memtest86 or have a hardware problem.

I believe you've got something there. By the way, copying /usr/bin/strings
from the one machine to the other got chkrootkit started again. I
downloaded the latest tarball and was given a clean slate.

Dang, and this machine is less than a year old.

Thanks for the help.

Sam

Sam
10/8/2004 4:53:54 AM
Bit Twister <BitTwister@localhost.localdomain> writes:

[snip]
>> Received answer that 'ps' was infected. 
>> Checked MD5SUM for ps against this machine and it checked out.

I have the same thing here on Gentoo with the most recent procps (started
on upgrade); I'm getting a warning that ps is `INFECTED' but actually it's
not, it's just that the strings | grep that chkrootkit does is too wide.

Run chkrootkit -x and `strings /bin/ps' for yourself, see how it looks.

> Any machine on the same network could be infected or if same passwords,
> any machine on your lan.
>
>> What should I try now?
>
> I would take the box off the network and do a clean install.    :(

I would have a bloody good look around, run rkhunter, see if you can
actually find a named kit/exploit, otherwise it could just be a bug in
chkrootkit. Be prepared to look around for rootkits and evidence of
tampering - check /etc/passwd for unknown users and nmap all your ports
from another machine on the network[1] to correlate against `netstat -pln`,
for example.

~Tim

Footnotes: 
[1]  yes, I know from other articles you don't have one yet. Get on with
it, it'll be useful now!

-- 
Remember, fish are FOOD not FRIENDS!        |piglet@stirfried.vegetable.org.uk
                                            |http://spodzone.org.uk/cesspit
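
Added example (not from any post in this thread): the three checks Tim's reply describes, run over constructed sample data so the script works offline on plain POSIX sh. Part 1 shows why a substring-wide `strings | grep` can flag a clean `ps` while a whole-line match does not; part 2 looks for UID-0 accounts other than root in passwd; part 3 correlates the ports an external scan sees against what `netstat -pln` on the box admits to. The strings-output lines, the marker `/dev/hid`, the account `toor`, and port 6667 are all assumptions made up for the demonstration, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Three checks from Tim's reply, run over
# constructed sample data so the script works offline on any POSIX sh.

# ---- 1. How a "too wide" strings|grep produces a false INFECTED verdict ----
# Constructed stand-in for `strings /bin/ps` output. The last line is a
# legitimate message that merely *contains* the substring "hid".
sample_strings_output() {
  printf '%s\n' \
    'Usage: ps [options]' \
    '--forest' \
    '/etc/ld.so.cache' \
    'libproc-3.2.3.so' \
    'hiding column headers'
}

# Substring match, the way a too-wide check behaves: counts the harmless line.
wide_check() { sample_strings_output | grep -c 'hid' || true; }

# Whole-line match against the assumed marker '/dev/hid': no false hit.
strict_check() { sample_strings_output | grep -cx '/dev/hid' || true; }

# ---- 2. Unknown UID-0 accounts in /etc/passwd ----
# Constructed passwd lines; 'toor' is an assumed second superuser entry.
sample_passwd() {
  printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'daemon:x:1:1:daemon:/usr/sbin:/bin/sh' \
    'sam:x:1000:1000:Sam:/home/sam:/bin/bash' \
    'toor:x:0:0::/:/bin/sh'
}

# Prints every account other than root whose UID is 0.
extra_uid0() { sample_passwd | awk -F: '$3 == 0 && $1 != "root" { print $1 }'; }

# ---- 3. Correlate an external scan against what the box admits to ----
# Constructed `netstat -pln` output (what the possibly-compromised box reports).
sample_netstat() {
  printf '%s\n' \
    'Active Internet connections (only servers)' \
    'Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name' \
    'tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      512/sshd' \
    'tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      600/cupsd'
}

# Constructed nmap output as seen from a second machine; 6667/tcp is assumed.
sample_nmap() {
  printf '%s\n' \
    'PORT     STATE SERVICE' \
    '22/tcp   open  ssh' \
    '6667/tcp open  irc'
}

# TCP ports the box itself says it is listening on (last ':'-field of column 4).
local_tcp_ports() {
  sample_netstat | awk '$1 == "tcp" && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# TCP ports the external scan found open.
scanned_ports() {
  sample_nmap | awk '$2 == "open" { split($1, a, "/"); print a[1] }' | sort -un
}

# Ports reachable from outside that the local netstat does not account for.
# A hit here is what a socket-hiding rootkit looks like from the outside.
unexplained_ports() {
  for p in $(scanned_ports); do
    local_tcp_ports | grep -qx "$p" || echo "$p"
  done
}

# Stand-alone report when run directly.
echo "wide grep hits on clean ps strings:    $(wide_check)"
echo "strict grep hits:                      $(strict_check)"
echo "extra UID-0 accounts:                  $(extra_uid0)"
echo "ports open outside but not in netstat: $(unexplained_ports)"
```

To use the port check for real, replace `sample_netstat` with `netstat -pln` run on the suspect box and `sample_nmap` with the scan output from the other machine; a port that only the outside sees is the thing to chase, since a tool on a compromised box can be made to lie but the network cannot.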
Tim
10/8/2004 8:28:07 AM
Sam Miller <svekan@mindspring.com> writes:

> On Fri, 08 Oct 2004 04:14:57 +0000, Bit Twister wrote:
>
>> On Fri, 08 Oct 2004 04:03:51 GMT, Sam Miller wrote:
>>> On Fri, 08 Oct 2004 03:05:15 +0000, Bit Twister wrote:
>> . By the way, booting from Knoppix said ps was okay but ifconfig was
>>> not. Md5sums checked again.
>> 
>> Sounds like you are getting random results.
>> 
>> I would run memtest86 or have a hardware problem.
>
> I believe you've got something there. By the way, copying /usr/bin/strings
> from the one machine to the other got chkrootkit started again. I
> downloaded the latest tarball and was given a clean slate.
>
> Dang, and this machine is less than a year old.

Well, I'm surprised that you managed to have a linux box installed without
strings(1) present, so either
a) chkrootkit wasn't finding it (I find I have to be in /usr/sbin and type
   ./chkrootkit for it to find its component executables on gentoo, myself)
b) there's hardware corruption shitting on your filesystems
or
c) some nasty eejit removed it as part of a borked rootkit install.

~Tim
-- 
There's a sadness, there's a joy            |piglet@stirfried.vegetable.org.uk
There's a place,                            |http://spodzone.org.uk/cesspit
There's a song that will never die          |
Forever                                     |
Tim
10/8/2004 8:33:10 AM
On Fri, 08 Oct 2004 04:53:54 GMT, Sam Miller wrote:
>> 
>> I would run memtest86 or have a hardware problem.
>
> I believe you've got something there. By the way, copying /usr/bin/strings
> from the one machine to the other got chkrootkit started again. I
> downloaded the latest tarball and was given a clean slate.

You cannot compile chkrootkit on a compromised system and trust it.

Bit
10/8/2004 1:54:26 PM
On 2004-10-08, Sam Miller <svekan@mindspring.com> wrote:

> Header says it all. Trying to start chkrootkit, getting the above error
> message. Also been having strange reboots.'Last' gives message 'gone -
> no logout.' The only thing changed is a minor update to Xfree via apt-get
> this afternoon. Running Libranet - Debian with kernel 2.4.26
>
> Ran chkrootkit with -x option and received same message.

chkrootkit installs its own statically-linked "strings" program.  You may 
have to edit the chkrootkit script to point it directly to this program.

-- 

-John (john@os2.dhs.org)
John
10/8/2004 2:58:49 PM
On Fri, 08 Oct 2004 09:33:10 +0100, Tim Haynes wrote:

> Sam Miller <svekan@mindspring.com> writes:
> 
>> On Fri, 08 Oct 2004 04:14:57 +0000, Bit Twister wrote:
>>
>>> On Fri, 08 Oct 2004 04:03:51 GMT, Sam Miller wrote:
>>>> On Fri, 08 Oct 2004 03:05:15 +0000, Bit Twister wrote:
>>> . By the way, booting from Knoppix said ps was okay but ifconfig was
>>>> not. Md5sums checked again.
>>> 
>>> Sounds like you are getting random results.
>>> 
>>> I would run memtest86 or have a hardware problem.
>>
>> I believe you've got something there. By the way, copying /usr/bin/strings
>> from the one machine to the other got chkrootkit started again. I
>> downloaded the latest tarball and was given a clean slate.
>>
>> Dang, and this machine is less than a year old.
> 
> Well, I'm surprised that you managed to have a linux box installed without
> strings(1) present, so either
> a) chkrootkit wasn't finding it (I find I have to be in /usr/sbin and type
>    ./chkrootkit for it to find its component executables on gentoo, myself)
> b) there's hardware corruption shitting on your filesystems
> or
> c) some nasty eejit removed it as part of a borked rootkit install.

Thanks everyone for your help. I was told that /usr/bin/strings is
installed through binutils, so I reinstalled it and chkrootkit began
working again. I'm leaning towards (2) in the post above as I began having
problems with X and my video card at the same time. Reinstalling Nvidia's
driver solved that. Hoping that the minor thunderstorm yesterday caused
problems.

The system was wiped and reinstalled about a month ago with a firewall in
place before going online and Clamav as one of the first programs. I have
no services like telnet or the like open.

But I'll check and recheck using the tools and hints given me.

Thanks again.

Sam
10/9/2004 1:44:37 AM
On Sat, 09 Oct 2004 01:44:37 +0000, Sam Miller wrote:

> On Fri, 08 Oct 2004 09:33:10 +0100, Tim Haynes wrote:
> 
>> Sam Miller <svekan@mindspring.com> writes:
>> 
>>> On Fri, 08 Oct 2004 04:14:57 +0000, Bit Twister wrote:
>>>
>>>> On Fri, 08 Oct 2004 04:03:51 GMT, Sam Miller wrote:
>>>>> On Fri, 08 Oct 2004 03:05:15 +0000, Bit Twister wrote:
>>>> . By the way, booting from Knoppix said ps was okay but ifconfig was
>>>>> not. Md5sums checked again.
>>>> 
A (hopefully) final PS. All rkhunter could find was that ssh allowed root
login even if it wasn't enabled. Root login is now 'no'.

One of these days I'll know enough to be less than dangerous...
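
Added example (not from any post in this thread) for the sshd finding above: a commented-out `PermitRootLogin` line sets nothing, so the compiled-in default applies, and for OpenSSH releases before 7.0 (the era of this thread) that default was `yes`. The script reads sshd_config text and reports the effective value, treating only uncommented directives as active. Both configs are constructed; `Match` blocks are not handled, which is an assumed simplification.

```shell
#!/bin/sh
# Added example, not from the thread: report the effective PermitRootLogin
# value of an sshd_config. Constructed configs; Match blocks are ignored.

# Constructed: the shape rkhunter complains about. The directive is only a
# comment, so root login is still permitted by the pre-7.0 default.
weak_config() {
  printf '%s\n' \
    'Port 22' \
    '#PermitRootLogin yes' \
    'PasswordAuthentication yes'
}

# Constructed hardened config: the directive is active and set to no.
hardened_config() {
  printf '%s\n' \
    'Port 22' \
    'PermitRootLogin no' \
    'PasswordAuthentication yes'
}

# Reads sshd_config text on stdin and prints the effective PermitRootLogin
# value. Only uncommented lines count; sshd honours the first occurrence, so
# we stop there. If nothing matches, the pre-7.0 default "yes" is reported.
effective_permit_root_login() {
  awk 'tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
       END { if (!found) print "yes" }'
}

# Convenience wrappers so each config can be audited by name.
audit_weak()     { weak_config     | effective_permit_root_login; }
audit_hardened() { hardened_config | effective_permit_root_login; }

# Stand-alone report when run directly.
echo "weak config, effective PermitRootLogin:     $(audit_weak)"
echo "hardened config, effective PermitRootLogin: $(audit_hardened)"
```

On a real system, feed `/etc/ssh/sshd_config` to `effective_permit_root_login` instead of the constructed text; the point is that "not enabled" and "set to no" are different states, and only the second one is what the scanner is asking for.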

Sam
10/9/2004 2:44:09 AM