  1. #1
    Linux Engineer hazel
    Join Date
    May 2004
    Location
    Harrow, UK
    Posts
    1,281

    Is this something I ought to be worried about?


    I've just installed chkrootkit and run it for the first time. As I expected and hoped, it failed to find any infected base programs or known worms. But it did report this:
    Code:
    Searching for suspicious files and dirs, it may take a while...
    /usr/lib/jvm/.java-gcj.jinfo
    /lib/modules/2.6.15-29-386/volatile/.mounted
    Does this mean that there is something wrong with these files?
    "I'm just a little old lady; don't try to dazzle me with jargon!"
    www.hrussman.entadsl.com

  2. #2
    Linux Guru anomie
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Although I'm not familiar with either file in your case, it's probably ok. chkrootkit checks several filesystems for hidden files/subdirectories (i.e. those preceded with a ".") and reports on what it discovers. This particular check is highly likely to produce false positives.

    There are some steps you can perform to try to determine what the file is and where it came from. For example, I run CentOS 5 (rpm-based) -- here's a similar scenario from my box.

    chkrootkit output:
    Code:
    ...
    Searching for suspicious files and dirs, it may take a while... 
    /usr/lib/gtk-2.0/immodules/.relocation-tag /usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist
    ...
    rpm check of file -> package relationship:
    Code:
    [root@fugu ~]# rpm -q -f /usr/lib/gtk-2.0/immodules/.relocation-tag
    gtk2-2.10.4-19.el5
    
    [root@fugu ~]# rpm -q -f /usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist
    perl-5.8.8-10.el5_0.2
    Aha. So they both appear to belong to legit packages. If I were sufficiently paranoid, I could run package integrity tests using rpm (-V option). But I'm satisfied with that.

  3. #3
    Linux Engineer hazel
    Join Date
    May 2004
    Location
    Harrow, UK
    Posts
    1,281
    I just used dpkg-query to check these files and the first is certainly legitimate. It belongs to a package called java-gcj-compat, though I've no idea what that actually does. I couldn't find any record for the .mounted file so I took a look at it. It's an empty file, obviously some kind of logical flag for the system. I don't see how an empty flag file can do any harm without a malicious program to use it, and no actual worms were detected, so I think I'll ignore it. Thanks for your help anyway.
    "I'm just a little old lady; don't try to dazzle me with jargon!"
    www.hrussman.entadsl.com

  5. #4
    Linux Engineer hazel
    Join Date
    May 2004
    Location
    Harrow, UK
    Posts
    1,281
    Well, if anyone is interested, /lib/modules/2.6.15-29/volatile/.mounted is kosher too. It's created by an Ubuntu startup script called lrm-manager which turns proprietary drivers into kernel modules; the modules are created in a temporary filesystem mounted on /lib/modules/kernel_version/volatile, and this flag file is then created to show that the mount is complete. Panic over!
    "I'm just a little old lady; don't try to dazzle me with jargon!"
    www.hrussman.entadsl.com
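The two checks used in this thread (anomie's rpm -q -f on CentOS, hazel's dpkg lookup on Ubuntu) combined into one triage script for the "suspicious files and dirs" list; this is an added example, not code from the thread or from chkrootkit. PKG_QUERY is an assumed hook for swapping in another lookup, and the sample output is constructed from the paths quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread: triage the hidden files listed by
# chkrootkit's "Searching for suspicious files and dirs" check by asking the
# package manager who owns each path (dpkg on Debian/Ubuntu, rpm on CentOS).
# Owned path = the usual false positive; unowned but present = inspect by hand.
# Constructed sample of chkrootkit output, adapted from the paths in the thread.
SAMPLE_OUTPUT='...
Searching for suspicious files and dirs, it may take a while...
/usr/lib/jvm/.java-gcj.jinfo
/lib/modules/2.6.15-29-386/volatile/.mounted /usr/lib/gtk-2.0/immodules/.relocation-tag
...'

# Print the suspicious paths, one per line.  They follow the header line and
# chkrootkit may put several on one line, so split on whitespace.
extract_suspicious_paths() {
    awk '/^Searching for suspicious files and dirs/ { grab = 1; next }
         grab && /^[^\/]/ { grab = 0 }
         grab { for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Print the package owning $1 and return 0, or return 1 if none claims it.
# PKG_QUERY (assumed name, for tests or other distros) overrides the lookup.
package_owner() {
    if [ -n "${PKG_QUERY:-}" ]; then
        "$PKG_QUERY" "$1"
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$1" 2>/dev/null | sed 's/:.*//' | head -n 1 | grep .
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q -f "$1" 2>/dev/null | grep -v 'is not owned by' | grep .
    else
        return 1
    fi
}

# Read chkrootkit output on stdin; print "VERDICT<tab>path<tab>detail" per path.
triage() {
    extract_suspicious_paths | while read -r p; do
        if owner=$(package_owner "$p"); then
            printf 'OWNED\t%s\t%s\n' "$p" "$owner"
        elif [ -e "$p" ]; then
            printf 'UNOWNED\t%s\t%s\n' "$p" "inspect: ls -l, file, stat"
        else
            printf 'MISSING\t%s\t%s\n' "$p" "not present now"
        fi
    done
}

# `sh triage.sh --demo` runs the sample; `chkrootkit | sh triage.sh -` runs live.
if [ "${1:-}" = "--demo" ]; then printf '%s\n' "$SAMPLE_OUTPUT" | triage
elif [ "${1:-}" = "-" ]; then triage; fi
```

An UNOWNED verdict is not proof of compromise (hazel's .mounted flag is unowned and benign); it only marks what still needs a manual look.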
