jlg (Guru)
Joined: 31 May 2002 | Posts: 360 | Location: Montreal, CANADA
Posted: Tue Apr 29, 2003 8:27 pm | Post subject: Ramen Worm! Weird?
I downloaded FIRE 0.3.5b and gave it a try on my system.
I booted my PC with the FIRE CD.
Mounted my root partition on /mnt/sda2.
Did /usr/bin/chkrootkit/chkrootkit -r /mnt/sda2
I get "not infected" for every test except this one:
Checking `asp'... Warning: Possible Ramen Worm installed (/mnt/sda2/asp)
I looked at my system and there is no /mnt/sda2/asp.
I looked at the procedure to remove Ramen:
Quote:
1. Delete: /usr/src/.poop and /sbin/asp.
2. If it exists, remove: /etc/xinetd.d/asp
3. Remove all lines in /etc/rc.d/rc.sysinit which refer to any file in /etc/src/.poop.
4. Remove any lines in /etc/inetd.conf referring to /sbin/asp
5. Reboot the system or manually kill any processes such as synscan, start.sh, scan.sh, hackl.sh, or hackw.sh.
6. ISS recommends that ftp, rpc.statd, or lpr are not enabled until updates have been installed.
But I have none of those files on my system.
I emerged chkrootkit 0.39a and it finds nothing.
I downloaded ramenfind-0.4 and this finds nothing also.
Any idea why I get a warning from the FIRE CD? Any file in Gentoo that could give it a false positive?
For anyone who would like to test their system:
http://fire.dmzs.com/

jlg (Guru)
Joined: 31 May 2002 | Posts: 360 | Location: Montreal, CANADA
Posted: Mon May 05, 2003 12:00 am
I just did a fresh install of Morphix and then ran the chkrootkit test from the F.I.R.E CD and it gave the same warning! I guess it's an issue with F.I.R.E.
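
One way to cross-check a warning like this is to test the indicators from the removal procedure quoted in the first post directly against the mounted root. This is an added example, not part of the original thread or of chkrootkit; the function name `ramen_check` is hypothetical, and it assumes the partition is mounted read-only at the path passed in (for example /mnt/sda2).

```shell
#!/bin/sh
# Added example: look for the Ramen indicators named in the quoted removal
# procedure under an offline-mounted root. Prints one line per hit.
# Return status: 0 = no indicators found, 1 = at least one found.
ramen_check() {
    root=${1%/}          # strip a trailing slash; "" means the live root
    hits=0

    # Steps 1 and 2 of the procedure: dropped files and directories.
    for p in /usr/src/.poop /sbin/asp /etc/xinetd.d/asp; do
        # -L also catches dangling symlinks, which -e reports as absent.
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            printf 'FOUND path: %s\n' "$root$p"
            hits=$((hits + 1))
        fi
    done

    # Steps 3 and 4: start-up and inetd entries that reference them.
    # The procedure names both /usr/src/.poop and /etc/src/.poop, so the
    # rc.sysinit search matches the fixed string ".poop" (assumption).
    for spec in "/etc/rc.d/rc.sysinit:.poop" "/etc/inetd.conf:/sbin/asp"; do
        file=$root${spec%%:*}
        needle=${spec#*:}
        [ -f "$file" ] || continue
        # -F: fixed string, so the dot in ".poop" is not a regex wildcard.
        if matches=$(grep -n -F -e "$needle" "$file"); then
            printf '%s\n' "$matches" | while IFS= read -r m; do
                printf 'FOUND line: %s:%s\n' "$file" "$m"
            done
            hits=$((hits + 1))
        fi
    done

    [ "$hits" -eq 0 ] && printf 'no Ramen indicators under %s\n' "${root:-/}"
    [ "$hits" -eq 0 ]
}
```

Source the file and call `ramen_check /mnt/sda2`; a clean result here alongside a scanner warning points toward a false positive in the scanner's own test rather than files on the disk.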