aia n00b
Joined: 16 Sep 2012 Posts: 18
Posted: Tue Nov 27, 2012 8:47 pm Post subject: [SOLVED] Knark Rootkit
Hi all,
I just finished the rkhunter installation.
I scanned my system and I found one possible rootkit with the name: Knark Rootkit.
Do I have to worry about this?
I tried to find out if there is a way to delete this rootkit but I didn't find anything.
Last edited by aia on Tue Nov 27, 2012 10:35 pm; edited 1 time in total
Fitzcarraldo Advocate
Joined: 30 Aug 2008 Posts: 2034 Location: United Kingdom
aCOSwt Bodhisattva
Joined: 19 Oct 2007 Posts: 2537 Location: Hilbert space
Posted: Tue Nov 27, 2012 8:53 pm Post subject: Re: Knark Rootkit
aia wrote:
> I scanned my system and I found one possible rootkit with the name: Knark Rootkit.
> Do I have to worry about this?
What did rkhunter say about this in detail?
Did it say it found a knark directory in /proc?
aia n00b
Joined: 16 Sep 2012 Posts: 18
Posted: Tue Nov 27, 2012 9:03 pm Post subject:
@ Fitzcarraldo
I've already seen this post
https://forums.gentoo.org/viewtopic-t-691008-start-0.html
but my output is different.
@ aCOSwt
No, it doesn't, just only:
Rootkit checks...
Rootkits checked : 308
Possible rootkits: 1
Rootkit names : Knark Rootkit
and I also have some warnings. Is this rootkit important?
aCOSwt Bodhisattva
Joined: 19 Oct 2007 Posts: 2537 Location: Hilbert space
Posted: Tue Nov 27, 2012 9:22 pm Post subject:
You should get a logfile somewhere. In /var/log I think.
Fetch it and search for Knark.
aia n00b
Joined: 16 Sep 2012 Posts: 18
Posted: Tue Nov 27, 2012 9:33 pm Post subject:
Yes, the log file is here
Code:
/var/log/rkhunter.log
but there is no reference to knark in it.
Strange. Also, I have seen it written that Knark is a rootkit for the Linux kernels 2.2 and 2.4, and I have the newest kernel in my system.
I tried to find out if there is a way to delete this rootkit and I didn't find anything on Google.
aia n00b
Joined: 16 Sep 2012 Posts: 18
Posted: Tue Nov 27, 2012 9:56 pm Post subject:
I also scanned with chkrootkit
and I didn't see anything wrong in the output.
Which of the two rootkit programs should I trust?
aCOSwt Bodhisattva
Joined: 19 Oct 2007 Posts: 2537 Location: Hilbert space
Posted: Tue Nov 27, 2012 10:11 pm Post subject:
Please do look closely into your log.
I just cannot believe that rkhunter would report such a conclusion without logging any detail.
aia n00b
Joined: 16 Sep 2012 Posts: 18
Posted: Tue Nov 27, 2012 10:25 pm Post subject:
Yes, you are right!
Code:
Checking system startup files for malware [ Warning ]
[00:23:32] Warning: Found string 'hidef' in file '/etc/init.d/net.lo'. Possible rootkit: Knark Rootkit
@ Fitzcarraldo was also right
Last edited by aia on Tue Nov 27, 2012 10:29 pm; edited 1 time in total
aCOSwt Bodhisattva
Joined: 19 Oct 2007 Posts: 2537 Location: Hilbert space
Posted: Tue Nov 27, 2012 10:28 pm Post subject:
So you are in the false positive case Fitzcarraldo had told you about.
aia n00b
Joined: 16 Sep 2012 Posts: 18
Posted: Tue Nov 27, 2012 10:33 pm Post subject:
Sorry guys, but when I checked this log the first time it looked half incomplete.
Then I cleaned /var/log/rkhunter.log and ran the command rkhunter -c again, got the newest log, and realized that it wasn't the same as the initial one.
Thank you!
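
Added example, not part of the original thread and not rkhunter's own code: a small shell helper that pulls each "Found string ... Possible rootkit" warning of the form quoted above out of an rkhunter log and shows how the flagged string actually occurs in the named file. The function names, the word-boundary heuristic and the sample file contents (including the variable name hidefirst) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage rkhunter "Found string" warnings (not rkhunter code).
tab=$(printf '\t')

# Print "string<TAB>file<TAB>rootkit" for each string-match warning in a log.
parse_warnings() {
    sed -n "s/^.*Warning: Found string '\([^']*\)' in file '\([^']*\)'\. Possible rootkit: \(.*\)\$/\1${tab}\2${tab}\3/p" "$1"
}

# How does STRING ($1) occur in FILE ($2)?
#   absent          not there any more (file changed since the scan)
#   substring-only  only ever inside a longer identifier
#   standalone      appears as a token of its own; read that line closely
classify_hit() {
    [ -r "$2" ] || { echo "unreadable"; return; }
    grep -qF -- "$1" "$2" || { echo "absent"; return; }
    if grep -qwF -- "$1" "$2"; then echo "standalone"; else echo "substring-only"; fi
}

# For every warning in log $1, print the verdict and the matching lines.
triage() {
    parse_warnings "$1" | while IFS="$tab" read -r str file kit; do
        printf '%s: "%s" in %s -> %s\n' "$kit" "$str" "$file" "$(classify_hit "$str" "$file")"
        grep -nF -- "$str" "$file" 2>/dev/null | sed 's/^/    /'
    done
}

# Self-contained run on constructed data.
demo() {
    d=$(mktemp -d) || return 1
    # Constructed stand-in for the flagged script, NOT the real net.lo.
    printf '%s\n' '#!/sbin/runscript' 'local hidefirst=false' > "$d/net.lo"
    # Constructed log line in the format quoted in the thread.
    printf "[00:23:32] Warning: Found string 'hidef' in file '%s'. Possible rootkit: Knark Rootkit\n" "$d/net.lo" > "$d/rkhunter.log"
    triage "$d/rkhunter.log"
    rm -rf "$d"
}

# With a log path as argument, triage it; with none, run the demo.
if [ "$#" -gt 0 ]; then triage "$1"; else demo; fi
```

Run it as sh triage.sh /var/log/rkhunter.log (script name hypothetical). The verdict is only a hint, so still read the printed lines before dismissing a warning.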