Gentoo Forums
Networking & Security
[SOLVED] Knark Rootkit
aia (n00b)
PostPosted: Tue Nov 27, 2012 8:47 pm    Post subject: [SOLVED] Knark Rootkit

Hi all,

I just finished the rkhunter installation.

I scanned my system and found one possible rootkit with the name: Knark Rootkit.
Do I have to worry about this?

I tried to find out whether there is a way to delete this rootkit, but I didn't find anything.


Last edited by aia on Tue Nov 27, 2012 10:35 pm; edited 1 time in total
Fitzcarraldo (Veteran)
PostPosted: Tue Nov 27, 2012 8:52 pm    Post subject:

It's a false positive: https://forums.gentoo.org/viewtopic-t-691008-start-0.html
aCOSwt (Bodhisattva)
PostPosted: Tue Nov 27, 2012 8:53 pm    Post subject: Re: Knark Rootkit

aia wrote:
> I scanned my system and found one possible rootkit with the name: Knark Rootkit.
> Do I have to worry about this?

What did rkhunter say about this in detail?
Did it say it found a knark directory in /proc?
aia (n00b)
PostPosted: Tue Nov 27, 2012 9:03 pm    Post subject:

@ Fitzcarraldo

I have already seen this post
https://forums.gentoo.org/viewtopic-t-691008-start-0.html
but my output is different.

@ aCOSwt

No, it doesn't. It only says:

Rootkit checks...
Rootkits checked : 308
Possible rootkits: 1
Rootkit names : Knark Rootkit

and I also have some warnings. Is this rootkit important?
aCOSwt (Bodhisattva)
PostPosted: Tue Nov 27, 2012 9:22 pm    Post subject:

You should get a logfile somewhere, in /var/log I think.
Fetch it and search for Knark.
aia (n00b)
PostPosted: Tue Nov 27, 2012 9:33 pm    Post subject:

Yes, the log file is here:
Code:

/var/log/rkhunter.log

but there is no reference to knark in it.
Strange. Also, I have read that Knark is a rootkit for the Linux 2.2 and 2.4 kernels, and I have the newest kernel on my system.
I tried to find out whether there is a way to delete this rootkit and I didn't find anything on Google.
aia (n00b)
PostPosted: Tue Nov 27, 2012 9:56 pm    Post subject:

I also scanned with chkrootkit
and I didn't see anything wrong in the output.
Which of the two rootkit scanners should I trust?
aCOSwt (Bodhisattva)
PostPosted: Tue Nov 27, 2012 10:11 pm    Post subject:

Please do look closely into your log.
I just cannot trust rkhunter would report such a conclusion without logging any detail.
aia (n00b)
PostPosted: Tue Nov 27, 2012 10:25 pm    Post subject:

Yes, you are right!
Code:

 Checking system startup files for malware       [ Warning ]
[00:23:32] Warning: Found string 'hidef' in file '/etc/init.d/net.lo'. Possible rootkit: Knark Rootkit

@ Fitzcarraldo was also right.


Last edited by aia on Tue Nov 27, 2012 10:29 pm; edited 1 time in total
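A triage helper for the warning format quoted above, added here as an example and not part of this thread or of rkhunter itself: it pulls the "Found string ... in file ..." warnings out of an rkhunter log and checks whether the signature string occurs as a standalone token in the flagged file or only inside a longer identifier, which is the usual shape of this kind of string-signature false positive. The log text and the stand-in contents of /etc/init.d/net.lo are constructed samples, and the verdict is a reading aid for the analyst, not a proof either way.

```python
import re

# rkhunter warning line format as quoted in the thread. The log text below is
# a constructed sample that mimics it, not a real /var/log/rkhunter.log.
WARN_RE = re.compile(
    r"^\[(\d\d:\d\d:\d\d)\] Warning: Found string '([^']+)' in file '([^']+)'\."
    r" Possible rootkit: (.+?)\s*$"
)

SAMPLE_LOG = """\
 Checking system startup files for malware       [ Warning ]
[00:23:32] Warning: Found string 'hidef' in file '/etc/init.d/net.lo'. Possible rootkit: Knark Rootkit
"""

# Constructed stand-in for the flagged file (not the real Gentoo script):
# 'hidef' occurs only inside a longer, unrelated identifier.
SAMPLE_FILES = {
    "/etc/init.d/net.lo": "#!/sbin/runscript\n"
                          "_hidefirst_iface() {\n"
                          "\treturn 0\n"
                          "}\n",
}

def parse_warnings(log_text):
    """Extract time, needle, path and rootkit name from string-match warnings."""
    hits = []
    for line in log_text.splitlines():
        m = WARN_RE.match(line.strip())
        if m:
            hits.append({"time": m[1], "needle": m[2], "path": m[3], "rootkit": m[4]})
    return hits

def classify_match(needle, text):
    """'whole-word' if the needle is a standalone token, 'substring' if it only
    appears inside a longer identifier, 'absent' if it is not in the file."""
    if needle not in text:
        return "absent"
    token = r"(?<![A-Za-z0-9_])" + re.escape(needle) + r"(?![A-Za-z0-9_])"
    return "whole-word" if re.search(token, text) else "substring"

def triage(log_text, files):
    """For each warning, report the verdict plus the file lines containing the needle."""
    report = []
    for hit in parse_warnings(log_text):
        text = files.get(hit["path"], "")
        context = [ln for ln in text.splitlines() if hit["needle"] in ln]
        report.append({**hit, "verdict": classify_match(hit["needle"], text), "context": context})
    return report

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG, SAMPLE_FILES):
        print(f"{r['rootkit']}: '{r['needle']}' in {r['path']} -> {r['verdict']}")
        for ln in r["context"]:
            print("    " + ln)
```

On a real system, replace SAMPLE_FILES with a lookup that reads the flagged path from disk and read the printed context lines yourself before deciding.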
aCOSwt (Bodhisattva)
PostPosted: Tue Nov 27, 2012 10:28 pm    Post subject:

So you are in the false positive case Fitzcarraldo had told you about.
aia (n00b)
PostPosted: Tue Nov 27, 2012 10:33 pm    Post subject:

Sorry guys, but when I checked this log the first time it looked half complete.
Then I cleaned /var/log/rkhunter.log, ran the command rkhunter -c again, got the newest log, and realized it was not the same as the initial one.

Thank you!
All times are GMT