I installed and ran chkrootkit. (out of curiosity).
Everything seemed to be clean, except for this message:
Checking `crontab'... Warning: crontab for nobody found, possible Lupper.Worm... not infected
When I do crontab -e nobody, I get an empty file.
Should I be worried?
Hi stmok,
I have the same message on my server, but I don't think that it's a real problem.
Last edited by luca (2007-06-07 18:51:56)
what does
crontab -l nobody
kick out?
what does
crontab -l nobody
kick out?
It doesn't show anything.
i.e. I type in this...
=> [root@semp01 stmok]# crontab -l nobody
Response? Nothing.
=> [root@semp01 stmok]#
Is it supposed to say something?
Running a rootkit check locally probably wouldn't reveal a rootkit if you were infected, since the rootkit could already hide itself; you should run it from another machine (which you know isn't infected) or a live CD if you believe or fear you have been infected.
Instead of repeating what I wrote in February, please look at my post in the thread "was my comp hacked?". If this check in chkrootkit hasn't changed, this still applies.
Instead of repeating what I wrote in February, please look at my post in the thread "was my comp hacked?". If this check in chkrootkit hasn't changed, this still applies.
I see, I think I get what you're saying.
chkrootkit checks for unknown users. nobody is also considered a user. Since nobody exists, it also checks if there is a crontab for nobody. And if there isn't one, it's considered OK. Hence, it will spit out the answer "not infected".
I think what freaks people out is the message it prints on the screen.
=> Warning: crontab for nobody found, possible Lupper.Worm...not infected
They should change it to something like:
=> Warning: crontab for nobody found. Checking if infected by Lupper.Worm...not infected
We should include a wiki entry or some sort of sticky for this scenario. Maybe include a procedure of using a LiveCD that has chkrootkit (Knoppix?) for those who are paranoid. That way, it brings assurance to the user. (as well as establish good computing practice).
Why does nobody have a blank crontab, though - that's my question. If nobody has no crontab at all, you should get the following:
[root@pinkwater ~]# crontab -l nobody
no crontab for nobody
As it is, it sounds like nobody has a crontab, but nothing is entered in it.
Well, the test in chkrootkit starts with checking the error code of crontab -l -u nobody. Since the nobody user always exists, this test will always test true, since it returns a 0 error code even though a crontab does not exist for an existing user. The test would only return false if user nobody did not exist on the system.
Next, if the test returns true (as I said, it always does), chkrootkit prints the unnecessarily confusing message "Warning: crontab for nobody found, possible Lupper.Worm...", and then it checks if the string "crontab.*666" is present in the output from crontab -l -u nobody. If it is present, the system is deemed infected.
IMO, they ought to only do the second check, and output messages based on that test.
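The two-stage check described in the last two posts (an exit-status test that always fires when the user exists, then the grep for "crontab.*666" that actually decides the verdict), reproduced as an added shell example. This is not chkrootkit's own source; it follows the logic as the thread describes it, and it stubs out `crontab -l -u` with three constructed scenarios so it runs on any machine without cron or a `nobody` account. The "lupper" crontab line is a constructed string that merely matches the pattern, not the worm's real payload. A second function shows the fix proposed in the thread: let only the grep decide, and word the message accordingly.

```shell
#!/bin/sh
# Added example (not chkrootkit code): reproduce the Lupper.Worm crontab
# check as the thread describes it, with crontab output simulated.

# Simulated `crontab -l -u USER`. $2 selects a constructed scenario:
#   empty  -> user exists, nothing scheduled: no output, exit 0 (what stmok saw)
#   lupper -> user exists, one constructed line matching "crontab.*666", exit 0
#   nouser -> user does not exist: error on stderr, exit 1
fake_crontab_l() {
    case "$2" in
        empty)  return 0 ;;
        lupper) printf '* * * * * /tmp/crontab 666\n'; return 0 ;;
        nouser) printf 'crontab: user %s unknown\n' "$1" >&2; return 1 ;;
        *)      printf 'unknown scenario %s\n' "$2" >&2; return 2 ;;
    esac
}

# Stage 1 as the thread describes it: keyed on the exit status alone.
# It succeeds for every existing user, crontab or not, so the warning
# is printed on practically every host.
lupper_stage1() { fake_crontab_l "$1" "$2" >/dev/null 2>&1; }

# Stage 2: the test that actually decides the verdict.
lupper_stage2() { fake_crontab_l "$1" "$2" 2>/dev/null | grep -q 'crontab.*666'; }

# chkrootkit-style flow: scary warning first, real verdict second.
lupper_check() {
    if lupper_stage1 "$1" "$2"; then
        printf 'Warning: crontab for %s found, possible Lupper.Worm... ' "$1"
        if lupper_stage2 "$1" "$2"; then echo INFECTED; else echo "not infected"; fi
    else
        echo "not tested (no such user)"
    fi
}

# The fix suggested in the thread: only the grep decides, and the
# warning is printed only when something was actually found.
lupper_check_fixed() {
    if lupper_stage2 "$1" "$2"; then
        echo "Warning: crontab for $1 matches Lupper.Worm pattern... INFECTED"
    else
        echo "not infected"
    fi
}

# Demo: run all three constructed scenarios through both versions.
for s in empty lupper nouser; do
    printf '%-7s chkrootkit-style: ' "$s"; lupper_check nobody "$s"
    printf '%-7s fixed:            ' "$s"; lupper_check_fixed nobody "$s"
done
```

Running the demo shows the point of the thread directly: the "empty" scenario (an existing user with nothing scheduled) prints the alarming warning in the first version and a plain "not infected" in the second, while the only scenario that changes the verdict in either version is the one whose listing matches the pattern. To run the real check rather than the stub, replace `fake_crontab_l "$1" "$2"` with `crontab -l -u "$1"` and, as the earlier post advises, do it from a live CD or a known-clean machine if you actually suspect an infection.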