Re: F21: infection reported by "chkrootkit".

On Tue, 28 Jul 2015 13:55:47 -0400, William wrote:

>  > By examining the chkrootkit program -- it's a large shell script with
>  > a few helper tools -- to understand what it does to perform a check.
> 
> ???  I looked at that long sh script.  It didn't help.  I don't see how 
> knowing that chkrootkit uses "netstat" to check a port tells me whether 
> or not I have a real problem.  I don't understand what it means that a 
> port is infected.  I am a home user stuck doing his own sysadmin and 
> security with no training or experience in these things.

Then I suggest that chkrootkit is not the right tool for you.
You may ask why not? Because it's far from bullet-proof. Some of
the checks it implements are no longer relevant these days. There
are more modern rootkits that are not covered by chkrootkit. There is
no database that would receive online updates to cover more known
rootkits or vulnerabilities. It only tries to check for a few modifications
it is aware of. Other checks are not safe but only very rudimentary.
Even normal processes running on a normal installation can confuse
it. For a very long time, it considered the main systemd executable as
infected, and nobody did anything about that. Everywhere you could
meet Fedora users asking whether Fedora's official ISO images would be
infected. There's a README file included in the Fedora package, which
comments on the problem of "false positives". It's the user's
responsibility to verify what chkrootkit reports, because it's not
safe to rely on it. Running chkrootkit gives a false sense of
security. If it doesn't find anything (and neither does rkhunter), you
could still be affected by something it cannot find (even a rootkit
that has only been slightly modified) or by some other vulnerability it doesn't
even check for.

There are multiple layers of security. As a home user, better focus on
tools that protect your machine from intruders. Such as a firewall,
SELinux, security relevant updates, not running things as superuser
root, and deciding carefully what to install or execute on your machine.
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
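The reply above says it is the user's job to verify what chkrootkit reports rather than trust the word "INFECTED". As an added illustration (not code from the thread, from chkrootkit, or from Fedora), the following POSIX shell helper walks a chkrootkit-style report and does the two checks a practitioner would reach for first: for a flagged port, list which process actually listens on it with `ss`; for a flagged binary, ask `rpm -Vf` whether the file still matches the package that installed it. The report text is constructed, and the line format ("Checking `NAME'... INFECTED (PORTS: ...)") is an approximation of chkrootkit's output, so adjust the patterns if your version prints differently. `ss` and `rpm` are only invoked when present, so the parsing part runs anywhere.

```shell
#!/bin/sh
# Added example (not part of the original mail or of chkrootkit): triage
# chkrootkit findings instead of taking "INFECTED" at face value.
# Line format assumed (approximation of chkrootkit's output):
#   Checking `NAME'... INFECTED
#   Checking `bindshell'... INFECTED (PORTS:  465 1524)

# Constructed sample report; not captured from a real chkrootkit run.
SAMPLE_REPORT=$(cat <<'EOF'
Checking `ls'... not infected
Checking `systemd'... INFECTED
Checking `bindshell'... INFECTED (PORTS:  465 1524)
EOF
)

# Name of the check on an INFECTED line (e.g. "systemd"); empty otherwise.
name_from_finding() {
    printf '%s\n' "$1" | sed -n "s/^Checking \`\([^']*\)'\.\.\. INFECTED.*/\1/p"
}

# Space-separated port list from a bindshell finding; empty if none.
ports_from_finding() {
    printf '%s\n' "$1" \
        | sed -n 's/.*INFECTED (PORTS:[[:space:]]*\([0-9 ]*\)).*/\1/p' \
        | tr -s ' ' | sed 's/^ //; s/ $//'
}

# chkrootkit flags a port simply because something listens on a port from
# its built-in list. Whether that is a problem depends on which process
# owns the socket, which ss -p shows (needs root to see other users' PIDs).
check_port() {
    port=$1
    if command -v ss >/dev/null 2>&1; then
        echo "port $port: current listeners (no lines = nothing listening now)"
        ss -ltnp "( sport = :$port )" || true
    else
        echo "port $port: ss not available; run: ss -ltnp '( sport = :$port )'"
    fi
}

# Does the flagged binary still match its package? Caveat: rpm -V trusts
# the local RPM database, which root-level malware could rewrite too, so a
# clean result is evidence against a false positive, not proof of a clean box.
check_binary() {
    name=$1
    path=$(command -v "$name" 2>/dev/null) || path=""
    if [ -z "$path" ]; then
        echo "$name: not in PATH; locate the file chkrootkit actually tested"
    elif command -v rpm >/dev/null 2>&1; then
        echo "$name ($path): rpm -Vf (no output = matches its package)"
        rpm -Vf "$path" || echo "$name: rpm reports differences or an unowned file"
    else
        echo "$name ($path): rpm not available; on Fedora run: rpm -Vf $path"
    fi
}

# Walk a report and triage every INFECTED line.
triage_report() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        name=$(name_from_finding "$line")
        [ -n "$name" ] || continue
        ports=$(ports_from_finding "$line")
        if [ -n "$ports" ]; then
            for p in $ports; do check_port "$p"; done
        else
            check_binary "$name"
        fi
    done
}

triage_report "$SAMPLE_REPORT"
```

Run it as root on the machine that produced the report (`sh triage.sh`), or pipe a real report in by replacing SAMPLE_REPORT with `$(cat chkrootkit.log)`. A listener you can account for (for example a mail or web daemon you installed) or a binary that verifies against its package is the usual explanation for a chkrootkit hit; anything you cannot explain is where the real investigation starts.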