Giuseppe Iuculano <giuse...@iuculano.it> writes:
> I can't reproduce that, could you send me your full
> /var/log/chkrootkit/log.today.raw please?
Attached. I suspect the bug is in the chkutmp executable itself rather than in any of the scripts that subsequently process its output, and that it is triggered by long command lines: in the attached log, the tty8 record is cut off at "/var/log/e" and the next record's "!" marker runs straight onto it. Incidentally, chkutmp also appears to be getting the PID wrong; it reports 25903 for the tty8 daemon process, whereas ps shows 6539:

$ ps lwwt 8
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
4 116 6539 1 20 0 16560 716 ? Ss+ tty8 0:00 daemon --foreground --respawn --attempts=20 --delay=10 --name=8-_-_var_-_log_-_exim4_-_mainlog --pidfile=/var/run/console-log/Debian-console-log/8-_-_var_-_log_-_exim4_-_mainlog --user Debian-console-log adm /usr/share/console-log/logpager -- less /var/log/exim4/mainlog 7000000

-- 
Aaron M. Ucko, KB1CJC (amu at alum.mit.edu, ucko at debian.org) http://www.mit.edu/~amu/ | http://stuff.mit.edu/cgi/finger/?...@monk.mit.edu
Possible RH-Sharpe rootkit installed: /usr/bin/slice /usr/lib/R/site-library/XML/exampleData/xinclude/.svn /usr/lib/R/site-library/Zelig/doc/.latex2html-init /usr/lib/R/site-library/MatchIt/doc/.latex2html-init /usr/lib/coq/ide/.coqide-gtk2rc /usr/lib/jvm/.java-gcj.jinfo /usr/lib/jvm/.java-6-openjdk.jinfo /usr/lib/jvm/java-1.5.0-gcj-4.4/.java-gcj-4.4.jinfo /usr/lib/sagemath/.pc /usr/lib/sagemath/.pc/system-rhome.patch/.timestamp /usr/lib/sagemath/.pc/.version /usr/lib/sagemath/devel/sage-main/c_lib/.sconsign.dblite /usr/lib/sagemath/devel/sage-main/.cython_hash /usr/lib/kaffe/.system /usr/lib/perl5/auto/Data/Float/.packlist /usr/lib/perl5/auto/Data/Entropy/.packlist /usr/lib/perl5/auto/Authen/DecHpwd/.packlist /usr/lib/perl5/auto/Authen/Passphrase/.packlist /usr/lib/perl5/auto/Crypt/MySQL/.packlist /usr/lib/perl5/auto/Scalar/String/.packlist /usr/lib/smlnj/bin/.run /usr/lib/smlnj/bin/.heap /usr/lib/smlnj/bin/.link-sml /usr/lib/smlnj/bin/.arch-n-opsys /usr/lib/smlnj/bin/.run-sml /usr/lib/smlnj/lib/c/.cm /usr/lib/smlnj/lib/c/memory/.cm /usr/lib/smlnj/lib/c/internals/.cm /usr/lib/smlnj/lib/cml/.cm /usr/lib/smlnj/lib/cml-lib/.cm /usr/lib/smlnj/lib/smlnj-tdp/.cm /usr/lib/smlnj/lib/SMLNJ-MLRISC/.cm /usr/lib/smlnj/lib/regexp-lib.cm/.cm /usr/lib/smlnj/lib/ml-lpt-lib.cm/.cm /usr/lib/smlnj/lib/ml-ulex-tool.cm/.cm /usr/lib/smlnj/lib/smlnj/cm/.cm /usr/lib/smlnj/lib/smlnj/.cm /usr/lib/smlnj/lib/smlnj/cmb/.cm /usr/lib/smlnj/lib/smlnj/init/.cm /usr/lib/smlnj/lib/smlnj/smlnj-lib/.cm /usr/lib/smlnj/lib/smlnj/MLRISC/.cm /usr/lib/smlnj/lib/smlnj/basis/.cm /usr/lib/smlnj/lib/smlnj/ml-yacc/.cm /usr/lib/smlnj/lib/smlnj/compiler/.cm /usr/lib/smlnj/lib/smlnj/viscomp/.cm /usr/lib/smlnj/lib/smlnj/installer/.cm /usr/lib/smlnj/lib/smlnj/internal/.cm /usr/lib/smlnj/lib/eXene.cm/.cm /usr/lib/smlnj/lib/SMLNJ-LIB/PP/.cm /usr/lib/smlnj/lib/SMLNJ-LIB/HTML/.cm /usr/lib/smlnj/lib/SMLNJ-LIB/Util/.cm /usr/lib/smlnj/lib/SMLNJ-LIB/Controls/.cm /usr/lib/smlnj/lib/noweb-tool.cm/.cm 
/usr/lib/smlnj/lib/grm-ext.cm/.cm /usr/lib/smlnj/lib/mllex-tool.cm/.cm /usr/lib/smlnj/lib/pgraph-util.cm/.cm /usr/lib/smlnj/lib/make-tool.cm/.cm /usr/lib/smlnj/lib/pgraph.cm/.cm /usr/lib/smlnj/lib/inet-lib.cm/.cm /usr/lib/smlnj/lib/dir-tool.cm/.cm /usr/lib/smlnj/lib/mlrisc-tools/.cm /usr/lib/smlnj/lib/reactive-lib.cm/.cm /usr/lib/smlnj/lib/ckit-lib.cm/.cm /usr/lib/smlnj/lib/mlburg-tool.cm/.cm /usr/lib/smlnj/lib/SMLNJ-ML-YACC-LIB/.cm /usr/lib/smlnj/lib/burg-ext.cm/.cm /usr/lib/smlnj/lib/lex-ext.cm/.cm /usr/lib/smlnj/lib/hash-cons-lib.cm/.cm /usr/lib/smlnj/lib/unix-lib.cm/.cm /usr/lib/smlnj/lib/nw-ext.cm/.cm /usr/lib/smlnj/lib/shell-tool.cm/.cm /usr/lib/smlnj/lib/ml-antlr-tool.cm/.cm /usr/lib/smlnj/lib/mlyacc-tool.cm/.cm /usr/lib/smlnj/lib/pickle-lib.cm/.cm /usr/lib/smlnj/lib/SMLNJ-BASIS/.cm /usr/lib/eclipse/.eclipseproduct /usr/lib/eclipse/plugins/org.eclipse.pde.build_3.4.1.R34x_v20080805/.options /usr/lib/eclipse/plugins/org.eclipse.ui.intro.universal_3.2.200.v20080508/.options /usr/lib/eclipse/plugins/org.eclipse.cdt.source_3.1.2.200805011412/src/org.eclipse.cdt.core_3.1.2.200805011412/.options /usr/lib/eclipse/plugins/org.eclipse.cdt.source_3.1.2.200805011412/src/org.eclipse.cdt.debug.mi.core_3.1.2.200805011412/.options /usr/lib/eclipse/plugins/org.eclipse.cdt.source_3.1.2.200805011412/src/org.eclipse.cdt.make.core_3.1.2.200805011412/.options /usr/lib/jruby1.2/lib/ruby/1.8/cgi/.document /usr/lib/jruby1.2/lib/ruby/1.8/rdoc/markup/.document /usr/lib/jruby1.2/lib/ruby/1.8/.document /usr/lib/jruby1.2/lib/ruby/1.8/xmlrpc/.document /usr/lib/xulrunner-1.9/.autoreg /usr/lib/iceweasel/.autoreg /usr/lib/ftpmirror/auto/Fan/DIR/.exists /usr/lib/ftpmirror/auto/Fan/FTP/.exists /usr/lib/ftpmirror/auto/Fan/MD5/.exists /usr/lib/ftpmirror/auto/Fan/TCP/.exists /usr/lib/ftpmirror/auto/Fan/Cool/.exists /usr/lib/ftpmirror/auto/Fan/Farm/.exists /usr/lib/ftpmirror/auto/Fan/HTTP/.exists /usr/lib/ftpmirror/auto/Fan/Scan/.exists /usr/lib/ftpmirror/auto/Fan/Attrib/.exists 
/usr/lib/ftpmirror/auto/Fan/Param/.exists /usr/lib/ftpmirror/auto/Fan/Usage/.exists /usr/lib/ftpmirror/auto/Fan/Loader/.exists /usr/lib/ftpmirror/auto/Fan/.exists /usr/lib/geomview/.geomview-gvclock /usr/lib/geomview/.geomview-animate /usr/lib/geomview/.geomview-clipboard /usr/lib/geomview/.geomview-drawbdy /usr/lib/geomview/.geomview-nose /usr/lib/GNUstep/Applications/HelpViewer.app/Resources/HelpViewer.help/.gwdir /usr/lib/GNUstep/Library/Cenon/Devices/din/.dir.tiff /usr/lib/GNUstep/Library/Cenon/Devices/hpgl/.dir.tiff /usr/lib/GNUstep/Library/Cenon/Devices/gerber/.dir.tiff /usr/lib/GNUstep/Library/Cenon/Devices/.dir.tiff /usr/lib/GNUstep/Library/Cenon/Projects/.dir.tiff /usr/lib/GNUstep/Library/Cenon/.dir.tiff /usr/lib/iceape/.autoreg /usr/lib/python2.4/site-packages/nevow/test/test_package/Foo/.foo.js /usr/lib/python2.4/site-packages/nevow/test/test_package/.test /usr/lib/python2.5/site-packages/nevow/test/test_package/Foo/.foo.js /usr/lib/python2.5/site-packages/nevow/test/test_package/.test /usr/lib/python2.5/site-packages/enthought/docs/html/tvtk/.buildinfo /usr/lib/python2.5/site-packages/enthought/docs/html/mayavi/.buildinfo /usr/lib/python2.5/site-packages/enthought/tvtk/html/.buildinfo /usr/lib/python2.5/site-packages/enthought/mayavi/html/.buildinfo /usr/lib/pymodules/python2.4/.path /usr/lib/pymodules/python2.4/werkzeug/debug/shared/.noinit /usr/lib/pymodules/python2.4/werkzeug/debug/templates/.noinit /usr/lib/pymodules/python2.4/twisted/plugins/.noinit /usr/lib/pymodules/python2.4/pylons/templates/default_project/+package+/templates/.distutils_placeholder /usr/lib/pymodules/python2.4/pylons/templates/minimal_project/+package+/templates/.distutils_placeholder /usr/lib/pymodules/python2.5/.path /usr/lib/pymodules/python2.5/werkzeug/debug/shared/.noinit /usr/lib/pymodules/python2.5/werkzeug/debug/templates/.noinit /usr/lib/pymodules/python2.5/twisted/plugins/.noinit 
/usr/lib/pymodules/python2.5/pylons/templates/default_project/+package+/templates/.distutils_placeholder /usr/lib/pymodules/python2.5/pylons/templates/minimal_project/+package+/templates/.distutils_placeholder /usr/lib/icedove/.autoreg /usr/lib/viewglob/.zshrc /lib/init/rw/.ramfs /usr/lib/R/site-library/XML/exampleData/xinclude/.svn /usr/lib/sagemath/.pc /usr/lib/smlnj/bin/.run /usr/lib/smlnj/bin/.heap /usr/lib/smlnj/lib/c/.cm /usr/lib/smlnj/lib/c/memory/.cm /usr/lib/smlnj/lib/c/internals/.cm /usr/lib/smlnj/lib/cml/.cm /usr/lib/smlnj/lib/cml-lib/.cm /usr/lib/smlnj/lib/smlnj-tdp/.cm /usr/lib/smlnj/lib/SMLNJ-MLRISC/.cm /usr/lib/smlnj/lib/regexp-lib.cm/.cm /usr/lib/smlnj/lib/ml-lpt-lib.cm/.cm /usr/lib/smlnj/lib/ml-ulex-tool.cm/.cm /usr/lib/smlnj/lib/smlnj/cm/.cm /usr/lib/smlnj/lib/smlnj/.cm /usr/lib/smlnj/lib/smlnj/cmb/.cm /usr/lib/smlnj/lib/smlnj/init/.cm /usr/lib/smlnj/lib/smlnj/smlnj-lib/.cm /usr/lib/smlnj/lib/smlnj/MLRISC/.cm /usr/lib/smlnj/lib/smlnj/basis/.cm /usr/lib/smlnj/lib/smlnj/ml-yacc/.cm /usr/lib/smlnj/lib/smlnj/compiler/.cm /usr/lib/smlnj/lib/smlnj/viscomp/.cm /usr/lib/smlnj/lib/smlnj/installer/.cm /usr/lib/smlnj/lib/smlnj/internal/.cm /usr/lib/smlnj/lib/eXene.cm/.cm /usr/lib/smlnj/lib/SMLNJ-LIB/PP/.cm /usr/lib/smlnj/lib/SMLNJ-LIB/HTML/.cm /usr/lib/smlnj/lib/SMLNJ-LIB/Util/.cm /usr/lib/smlnj/lib/SMLNJ-LIB/Controls/.cm /usr/lib/smlnj/lib/noweb-tool.cm/.cm /usr/lib/smlnj/lib/grm-ext.cm/.cm /usr/lib/smlnj/lib/mllex-tool.cm/.cm /usr/lib/smlnj/lib/pgraph-util.cm/.cm /usr/lib/smlnj/lib/make-tool.cm/.cm /usr/lib/smlnj/lib/pgraph.cm/.cm /usr/lib/smlnj/lib/inet-lib.cm/.cm /usr/lib/smlnj/lib/dir-tool.cm/.cm /usr/lib/smlnj/lib/mlrisc-tools/.cm /usr/lib/smlnj/lib/reactive-lib.cm/.cm /usr/lib/smlnj/lib/ckit-lib.cm/.cm /usr/lib/smlnj/lib/mlburg-tool.cm/.cm /usr/lib/smlnj/lib/SMLNJ-ML-YACC-LIB/.cm /usr/lib/smlnj/lib/burg-ext.cm/.cm /usr/lib/smlnj/lib/lex-ext.cm/.cm /usr/lib/smlnj/lib/hash-cons-lib.cm/.cm /usr/lib/smlnj/lib/unix-lib.cm/.cm 
/usr/lib/smlnj/lib/nw-ext.cm/.cm /usr/lib/smlnj/lib/shell-tool.cm/.cm /usr/lib/smlnj/lib/ml-antlr-tool.cm/.cm /usr/lib/smlnj/lib/mlyacc-tool.cm/.cm /usr/lib/smlnj/lib/pickle-lib.cm/.cm /usr/lib/smlnj/lib/SMLNJ-BASIS/.cm /usr/lib/python2.4/site-packages/nevow/test/test_package/.test /usr/lib/python2.5/site-packages/nevow/test/test_package/.test 2 /usr/share/doc eth0: PACKET SNIFFER(/usr/sbin/dhcpd3[6708]) The tty of the following user process(es) were not found in /var/run/utmp ! ! RUID PID TTY CMD ! 116 6520 tty9 daemon --foreground --respawn --attempts=20 --delay=10 --name=9-_-_var_-_log_-_syslog --pidfile=/var/run/console-log/Debian-console-log/9-_-_var_-_log_-_syslog --user Debian-console-log adm /usr/share/console-log/logpager -- less /var/log/syslog 7000000 ! 116 25903 tty8 daemon --foreground --respawn --attempts=20 --delay=10 --name=8-_-_var_-_log_-_exim4_-_mainlog --pidfile=/var/run/console-log/Debian-console-log/8-_-_var_-_log_-_exim4_-_mainlog --user Debian-console-log adm /usr/share/console-log/logpager -- less /var/log/e! 116 6586 pts/2 less -Pwless /var/log/syslog +F /var/log/syslog ! 116 6587 pts/3 less -Pwless /var/log/exim4/mainlog +F /var/log/exim4/mainlog ! root 9339 tty3 /sbin/getty 38400 tty3 ! root 16339 tty7 /usr/bin/X :0 vt7 -nolisten tcp -retro -auth /var/lib/xdm/authdir/authfiles/A:0-n6KJPj