Rootkit found by rkhunter, chkrootkit?

Asked by Kent McNaughton on 2012-01-20

While building a new machine with a new hard drive, using the 10.10 Desktop (Linux version 2.6.35-31-generic, Ubuntu 2.6.35-31.63-generic), I included chkrootkit and rkhunter v1.3.6 and ran them successfully after the install. (rkhunter showed a couple of warnings that appeared to be false positives.) Running both these programs on another machine with the 10.10 Desktop had virtually identical, explainable results on Jan. 7th.

I updated the machine being built, ran chkrootkit and rkhunter on it, and shut it down on Jan. 7th. (The other machine is my working machine, so it's been kept online and has been getting updated.)

Yesterday, the 19th, I powered on the machine being built for the first time since the 7th and performed an update using Ubuntu Update Manager. After downloading the Tor Bundle from the Torproject and adding Duckduckgo, NoScript and Ghostery to the Firefox browser, using the Mozilla site, I ran "sudo chkrootkit", then ran "sudo rkhunter -c".

In /var/log/rkhunter.log there were many new warnings.

Ominously, "The file properties have changed:" for /bin/dmesg, /bin/login, /bin/more, /bin/mount, /bin/su, /usr/bin/dpkg, /usr/bin/dpkg-query, /usr/bin/last, /usr/bin/lastlog, /usr/bin/ldd, /usr/bin/logger, /usr/bin/newgrp, /usr/bin/passwd, /usr/bin/perl, /usr/bin/sudo, /usr/bin/whereis, /sbin/ifup, /sbin/ifdown, /sbin/init, /sbin/runlevel, /sbin/sulogin, /usr/sbin/groupadd, /usr/sbin/groupdel, /usr/sbin/groupmod, /usr/sbin/grpck, /usr/sbin/nologin, /usr/sbin/pwck, /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/sbin/vipw.

After this result, I ran "sudo rkhunter -c" on my working machine (which had also been updated). I don't see any of these "file properties have been changed" warnings in the log for this machine. Just the apparent false positives for /dev/shm/pulse-shm-blahblah, /etc/.java, /dev/udev, and /dev/.initramfs.

During the build, I tried to keep off the Internet except for updating the OS and downloading the above mentioned items. The machine in question is on a small home network, using a LAN switch as a connection--but even so, the connection was only during the build process.

I just now ran chkrootkit and got this result: "The following suspicious files and directories were found: /usr/lib/pymodules/python2.6/.path /usr/lib/xulrunner- /usr/lib/firefox-3.6.24/.autoreg". There are no log files in /var/log/chkrootkit. Hmmm, I may have missed this warning if it was in the chkrootkit output earlier.

I'm strongly thinking I need to reinstall, but I wonder if there is some other explanation for this ominous report from rkhunter and the "suspicious files" from chkrootkit.
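A check worth running before deciding on a reinstall: rkhunter's "file properties have changed" test compares each binary against the property database rkhunter itself stored, so if a package update replaced those binaries and the baseline was not refreshed with `rkhunter --propupd` afterwards, every updated file gets reported. dpkg keeps its own md5 manifest for every installed package (`/var/lib/dpkg/info/<package>.md5sums`, one `<md5>  <path without leading slash>` line per file), which gives an independent reference to compare the flagged files against. The script below is an added example, not code from the post, from rkhunter or from Ubuntu; the function names, the fixture layout and the sample files are constructed here for illustration. On a live system you would point it at the real manifest (`pkg=$(dpkg -S /bin/su | cut -d: -f1)` gives the owning package) with root `/`; `debsums -c` automates the same comparison for all packages.

```shell
#!/bin/sh
# Added example (not from the original post): compare files that rkhunter
# flags as "file properties have changed" against the md5 manifest dpkg
# keeps for the package that owns them. On a live Ubuntu system:
#   pkg=$(dpkg -S /bin/su | cut -d: -f1)          # -> login
#   verify_against_manifest /var/lib/dpkg/info/$pkg.md5sums / /bin/su
# The demo at the bottom uses a constructed fixture so it runs offline.

# verify_against_manifest MANIFEST ROOT PATH...
#   MANIFEST: "<md5>  <path without leading slash>" lines (dpkg .md5sums format)
#   ROOT:     filesystem root to prepend ("/" on a live system)
# Prints one line per PATH: OK, MODIFIED, MISSING or NOT-IN-MANIFEST.
# Returns 0 only if every path is OK. Paths containing spaces are not handled.
verify_against_manifest() {
    manifest=$1; root=$2; shift 2
    status=0
    for p in "$@"; do
        rel=${p#/}                                  # /bin/su -> bin/su
        expected=$(awk -v f="$rel" '$2 == f { print $1 }' "$manifest")
        if [ -z "$expected" ]; then
            echo "NOT-IN-MANIFEST $p"; status=1; continue
        fi
        if [ ! -f "${root%/}/$rel" ]; then
            echo "MISSING $p"; status=1; continue
        fi
        actual=$(md5sum "${root%/}/$rel" | awk '{ print $1 }')
        if [ "$actual" = "$expected" ]; then
            echo "OK $p"
        else
            echo "MODIFIED $p (manifest $expected, on disk $actual)"; status=1
        fi
    done
    return $status
}

# make_fixture: build a constructed package tree and its manifest under a
# temp dir and print that dir. After the manifest is written, bin/su is
# replaced (as an update or a tamper would), bin/login is deleted, and
# bin/mount was never listed, so all four outcomes are exercised.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/root/bin"
    printf 'dmesg v1\n' > "$d/root/bin/dmesg"
    printf 'su v1\n'    > "$d/root/bin/su"
    printf 'login v1\n' > "$d/root/bin/login"
    printf 'mount v1\n' > "$d/root/bin/mount"
    # md5sum's "<hash>  <relative path>" output is exactly dpkg's layout
    ( cd "$d/root" && md5sum bin/dmesg bin/su bin/login ) > "$d/manifest"
    printf 'su v2 (replaced after the manifest was written)\n' > "$d/root/bin/su"
    rm "$d/root/bin/login"
    echo "$d"
}

# demo_run: run the check over the constructed fixture, print the verdicts,
# and return the overall status (1 here, since not every file is OK).
demo_run() {
    d=$(make_fixture)
    verify_against_manifest "$d/manifest" "$d/root" \
        /bin/dmesg /bin/su /bin/login /bin/mount
    rc=$?
    rm -rf "$d"
    return $rc
}

demo_run || :
```

An OK verdict only shows that the file on disk is the one the installed package shipped; it does not prove the package, dpkg or the manifest itself is trustworthy on a host that may already be compromised, so treat it as a consistency check that explains a warning, not as a clean bill of health. A MODIFIED verdict on a binary dpkg did not just update is the result that actually deserves the reinstall.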

Question information

Language: English
Project: Ubuntu rkhunter
Assignee: none
Solved by: Kent McNaughton

I would reinstall personally.

Thank you actionparsnip. After looking about, and finding nothing, that's exactly what I did. Reinstalled.