posible rokkit ayuda para eliminarlo(solucionado)

Imagen de hikaro
0 puntos

acabo de instalar el rkhunter versión 1.3.8y meda esto al analizar a ver si me podéis echar un cable
[ Rootkit Hunter version 1.3.8 ]

Checking rkhunter data files...
Checking file mirrors.dat [ No update ]
Checking file programs_bad.dat [ Updated ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
~$ sudo rkhunter --checkall
[ Rootkit Hunter version 1.3.8 ]

Checking system commands...

Performing 'strings' command checks
Checking 'strings' command [ OK ]

Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preloaded libraries [ None found ]
Checking LD_LIBRARY_PATH variable [ Not found ]

Performing file properties checks
Checking for prerequisites [ OK ]
/usr/sbin/adduser [ OK ]
/usr/sbin/chroot [ OK ]
/usr/sbin/cron [ OK ]
/usr/sbin/groupadd [ OK ]
/usr/sbin/groupdel [ OK ]
/usr/sbin/groupmod [ OK ]
/usr/sbin/grpck [ OK ]
/usr/sbin/nologin [ OK ]
/usr/sbin/pwck [ OK ]
/usr/sbin/rsyslogd [ OK ]
/usr/sbin/tcpd [ OK ]
/usr/sbin/useradd [ OK ]
/usr/sbin/userdel [ OK ]
/usr/sbin/usermod [ OK ]
/usr/sbin/vipw [ OK ]
/usr/bin/awk [ OK ]
/usr/bin/basename [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/cut [ OK ]
/usr/bin/diff [ OK ]
/usr/bin/dirname [ OK ]
/usr/bin/dpkg [ OK ]
/usr/bin/dpkg-query [ OK ]
/usr/bin/du [ OK ]
/usr/bin/env [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/GET [ OK ]
/usr/bin/groups [ OK ]
/usr/bin/head [ OK ]
/usr/bin/id [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/last [ OK ]
/usr/bin/lastlog [ OK ]
/usr/bin/ldd [ OK ]
/usr/bin/less [ OK ]
/usr/bin/locate [ OK ]
/usr/bin/logger [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/lsof [ OK ]
/usr/bin/md5sum [ OK ]
/usr/bin/mlocate [ OK ]
/usr/bin/newgrp [ OK ]
/usr/bin/passwd [ OK ]
/usr/bin/perl [ OK ]
/usr/bin/pgrep [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/rkhunter [ OK ]
/usr/bin/runcon [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/sha224sum [ OK ]
/usr/bin/sha256sum [ OK ]
/usr/bin/sha384sum [ OK ]
/usr/bin/sha512sum [ OK ]
/usr/bin/size [ OK ]
/usr/bin/sort [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/strace [ OK ]
/usr/bin/strings [ OK ]
/usr/bin/sudo [ OK ]
/usr/bin/tail [ OK ]
/usr/bin/test [ OK ]
/usr/bin/top [ OK ]
/usr/bin/touch [ OK ]
/usr/bin/tr [ OK ]
/usr/bin/uniq [ OK ]
/usr/bin/users [ OK ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/wc [ OK ]
/usr/bin/wget [ OK ]
/usr/bin/whatis [ OK ]
/usr/bin/whereis [ OK ]
/usr/bin/which [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
/usr/bin/unhide.rb [ Warning ]
/usr/bin/mawk [ OK ]
/usr/bin/lwp-request [ OK ]
/usr/bin/w.procps [ OK ]
/sbin/depmod [ OK ]
/sbin/fsck [ OK ]
/sbin/ifconfig [ OK ]
/sbin/ifdown [ OK ]
/sbin/ifup [ OK ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/lsmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/modprobe [ OK ]
/sbin/rmmod [ OK ]
/sbin/route [ OK ]
/sbin/runlevel [ OK ]
/sbin/sulogin [ OK ]
/sbin/sysctl [ OK ]
/bin/bash [ OK ]
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/cp [ OK ]
/bin/date [ OK ]
/bin/df [ OK ]
/bin/dmesg [ OK ]
/bin/echo [ OK ]
/bin/ed [ OK ]
/bin/egrep [ OK ]
/bin/fgrep [ OK ]
/bin/fuser [ OK ]
/bin/grep [ OK ]
/bin/ip [ OK ]
/bin/kill [ OK ]
/bin/less [ OK ]
/bin/login [ OK ]
/bin/ls [ OK ]
/bin/lsmod [ OK ]
/bin/mktemp [ OK ]
/bin/more [ OK ]
/bin/mount [ OK ]
/bin/mv [ OK ]
/bin/netstat [ OK ]
/bin/ps [ OK ]
/bin/pwd [ OK ]
/bin/readlink [ OK ]
/bin/sed [ OK ]
/bin/sh [ OK ]
/bin/su [ OK ]
/bin/touch [ OK ]
/bin/uname [ OK ]
/bin/which [ OK ]
/bin/dash [ OK ]

[Press to continue]

Checking for rootkits...

Performing check of known rootkit files and directories
55808 Trojan - Variant A [ Not found ]
ADM Worm [ Not found ]
AjaKit Rootkit [ Not found ]
Adore Rootkit [ Not found ]
aPa Kit [ Not found ]
Apache Worm [ Not found ]
Ambient (ark) Rootkit [ Not found ]
Balaur Rootkit [ Not found ]
BeastKit Rootkit [ Not found ]
beX2 Rootkit [ Not found ]
BOBKit Rootkit [ Not found ]
cb Rootkit [ Not found ]
CiNIK Worm (Slapper.B variant) [ Not found ]
Danny-Boy's Abuse Kit [ Not found ]
Devil RootKit [ Not found ]
Dica-Kit Rootkit [ Not found ]
Dreams Rootkit [ Not found ]
Duarawkz Rootkit [ Not found ]
Enye LKM [ Not found ]
Flea Linux Rootkit [ Not found ]
FreeBSD Rootkit [ Not found ]
Fu Rootkit [ Not found ]
Fuck`it Rootkit [ Not found ]
GasKit Rootkit [ Not found ]
Heroin LKM [ Not found ]
HjC Kit [ Not found ]
ignoKit Rootkit [ Not found ]
iLLogiC Rootkit [ Not found ]
IntoXonia-NG Rootkit [ Not found ]
Irix Rootkit [ Not found ]
Kitko Rootkit [ Not found ]
Knark Rootkit [ Not found ]
ld-linuxv.so Rootkit [ Not found ]
Li0n Worm [ Not found ]
Lockit / LJK2 Rootkit [ Not found ]
Mood-NT Rootkit [ Not found ]
MRK Rootkit [ Not found ]
Ni0 Rootkit [ Not found ]
Ohhara Rootkit [ Not found ]
Optic Kit (Tux) Worm [ Not found ]
Oz Rootkit [ Not found ]
Phalanx Rootkit [ Not found ]
Phalanx2 Rootkit [ Not found ]
Phalanx2 Rootkit (extended tests) [ Not found ]
Portacelo Rootkit [ Not found ]
R3dstorm Toolkit [ Not found ]
RH-Sharpe's Rootkit [ Not found ]
RSHA's Rootkit [ Not found ]
Scalper Worm [ Not found ]
Sebek LKM [ Not found ]
Shutdown Rootkit [ Not found ]
SHV4 Rootkit [ Not found ]
SHV5 Rootkit [ Not found ]
Sin Rootkit [ Not found ]
Slapper Worm [ Not found ]
Sneakin Rootkit [ Not found ]
'Spanish' Rootkit [ Not found ]
Suckit Rootkit [ Not found ]
SunOS Rootkit [ Not found ]
SunOS / NSDAP Rootkit [ Not found ]
Superkit Rootkit [ Not found ]
TBD (Telnet BackDoor) [ Not found ]
TeLeKiT Rootkit [ Not found ]
T0rn Rootkit [ Not found ]
trNkit Rootkit [ Not found ]
Trojanit Kit [ Not found ]
Tuxtendo Rootkit [ Not found ]
URK Rootkit [ Not found ]
Vampire Rootkit [ Not found ]
VcKit Rootkit [ Not found ]
Volc Rootkit [ Not found ]
Xzibit Rootkit [ Not found ]
X-Org SunOS Rootkit [ Not found ]
zaRwT.KiT Rootkit [ Not found ]
ZK Rootkit [ Not found ]

Performing additional rootkit checks
Suckit Rookit additional checks [ OK ]
Checking for possible rootkit files and directories [ None found ]
Checking for possible rootkit strings [ None found ]

Performing malware checks
Checking running processes for suspicious files [ None found ]
Checking for login backdoors [ None found ]
Checking for suspicious directories [ None found ]
Checking for sniffer log files [ None found ]

Performing Linux specific checks
Checking loaded kernel modules [ OK ]
Checking kernel module names [ OK ]

[Press to continue]

Checking the network...

Performing checks on the network ports
Checking for backdoor ports [ None found ]
Checking for hidden ports [ Skipped ]

Performing checks on the network interfaces
Checking for promiscuous interfaces [ None found ]

Checking the local host...

Performing system boot checks
Checking for local host name [ Found ]
Checking for system startup files [ Found ]
Checking system startup files for malware [ None found ]

Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ None found ]
Checking for passwd file changes [ None found ]
Checking for group file changes [ None found ]
Checking root account shell history files [ None found ]

Performing system configuration file checks
Checking for SSH configuration file [ Not found ]
Checking for running syslog daemon [ Found ]
Checking for syslog configuration file [ Found ]
Checking if syslog remote logging is allowed [ Not allowed ]

Performing filesystem checks
Checking /dev for suspicious file types [ None found ]
Checking for hidden files and directories [ Warning ]

[Press to continue]

System checks summary
=====================

File properties checks...
Files checked: 132
Suspect files: 1

Rootkit checks...
Rootkits checked : 242
Possible rootkits: 0

Applications checks...
All checks skipped

The system checks took: 2 minutes and 34 seconds

All results have been written to the log file (/var/log/rkhunter.log)

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

Imagen de hikaro
+1
+1
-1

Según leí en un foro rkhunter tiende a provocar en scripts (Ruby, Python, Perl, bash, etc ..) en el directorio / usr / bin / usr / local / bin / bin o / sbin. Esto se debe a que los programas legítimos a menudo se intercambia con scripts, que son en el camino directo por lo que se ejecuta cuando un comando normal se ejecuta en un sistema comprometido. Sera esto ?

+1
+1
-1
Imagen de Goyo
+1
0
-1

¿Será esto qué? ¿Qué problema tienes?

+1
0
-1
Imagen de hikaro
+1
0
-1

el análisis de rkhunter me da esto
/usr/bin/unhide.rb [ Warning ]

+1
0
-1
Imagen de Goyo
+1
+1
-1

Y al final dice esto:

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

+1
+1
-1
Imagen de hikaro
+1
0
-1

como se comprueba?

+1
0
-1
Imagen de hikaro
+1
0
-1

y sale esto:
09:37:14] /usr/bin/unhide.rb [ Warning ]
[09:39:06] Checking for hidden files and directories [ Warning ]
[09:39:06] Warning: Hidden directory found: /etc/.java
[09:39:06] Warning: Hidden directory found: /dev/.udev
[09:39:06] Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'
[09:39:15]
[09:39:15] Info: Test 'apps' disabled at users request.
[09:39:15]
[09:39:15] System checks summary
[09:39:15] =====================
[09:39:15]
[09:39:15] File properties checks...
[09:39:15] Files checked: 132
[09:39:15] Suspect files: 1
[09:39:15]
[09:39:15] Rootkit checks...
[09:39:15] Rootkits checked : 242
[09:39:15] Possible rootkits: 0
[09:39:15]
[09:39:15] Applications checks...
[09:39:15] All checks skipped

+1
0
-1
Imagen de Goyo
+1
0
-1

Pues no explica por qué el archivo es sospechoso y yo no tengo idea.
El archivo pertenece a un paquete que se llama igual y se instala automáticamente con rkhunter porque es una recomendación.

http://packages.ubuntu.com/search?searchon=contents&keywords=unhide.rb&m...
http://packages.ubuntu.com/quantal/unhide.rb

PS. Sí, puede ser un falso positivo debido a lo que decías antes. Es que no entendía la traducción automática. En todo caso parece ser que le ocurre a todo el mundo aunque no tengan un rootkit.

+1
0
-1
Imagen de hikaro
+1
0
-1

gracias por tu ayuda

+1
0
-1
Imagen de itacense
+1
0
-1

Tengo el mismo problema. Parece, por la información, que me han dado en este foro los compañeros, que es "normal" ese warning cuando se hace una nueva instalación. Tras leer la última respuesta de Goyo y las que ma han dado otros compañeros del foro (http://www.ubuntu-es.org/node/182859#comment-519732) me quedo más tranquilo.

+1
0
-1
Imagen de Jose Luis 1320
+1
-1
-1

¿por que tanta paranoia? ¿será por el asunto del "Secure Boot"? eso del Secure boot es una total farsa.

+1
-1
-1

"Yo sólo se que no se nada"
-Sócrates, filósofo griego.
-Normas del foro