Help! Was I hacked?

I have a Fedora server. I upgraded everything using up2date and yum. Today I got these emails from chkrootkit and rootkithunter, which I have installed:

Rootkit Hunter 1.0.9 is running

Determining OS... Ready


Checking binaries
* Selftests
Strings (command) [ OK ]


* System tools
Info: prelinked files found
Performing 'known good' check...
/sbin/depmod [ BAD ]
/sbin/ifconfig [ OK ]
/sbin/init [ BAD ]
/sbin/insmod [ BAD ]
/sbin/ip [ BAD ]
/sbin/ksyms [ BAD ]
/sbin/lsmod [ BAD ]
/sbin/modinfo [ BAD ]
/sbin/modprobe [ BAD ]
/sbin/rmmod [ BAD ]
/bin/cat [ BAD ]
/bin/chown [ BAD ]
/bin/df [ BAD ]
/bin/echo [ BAD ]
/bin/egrep [ BAD ]
/bin/fgrep [ BAD ]
/bin/grep [ BAD ]
/bin/kill [ BAD ]
/bin/login [ BAD ]
/bin/ls [ BAD ]
/bin/more [ BAD ]
/bin/mount [ BAD ]
/bin/netstat [ OK ]
/bin/ps [ BAD ]
/bin/sort [ BAD ]
/bin/su [ BAD ]
/usr/bin/chattr [ BAD ]
/usr/bin/file [ BAD ]
/usr/bin/find [ OK ]
/usr/bin/kill [ BAD ]
/usr/bin/last [ BAD ]
/usr/bin/lastlog [ BAD ]
/usr/bin/less [ BAD ]
/usr/bin/logger [ BAD ]
/usr/bin/lsattr [ BAD ]
/usr/bin/md5sum [ BAD ]
/usr/bin/passwd [ BAD ]
/usr/bin/pstree [ BAD ]
/usr/bin/sha1sum [ BAD ]
/usr/bin/size [ BAD ]
/usr/bin/slocate [ BAD ]
/usr/bin/strace [ BAD ]
/usr/bin/strings [ BAD ]
/usr/bin/test [ BAD ]
/usr/bin/top [ BAD ]
/usr/bin/w [ BAD ]
/usr/bin/whereis [ BAD ]
/usr/bin/which [ BAD ]
/usr/bin/who [ BAD ]
/usr/sbin/chroot [ BAD ]
/usr/sbin/kudzu [ BAD ]
/usr/sbin/useradd [ BAD ]
/usr/sbin/vipw [ BAD ]
/usr/sbin/xinetd [ OK ]


Check rootkits
* Default files and directories
Rootkit '55808 Trojan - Variant A'... [ OK ]
Rootkit 'AjaKit'... [ OK ]
Rootkit 'aPa Kit'... [ OK ]
Rootkit 'Apache Worm'... [ OK ]
Rootkit 'Ambient (ark) Rootkit'... [ OK ]
Rootkit 'Balaur Rootkit'... [ OK ]
Rootkit 'BeastKit'... [ OK ]
Rootkit 'BOBKit'... [ OK ]
Rootkit 'CiNIK Worm (Slapper.B variant)'... [ OK ]
Rootkit 'Danny-Boy's Abuse Kit'... [ OK ]
Rootkit 'Devil RootKit'... [ OK ]
Rootkit 'Dica'... [ OK ]
Rootkit 'Dreams Rootkit'... [ OK ]
Rootkit 'Duarawkz'... [ OK ]
Rootkit 'Flea Linux Rootkit'... [ OK ]
Rootkit 'FreeBSD Rootkit'... [ OK ]
Rootkit '****`it Rootkit'... [ OK ]
Rootkit 'GasKit'... [ OK ]
Rootkit 'Heroin LKM'... [ OK ]
Rootkit 'HjC Kit'... [ OK ]
Rootkit 'ignoKit'... [ OK ]
Rootkit 'ImperalsS-FBRK'... [ OK ]
Rootkit 'Irix Rootkit'... [ OK ]
Rootkit 'Kitko'... [ OK ]
Rootkit 'Knark'... [ OK ]
Rootkit 'Li0n Worm'... [ OK ]
Rootkit 'Lockit / LJK2'... [ OK ]
Rootkit 'MRK'... [ OK ]
Rootkit 'RootKit for SunOS / NSDAP'... [ OK ]
Rootkit 'Optic Kit (Tux)'... [ OK ]
Rootkit 'Oz Rootkit'... [ OK ]
Rootkit 'Portacelo'... [ OK ]
Rootkit 'R3dstorm Toolkit'... [ OK ]
Sebek LKM [ OK ]
Rootkit 'Scalper Worm'... [ OK ]
Rootkit 'Shutdown'... [ OK ]
Rootkit 'SHV4'... [ OK ]
Rootkit 'Sin Rootkit'... [ OK ]
Rootkit 'Slapper'... [ OK ]
Rootkit 'Sneakin Rootkit'... [ OK ]
Rootkit 'Suckit Rootkit'... [ OK ]
Rootkit 'SunOS Rootkit'... [ OK ]
Rootkit 'Superkit'... [ OK ]
Rootkit 'TBD (Telnet BackDoor)'... [ OK ]
Rootkit 'TeLeKiT'... [ OK ]
Rootkit 'T0rn Rootkit'... [ OK ]
Rootkit 'Trojanit Kit'... [ OK ]
Rootkit 'Tuxtendo'... [ OK ]
Rootkit 'URK'... [ OK ]
Rootkit 'VcKit'... [ OK ]
Rootkit 'Volc Rootkit'... [ OK ]
Rootkit 'X-Org SunOS Rootkit'... [ OK ]
Rootkit 'zaRwT.KiT Rootkit'... [ OK ]

* Suspicious files and malware
Scanning for known rootkit files [ OK ]
Miscellaneous Login backdoors [ OK ]
Miscellaneous directories [ OK ]
Sniffer logs [ OK ]

* Trojan specific characteristics
shv4
Checking /etc/rc.d/rc.sysinit
Test 1 [ Clean ]
Test 2 [ Clean ]
Test 3 [ Clean ]
Checking /etc/inetd.conf [ Clean ]

* Suspicious file properties
chmod properties
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
Script replacements
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]

* OS dependant tests

Linux
Checking loaded kernel modules... [ OK ]


Networking
* Check: frequently used backdoors
Port 2001: Scalper Rootkit [ OK ]
Port 2006: CB Rootkit [ OK ]
Port 2128: MRK [ OK ]
Port 14856: Optic Kit (Tux) [ OK ]
Port 47107: T0rn Rootkit [ OK ]
Port 60922: zaRwT.KiT [ OK ]

* Interfaces
Scanning for promiscuous interfaces [ OK ]


System checks
* Allround tests
Checking hostname... Found. Hostname is xxxxxxx
Checking for differences in user accounts... OK. No changes.
Checking for differences in user groups... OK. No changes.
Checking rc.local file...
- /etc/rc.local [ OK ]
- /etc/rc.d/rc.local [ OK ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]
Checking rc.d files...
Processing........................................
........................................
........................................
........................................
........................................
........................................
........................................
........................................
........................................
........................................
...........
Result rc.d files check [ OK ]
Checking history files
Bourne Shell [ OK ]

* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ OK ]


Security advisories
* Check: Groups and Accounts
Searching for /etc/passwd... [ Found ]
Checking users with UID '0' (root)... [ OK ]

* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
Hint: see logfile for more information
info:
Hint: See logfile for more information about this issue
Checking for allowed protocols... [ OK (Only SSH2 allowed) ]

* Check: Events and Logging
Search for syslog configuration... found
Checking for running syslog slave... [ OK ]
Checking for logging to remote system... [ OK (no remote logging) ]


---------------------------- Scan results ----------------------------

MD5
MD5 compared: 79
Incorrect MD5 checksums: 50

File scan
Scanned files: 307
Possible infected files: 0
Possible rootkits:

Scanning took 48 seconds
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/Digest/MD5/.packlist /usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/Digest/.packlist /usr/lib/perl5/5.8.1/i386-linux-
thread-multi/auto/File/Spec/.packlist /usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/MIME/Base64/.packlist /usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/
Storable/.packlist /usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/Time/HiRes/.packlist /usr/lib/perl5/5.8.1/i386-linux-thread-multi/auto/Net/.packlist /usr/lib/perl5/
5.8.1/i386-linux-thread-multi/auto/CGI/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Compress/Zlib/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-
linux-thread-multi/auto/Archive/Tar/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Archive/Zip/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-
thread-multi/auto/Net/Telnet/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Net/Daemon/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-
multi/auto/Net/SSLeay/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Net/AIM/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/
Net/DNS/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Term/ReadKey/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Term/
ReadLine/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Mail/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Mail/
SpamAssassin/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/IO-stringy/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/MIME-
tools/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/RPC/PlServer/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/DBI/.packlist
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/DBI/Shell/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/DBD/Multiplex/.packlist /usr/
lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/DBD/mysql/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/IO/Tee/.packlist /usr/lib/perl5/
site_perl/5.8.1/i386-linux-thread-multi/auto/IO/Stty/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/IO/Tty/.packlist /usr/lib/perl5/site_perl/5.8.1/
i386-linux-thread-multi/auto/IO/Zlib/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Text/Reform/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-
thread-multi/auto/Text/Query/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Text/CSV_XS/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-
multi/auto/URI/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/HTML/Parser/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/HTML/
FillInForm/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/HTML/Clean/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/HTML/
SimpleParse/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/libwww-perl/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Parse/
RecDescent/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/OLE/Storage_Lite/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/
Image/Size/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Safe/Hole/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Tie/
ShadowHash/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Tie/Watch/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Tie/
IxHash/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Business/UPS/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Business/
OnlinePayment/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Business/OnlinePayment/AuthorizeNet/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-
thread-multi/auto/Spreadsheet/ParseExcel/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Spreadsheet/WriteExcel/.packlist /usr/lib/perl5/site_perl/
5.8.1/i386-linux-thread-multi/auto/Convert/ASN1/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Convert/BER/.packlist /usr/lib/perl5/site_perl/5.8.1/
i386-linux-thread-multi/auto/perl-ldap/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/MLDBM/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-
thread-multi/auto/MLDBM/Sync/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Devel/Symdump/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-
multi/auto/XML/Parser/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/XML/XSLT/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/
Persistent/Base/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Persistent/DBI/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/
Crypt/Blowfish/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Crypt/Blowfish_PP/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/
auto/Crypt/CBC/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Crypt/DES/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Crypt/
SSLeay/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Data/ShowTable/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/
GD/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/GD/Text/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/GD/Graph/.packlist /
usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/GD/Graph3d/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/SOAP/Lite/.packlist /usr/lib/
perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/SQL/Statement/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Tree/MultiNode/.packlist /usr/lib/
perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/RRDp/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/RRDs/.packlist /usr/lib/perl5/site_perl/5.8.1/
i386-linux-thread-multi/auto/MD5/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi/auto/Digest/SHA1/.packlist /usr/lib/perl5/site_perl/5.8.1/i386-linux-
thread-multi/auto/Digest/HMAC/.packlist /usr/lib/perl5/5.8.3/i386-linux-thread-multi/.packlist /usr/lib/perl5/5.8.3/i386-linux-thread-multi/auto/MIME/Base64/.packlist /usr/
lib/perl5/5.8.3/i386-linux-thread-multi/auto/Storable/.packlist /usr/lib/perl5/5.8.3/i386-linux-thread-multi/auto/CGI/.packlist /usr/lib/perl5/5.8.3/i386-linux-thread-
multi/auto/Net/.packlist /usr/lib/php/.registry /usr/lib/php/.lock /usr/lib/php/.filemap
/usr/lib/php/.registry
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit ... nothing found
Searching for Romanian rootkit ... nothing found
Searching for HKRK rootkit ... nothing found
Searching for Suckit rootkit ... nothing found
Searching for Volc rootkit ... nothing found
Searching for Gold2 rootkit ... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for anomalies in shell history files... Warning: `//root/.mysql_history' file size is zero
nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... Checking `rexedcs'... not found
Checking `sniffer'... not tested: can't exec ./ifpromisc
Checking `w55808'... not infected
Checking `wted'... not tested: can't exec ./chkwtmp
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... not tested: can't exec ./chklastlog

rootkithunter is showing that many files changed. I also got an email from /scripts/hackcheck showing that netstat, ps, etc/password, etc files (all that rootkithunter shows) have changed. I've searched logs and everything. I can't find any signs of a hacker.

When I run "nmap localhost," I get the following results:

Starting nmap 3.48 at 2004-05-27 09:24 MDT
Interesting ports on localhost (127.0.0.1):
(The 1639 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
1/tcp open tcpmux
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop-3
111/tcp open rpcbind
143/tcp open imap
443/tcp open https
465/tcp open smtps
783/tcp open hp-alarm-mgr
953/tcp open rndc
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
6666/tcp open irc-serv
10000/tcp open snet-sensor-mgmt

Nmap run completed -- 1 IP address (1 host up) scanned in 3.048 seconds

But I have APF installed and running with

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2083,2087,2096"

Help! Was I hacked? How are all those ports open?

Please help me find what is wrong. Is it just because I updated my server? I upgrade other Fedora servers with up2date. They don't show [BAD] in rootkithunter results.

Much thanks. Help! Was I hacked?
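
Added example (not part of the original post or of any tool named in it): the Python below cross-references three pieces of output quoted above, the `nmap localhost` table, APF's `IG_TCP_CPORTS` line and chkrootkit's bindshell line, to list which locally listening ports fall outside the ingress list and what nmap calls the port chkrootkit flagged. The function names are this example's own; nmap's SERVICE column here is a lookup by port number, not identification of the process that is listening.

```python
import re

# Input copied from the post above: nmap's port table, APF's ingress list
# and chkrootkit's bindshell line.
NMAP_OUTPUT = """\
PORT STATE SERVICE
1/tcp open tcpmux
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop-3
111/tcp open rpcbind
143/tcp open imap
443/tcp open https
465/tcp open smtps
783/tcp open hp-alarm-mgr
953/tcp open rndc
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
6666/tcp open irc-serv
10000/tcp open snet-sensor-mgmt
"""
APF_LINE = 'IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2083,2087,2096"'
CHKROOTKIT_LINE = "Checking `bindshell'... INFECTED (PORTS: 465)"

def parse_nmap(text):
    """Return {port: service_name} for every open TCP port in nmap's table."""
    return {int(p): s for p, s in re.findall(r"^(\d+)/tcp\s+open\s+(\S+)", text, re.M)}

def parse_apf(line):
    # Plain port numbers only; entries in any other form are skipped.
    value = line.split("=", 1)[1].strip().strip('"')
    return {int(p) for p in value.split(",") if p.strip().isdigit()}

def parse_bindshell(line):
    """Return the set of ports chkrootkit's bindshell test reported."""
    m = re.search(r"INFECTED \(PORTS:\s*([\d\s]+)\)", line)
    return {int(p) for p in m.group(1).split()} if m else set()

def triage(nmap_text, apf_line, chk_line):
    listening = parse_nmap(nmap_text)
    allowed = parse_apf(apf_line)
    flagged = parse_bindshell(chk_line)
    return {
        "listening_not_allowed": sorted(set(listening) - allowed),
        "allowed_not_listening": sorted(allowed - set(listening)),
        "flagged": {p: listening.get(p, "not listening") for p in sorted(flagged)},
    }

if __name__ == "__main__":
    print(triage(NMAP_OUTPUT, APF_LINE, CHKROOTKIT_LINE))
```

Each port in `listening_not_allowed` still needs its owning process confirmed on the host, and a scan from an external address shows what the firewall actually exposes.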

 

 

 

 
