Could it be that "chkrootkit" just doesn't like .hmac, .packlist, and .relocation-tag files?

Question

I just cleaned up my hacked CentOS server (due to not updating since versino 5.3). But still, "chkrootkit" says this:

Possible t0rn v8 \(or variation\) rootkit installed

/usr/lib/.libfipscheck.so.1.1.0.hmac 
/usr/lib/.libgcrypt.so.11.hmac 
/usr/lib/.libfipscheck.so.1.hmac 
/lib/.libcrypto.so.0.9.8e.hmac 
/lib/.libssl.so.0.9.8e.hmac 
/lib/.libssl.so.6.hmac 
/lib/.libcrypto.so.6.hmac

/usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/Text/Iconv/.packlist 
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist 
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/HTML-Tree/.packlist 
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/Font/AFM/.packlist 
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/MLDBM/Sync/.packlist 
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/MLDBM/.packlist 
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/FreezeThaw/.packlist
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/Apache/ASP/.packlist 
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/HTML-Format/.packlist 

/usr/lib/gtk-2.0/immodules/.relocation-tag 
/usr/lib/python2.4/plat-linux2/.relocation-tag 
/usr/lib/python2.4/distutils/.relocation-tag 
/usr/lib/python2.4/config/.relocation-tag

Are these realy still infected?

Where did they come from? Who put them there? How do you know? If you can't answer that, since your system was compromised, it's best to wipe the whole thing and start over from scratch. — Michael Hampton, Oct 08 '12 at 17:40
For example, I've just reinstalled perl - however, "chkrootkit" still reports those files. — Danijel, Oct 08 '12 at 17:51
Nuke it? Of course not. I've fixed nearly all problems. Along with an OS upgrade - good enough for me. — Danijel, Oct 08 '12 at 21:56

score 2 · Answer 1 · answered Oct 08 '12 at 21:13

I don't believe at all in "cleaning up" a compromised server and consider the "nuke from orbit" option the only remedy.

Anyway, the only way to decide if these files are legitimate is to compare these files' checksums to those of known good files on a clean installation, but I think the fact that these library filenames are prepended by a . to hide them in a normal ls is more than enough reason to worry.

score 0 · Accepted Answer · answered Oct 08 '12 at 18:05

From www.chkrootkit.org:

"Q: chkrootkit is reporting some files and dirs as suspicious: .packlist, .cvsignore, etc. These are clearly false positives. Can't you ignore these?

A: Ignoring some files and dirs could impair chkrootkit's accuracy. An attacker might use this, since he knows that chkrootkit will ignore certain files and dirs."

Could it be that "chkrootkit" just doesn't like .hmac, .packlist, and .relocation-tag files?

2 Answers2