
#1 On 03/03/2015 at 18:40

Geronimo12

help: rootkit / worm infection

Hello,

I've just done what is shown here: http://doc.ubuntu-fr.org/rootkit

with Rkhunter, I got this:

Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text
Warning: User 'postfix' has been added to the passwd file.
Warning: Group 'postfix' has been added to the group file.
Warning: Group 'postdrop' has been added to the group file.
Warning: Suspicious file types found in /dev:
         /dev/.udev/rules.d/root.rules: ASCII text
Warning: Hidden directory found: /etc/.java: directory 
Warning: Hidden directory found: /dev/.udev: directory 
Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs' 
ixblanco@ixblanco-K53U:~$ 
ixblanco@ixblanco-K53U:~$ sudo rkhunter --propupd
[ Rootkit Hunter version 1.4.0 ]
File updated: searched for 168 files, found 135

with chkrootkit, I got this:

sudo apt-get install chkrootkit
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances       
Lecture des informations d'état... Fait
Les NOUVEAUX paquets suivants seront installés :
  chkrootkit
0 mis à jour, 1 nouvellement installés, 0 à enlever et 1 non mis à jour.
Il est nécessaire de prendre 319 ko dans les archives.
Après cette opération, 1 054 ko d'espace disque supplémentaires seront utilisés.
Réception de : 1 http://fr.archive.ubuntu.com/ubuntu/ trusty-updates/main chkrootkit amd64 0.49-4.1ubuntu1.14.04.1 [319 kB]
319 ko réceptionnés en 0s (999 ko/s)
Préconfiguration des paquets...
Sélection du paquet chkrootkit précédemment désélectionné.
(Lecture de la base de données... 198735 fichiers et répertoires déjà installés.)
Préparation du dépaquetage de .../chkrootkit_0.49-4.1ubuntu1.14.04.1_amd64.deb ...
Dépaquetage de chkrootkit (0.49-4.1ubuntu1.14.04.1) ...
Traitement des actions différées (« triggers ») pour man-db (2.6.7.1-1ubuntu1) ...
Paramétrage de chkrootkit (0.49-4.1ubuntu1.14.04.1) ...
ixblanco@ixblanco-K53U:~$  sudo chkrootkit -q

/usr/lib/python2.7/dist-packages/PyQt4/uic/widget-plugins/.noinit /usr/lib/jvm/.java-1.6.0-openjdk-amd64.jinfo

Warning: /sbin/init INFECTED
eth0: PACKET SNIFFER(/sbin/dhclient[1100])
user ixblanco deleted or never logged from lastlog!
 The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         1152 tty7   /usr/bin/X -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch

can you help me?

I'd really like to run the others (lynis, tiger) but I think I'm infected here? no?

Last edited by Geronimo12 (03/03/2015 at 19:33)


MSI GP60 Leopard, Ubuntu 24.04 LTS Budgie 10.9.1, kernel 6.8.0-35, Intel Core i5-4210H CPU @ 2.90GHz x 4 processor, 7.7 GB RAM, Intel Corporation 4th Gen Core processor integrated graphics controller graphics card, Nvidia GTX950M, with 120 GB mSATA SSD

#2 On 03/03/2015 at 21:26

J5012

Re: help: rootkit / worm infection

give the output of:

cat /etc/rkhunter.conf

http://doc.ubuntu-fr.org/rkhunter


#3 On 03/03/2015 at 22:45

Geronimo12

Re: help: rootkit / worm infection

thanks, here it is:

#
#ALLOWHIDDENDIR="/etc/.java"
#ALLOWHIDDENDIR="/dev/.static"
#ALLOWHIDDENDIR="/dev/.SRC-unix"
#ALLOWHIDDENDIR="/etc/.etckeeper"

#
# Allow the specified hidden files to be whitelisted.
#
# This is a space-separated list of filenames. The option may
# be specified more than once. The option may use wildcard
# characters.
# 
#ALLOWHIDDENFILE="/etc/.java"
#ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz"
#ALLOWHIDDENFILE="/etc/.pwd.lock"
#ALLOWHIDDENFILE="/etc/.init.state"
#ALLOWHIDDENFILE="/lib/.libcrypto.so.0.9.8e.hmac /lib/.libcrypto.so.6.hmac"
#ALLOWHIDDENFILE="/lib/.libssl.so.0.9.8e.hmac /lib/.libssl.so.6.hmac"
#ALLOWHIDDENFILE="/usr/bin/.fipscheck.hmac"
#ALLOWHIDDENFILE="/usr/bin/.ssh.hmac"
#ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.1.0.hmac"
#ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.hmac"
#ALLOWHIDDENFILE="/usr/lib/.libgcrypt.so.11.hmac"
#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha1hmac.hmac"
#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha256hmac.hmac"
#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha384hmac.hmac"
#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha512hmac.hmac"
#ALLOWHIDDENFILE="/usr/sbin/.sshd.hmac"
#ALLOWHIDDENFILE="/usr/share/man/man5/.k5login.5.gz"
#ALLOWHIDDENFILE="/etc/.gitignore"
#ALLOWHIDDENFILE="/etc/.bzrignore"

#
# Allow the specified processes to use deleted files. The
# process name may be followed by a colon-separated list of
# full pathnames. The process will then only be whitelisted
# if it is using one of the given files. For example:
#
#     ALLOWPROCDELFILE="/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz"
#
# This is a space-separated list of process names. The option
# may be specified more than once. The option may use wildcard
# characters, but only in the file names.
#
#ALLOWPROCDELFILE="/sbin/cardmgr /usr/sbin/gpm:/etc/X11/abc"
#ALLOWPROCDELFILE="/usr/lib/libgconf2-4/gconfd-2"
#ALLOWPROCDELFILE="/usr/sbin/mysqld:/tmp/ib*"
#ALLOWPROCDELFILE="/usr/lib/iceweasel/firefox-bin"
#ALLOWPROCDELFILE="/usr/bin/file-roller"

#
# Allow the specified processes to listen on any network interface.
#
# This is a space-separated list of process names. The option
# may be specified more than once.
#
#ALLOWPROCLISTEN="/sbin/dhclient /usr/bin/dhcpcd"
#ALLOWPROCLISTEN="/usr/sbin/pppoe /usr/sbin/tcpdump"
#ALLOWPROCLISTEN="/usr/sbin/snort-plain"

#
# Allow the specified network interfaces to be in promiscuous mode.
#
# This is a space-separated list of interface names. The option may
# be specified more than once.
#
#ALLOWPROMISCIF="eth0"

#
# SCAN_MODE_DEV governs how we scan '/dev' for suspicious files.
# The two allowed options are: THOROUGH or LAZY.
# If commented out we do a THOROUGH scan which will increase the runtime.
# Even though this adds to the running time it is highly recommended to
# leave it like this.
#
#SCAN_MODE_DEV=THOROUGH

#
# The PHALANX2_DIRTEST option is used to indicate if the Phalanx2 test is to
# perform a basic check, or a more thorough check. If the option is set to 0,
# then a basic check is performed. If it is set to 1, then all the directories
# in the /etc and /usr directories are scanned. The default value is 0. Users
# should note that setting this option to 1 will cause the test to take longer
# to complete.
#
PHALANX2_DIRTEST=0

#
# Allow the specified files to be present in the /dev directory,
# and not regarded as suspicious.
#
# This is a space-separated list of pathnames. The option may
# be specified more than once. The option may use wildcard
# characters.
#
#ALLOWDEVFILE="/dev/shm/pulse-shm-*"
#ALLOWDEVFILE="/dev/shm/sem.ADBE_*"

#
# This setting tells rkhunter where the inetd configuration
# file is located.
#
#INETD_CONF_PATH=/etc/inetd.conf

#
# Allow the following enabled inetd services.
#
# This is a space-separated list of service names. The option may
# be specified more than once.
#
# For non-Solaris users the simple service name should be used.
# For example:
#
#     INETD_ALLOWED_SVC=echo
#
# For Solaris 9 users the simple service name should also be used, but
# if it is an RPC service, then the executable pathname should be used.
# For example:
#
#     INETD_ALLOWED_SVC=imaps
#     INETD_ALLOWED_SVC="/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd"
#
# For Solaris 10 users the service/FMRI name should be used. For example:
#
#     INETD_ALLOWED_SVC=/network/rpc/meta
#     INETD_ALLOWED_SVC=/network/rpc/metamed
#     INETD_ALLOWED_SVC=/application/font/stfsloader
#     INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord
#
#INETD_ALLOWED_SVC=echo

#
# This setting tells rkhunter where the xinetd configuration
# file is located.
#
#XINETD_CONF_PATH=/etc/xinetd.conf

#
# Allow the following enabled xinetd services. Whilst it would be
# nice to use the service names themselves, at the time of testing
# we only have the pathname available. As such, these entries are
# the xinetd file pathnames.
#
# This is a space-separated list of service names. The option may
# be specified more than once.
#
#XINETD_ALLOWED_SVC=/etc/xinetd.d/echo

#
# This option tells rkhunter the local system startup file pathnames.
# The directories will be searched for files. By default rkhunter
# will use certain filenames and directories. If the option is set
# to 'none', then certain tests will be skipped.
#
# This is a space-separated list of file and directory pathnames.
# The option may be specified more than once. The option may use
# wildcard characters.
#
#STARTUP_PATHS="/etc/init.d /etc/rc.local"

#
# This setting tells rkhunter the pathname to the file containing the
# user account passwords. This setting will be worked out by rkhunter,
# and so should not usually need to be set. Users of TCB shadow files
# should not set this option.
#
#PASSWORD_FILE=/etc/shadow

#
# Allow the following accounts to be root equivalent. These accounts
# will have a UID value of zero. The 'root' account does not need to
# be listed as it is automatically whitelisted.
#
# This is a space-separated list of account names. The option may
# be specified more than once.
#
# NOTE: For *BSD systems you will probably need to use this option
# for the 'toor' account.
#
#UID0_ACCOUNTS="toor rooty sashroot"

#
# Allow the following accounts to have no password. NIS/YP entries do
# not need to be listed as they are automatically whitelisted.
#
# This is a space-separated list of account names. The option may
# be specified more than once.
#
#PWDLESS_ACCOUNTS="abc"

#
# This setting tells rkhunter the pathname to the syslog configuration
# file. This setting will be worked out by rkhunter, and so should not
# usually need to be set. A value of 'NONE' can be used to indicate
# that there is no configuration file, but that the syslog daemon process
# may be running.
#
# This is a space-separated list of pathnames. The option may
# be specified more than once.
#
#SYSLOG_CONFIG_FILE=/etc/syslog.conf

#
# This option permits the use of syslog remote logging.
#
ALLOW_SYSLOG_REMOTE_LOGGING=0

#
# Allow the following applications, or a specific version of an application,
# to be whitelisted. This option may be specified more than once, and is a
# space-separated list consisting of the application names. If a specific
# version is to be whitelisted, then the name must be followed by a colon
# and then the version number. For example:
#
#     APP_WHITELIST="openssl:0.9.7d gpg httpd:1.3.29"
#
# Note above that for the Apache web server, the name 'httpd' is used.
#
#APP_WHITELIST=""

# 
# Scan for suspicious files in directories containing temporary files and
# directories posing a relatively higher risk due to user write access.
# Please do not enable by default as suspscan is CPU and I/O intensive and prone to
# producing false positives. Do review all settings before usage.
# Also be aware that running suspscan in combination with verbose logging on,
# RKH's default, will show all ignored files.
# Please consider adding all directories the user the (web)server runs as has 
# write access to including the document root (example: "/var/www") and log
# directories (example: "/var/log/httpd"). 
#
# This is a space-separated list of directory pathnames.
# The option may be specified more than once.
#
#SUSPSCAN_DIRS="/tmp /var/tmp"

#
# Directory for temporary files. A memory-based one is better (faster).
# Do not use a directory name that is listed in SUSPSCAN_DIRS.
# Please make sure you have a tempfs mounted and the directory exists.
#
SUSPSCAN_TEMP=/dev/shm

#
# Maximum filesize in bytes. Files larger than this will not be inspected.
# Do make sure you have enough space left in your temporary files directory.
#
SUSPSCAN_MAXSIZE=10240000

#
# Score threshold. Below this value no hits will be reported.
# A value of "200" seems "good" after testing on malware. Please adjust
# locally if necessary. 
#
SUSPSCAN_THRESH=200

#
# The following option can be used to whitelist network ports which
# are known to have been used by malware. This option may be specified
# more than once. The option is a space-separated list of one or more
# of four types of whitelisting. These are:
#
#   1) a 'protocol:port' pair       (e.g. TCP:25)
#   2) a pathname to an executable  (e.g. /usr/sbin/squid)
#   3) a combined pathname, protocol and port
#                                   (e.g. /usr/sbin/squid:TCP:3801)
#   4) an asterisk ('*')
#
# Only the UDP or TCP protocol may be specified, and the port number
# must be between 1 and 65535 inclusive.
#
# The asterisk can be used to indicate that any executable which rkhunter
# can locate as a command, is whitelisted. (See BINDIR in this file.)
#
# For example:
#
#     PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011"
#
# NOTE: In order to whitelist a pathname, or use the asterisk option,
# the 'lsof' command must be present.
#
#PORT_WHITELIST=""

#
# The following option can be used to tell rkhunter where the operating
# system 'release' file is located. This file contains information
# specifying the current O/S version. RKH will store this information
# itself, and check to see if it has changed between each run. If it has
# changed, then the user is warned that RKH may issue warning messages
# until RKH has been run with the '--propupd' option.
#
# Since the contents of the file vary according to the O/S distribution,
# RKH will perform different actions when it detects the file itself. As
# such, this option should not be set unless necessary. If this option is
# specified, then RKH will assume the O/S release information is on the
# first non-blank line of the file.
#
#OS_VERSION_FILE="/etc/debian_version"

#
# The following two options can be used to whitelist files and directories
# that would normally be flagged with a warning during the various rootkit
# and malware checks. If the file or directory name contains a space, then
# the percent character ('%') must be used instead. Only existing files and
# directories can be specified, and these must be full pathnames not links.
#
# Additionally, the RTKT_FILE_WHITELIST option may include a string after the
# file name (separated by a colon). This will then only whitelist that string
# in that file (as part of the malware checks). For example:
#
#     RTKT_FILE_WHITELIST="/etc/rc.local:hdparm"
#
# If the option list includes the filename on its own as well, then the file
# will be whitelisted from rootkit checks of the files existence, but still
# only the specific string within the file will be whitelisted. For example:
#
#     RTKT_FILE_WHITELIST="/etc/rc.local:hdparm /etc/rc.local"
#
# To whitelist a file from the existence checks, but not from the strings
# checks, then include the filename on its own and on its own but with
# just a colon appended. For example:
#
#     RTKT_FILE_WHITELIST="/etc/rc.local /etc/rc.local:"
#
# NOTE: It is recommended that if you whitelist any files, then you include
# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
# configuration option.
#
# These are space-separated lists of file and directory pathnames.
# The options may be specified more than once.
#
#RTKT_DIR_WHITELIST=""
#RTKT_FILE_WHITELIST=""

#
# The following option can be used to whitelist shared library files that would
# normally be flagged with a warning during the preloaded shared library check.
# These library pathnames usually exist in the '/etc/ld.so.preload' file or in
# the LD_PRELOAD environment variable.
#
# NOTE: It is recommended that if you whitelist any files, then you include
# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS
# configuration option.
#
# This is a space-separated list of library pathnames.
# The option may be specified more than once.
#
#SHARED_LIB_WHITELIST="/lib/snoopy.so"

#
# To force rkhunter to use the supplied script for the 'stat' or 'readlink'
# command, then the following two options can be used. The value must be
# set to 'BUILTIN'.
#
# NOTE: IRIX users will probably need to enable STAT_CMD.
#
#STAT_CMD=BUILTIN
#READLINK_CMD=BUILTIN

#
# In the file properties test any modification date/time is displayed as the
# number of epoch seconds. Rkhunter will try and use the 'date' command, or
# failing that the 'perl' command, to display the date and time in a
# human-readable format as well. This option may be used if some other command
# should be used instead. The given command must understand the '%s' and
# 'seconds ago' options found in the GNU date command.
#
# A value of 'NONE' may be used to request that only the epoch seconds be shown.
# A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if
# it is present.
#
#EPOCH_DATE_CMD=""

#
# This setting tells rkhunter the directory containing the available
# Linux kernel modules. This setting will be worked out by rkhunter,
# and so should not usually need to be set.
#
#MODULES_DIR=""

#
# The following option can be set to a command which rkhunter will use when
# downloading files from the Internet - that is, when the '--update' or
# '--versioncheck' option is used. The command can take options.
#
# This allows the user to use a command other than the one automatically
# selected by rkhunter, but still one which it already knows about.
# For example:
#
#     WEB_CMD=curl
#
# Alternatively, the user may specify a completely new command. However, note
# that rkhunter expects the downloaded file to be written to stdout, and that
# everything written to stderr is ignored. For example:
#
#     WEB_CMD="/opt/bin/dlfile --timeout 5m -q"
#
# *BSD users may want to use the 'ftp' command, provided that it supports
# the HTTP protocol:
#
#     WEB_CMD="ftp -o -"
#
#WEB_CMD=""

#
# Set the following option to 0 if you do not want to receive a warning if
# any O/S information has changed since the last run of 'rkhunter --propupd'.
# The warnings occur during the file properties check. The default is to
# issue a warning if something has changed.
#
#WARN_ON_OS_CHANGE=1

#
# Set the following option to 1 if you want rkhunter to automatically run
# a file properties update ('--propupd') if the O/S has changed. Detection
# of an O/S change occurs during the file properties check. The default is
# not to do an automatic update.
#
# WARNING: Only set this option if you are sure that the update will work
# correctly. That is, that the database directory is writeable, that a valid
# hash function is available, and so on. This can usually be checked simply
# by running 'rkhunter --propupd' at least once.
#
#UPDT_ON_OS_CHANGE=0

#
# Set the following option to 1 if locking is to be used when rkhunter runs.
# The lock is set just before logging starts, and is removed when the program
# ends. It is used to prevent items such as the log file, and the file
# properties file, from becoming corrupted if rkhunter is running more than
# once. The mechanism used is to simply create a lock file in the TMPDIR
# directory. If the lock file already exists, because rkhunter is already
# running, then the current process simply loops around sleeping for 10 seconds
# and then retrying the lock.
#
# The default is not to use locking.
#
USE_LOCKING=0

#
# If locking is used, then rkhunter may have to wait to get the lock file.
# This option sets the total amount of time, in seconds, that rkhunter should
# wait. It will retry the lock every 10 seconds, until either it obtains the
# lock or the timeout value has been reached. If no value is set, then a
# default of 300 seconds (5 minutes) is used.
#
LOCK_TIMEOUT=300

#
# If locking is used, then rkhunter may be doing nothing for some time if it
# has to wait for the lock. Some simple messages are echo'd to the users screen
# to let them know that rkhunter is waiting for the lock. Set this option to 0
# if the messages are not to be displayed. The default is to show them.
#
SHOW_LOCK_MSGS=1

#
# If the option SCANROOTKITMODE is set to "THOROUGH" the scanrootkit() function
# will search (on a per rootkit basis) for filenames in all of the directories (as defined
# by the result of running 'find / -xdev'). While still not optimal, as it 
# still searches for only file names as opposed to file contents, this is one step away
# from the rigidity of searching in known (evidence) or default (installation) locations.
#
# THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT.
#
# You should only activate this feature as part of a more thorough investigation which
# should be based on relevant best practices and procedures. 
#
# Enabling this feature implies you have the knowledge to interpret the results properly. 
#
#SCANROOTKITMODE=THOROUGH

#
# The following option can be set to the name(s) of the tests the 'unhide' command is
# to use. In order to maintain compatibility with older versions of 'unhide', this
# option defaults to 'sys'. Options such as '-m' and '-v' may also be specified, but
# will only take effect when they are seen. The test names are a space-separated list,
# and will be executed in the order given.
#
#UNHIDE_TESTS="sys"

#
# If both the C 'unhide', and Ruby 'unhide.rb', programs exist on the system, then it
# is possible to disable the execution of one of the programs if desired. By default
# rkhunter will look for both programs, and execute each of them as they are found.
# If the value of this option is 0, then both programs will be executed if they are
# present. A value of 1 will disable execution of the C 'unhide' program, and a value
# of 2 will disable the Ruby 'unhide.rb' program. The default value is 0. To disable
# both programs, then disable the 'hidden_procs' test.
#
DISABLE_UNHIDE=1

INSTALLDIR="/usr"


#4 On 03/03/2015 at 22:46

Geronimo12

Re: help: rootkit / worm infection

and my clamav scan gave this:

---------- SCAN SUMMARY -----------
Known viruses: 3756234
Engine version: 0.98.6
Scanned directories: 30747
Scanned files: 163748
Infected files: 44
Total errors: 18726
Data scanned: 21860.10 MB
Data read: 275836.97 MB (ratio 0.08:1)
Time: 9745.212 sec (162 m 25 s)


but I don't know what to do with these results???



#5 On 04/03/2015 at 09:14

tiramiseb

Re: help: rootkit / worm infection

Hi,

Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text
Warning: User 'postfix' has been added to the passwd file.
Warning: Group 'postfix' has been added to the group file.
Warning: Group 'postdrop' has been added to the group file.
Warning: Suspicious file types found in /dev:
         /dev/.udev/rules.d/root.rules: ASCII text
Warning: Hidden directory found: /etc/.java: directory 
Warning: Hidden directory found: /dev/.udev: directory 
Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs' 

All of these things are normal, absolutely nothing to worry about.

rkhunter doesn't only give "true positives"; it raises alerts that you are expected to be able to understand if you use this software. In this case, all of these alerts only concern normal behaviour of the system. rkhunter isn't able to tell what is normal and what isn't.

Warning: /sbin/init INFECTED

Here I wonder what it means. Perhaps simply that chkrootkit doesn't understand what is normal and what isn't.
What does the following command give?

file /sbin/init

eth0: PACKET SNIFFER(/sbin/dhclient[1100])

Nah, that's not a sniffer, it's your DHCP client. False alarm.

user ixblanco deleted or never logged from lastlog!

Who is this user ixblanco? Does that ring a bell? What this message says is that there is this user on your computer and that they seem never to have logged in (which could mean that someone may have tried to erase their traces).

 The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         1152 tty7   /usr/bin/X -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch

Well, root's tty7 is normal, it's your graphical environment. False alarm.

------------

In short, these programs are not tools for "end users" because they don't tell the difference between normal situations and intrusions: they just output what may look like alerts, and it's then up to you to sort the true from the false.


#6 On 04/03/2015 at 09:54

Geronimo12

Re: help: rootkit / worm infection

thanks a lot for your super clear answer Tiramiseb,

here is the response to the command: file /sbin/init
/sbin/init: ELF 64-bit LSB  shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=7a4c688d009fc1f06ffc692f5f42ab09e68582b2, stripped


as for ixblanco, that's my username, the one I always log in with??? I don't understand??



#7 On 04/03/2015 at 10:02

tiramiseb

Re: help: rootkit / worm infection

/sbin/init: ELF 64-bit LSB  shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=7a4c688d009fc1f06ffc692f5f42ab09e68582b2, stripped

That looks fine.

as for ixblanco, that's my username, the one I always log in with??? I don't understand??

What does the following command give?

last ixblanco

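The `file` check above only shows that /sbin/init is a normal-looking ELF binary; a stronger check of a binary chkrootkit reports as INFECTED is to compare it with what its package actually shipped. The following is an added example (not from the thread, chkrootkit or dpkg): it reproduces what debsums does, reading the MD5 that dpkg recorded in /var/lib/dpkg/info/<package>.md5sums and comparing it with the file on disk, and runs the comparison on a constructed stand-in for /sbin/init in a temporary directory.

```python
import glob
import hashlib
import os
import tempfile

DPKG_INFO_DIR = "/var/lib/dpkg/info"  # where dpkg keeps <package>.md5sums


def parse_md5sums(text: str) -> dict[str, str]:
    """Parse '<md5>  <relative path>' lines from a dpkg .md5sums file into
    {'/absolute/path': md5}. Paths in those files carry no leading slash."""
    table: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, rel = line.partition("  ")
        table["/" + rel.strip()] = digest.strip().lower()
    return table


def load_dpkg_md5sums(info_dir: str = DPKG_INFO_DIR) -> dict[str, str]:
    """Merge every <package>.md5sums under info_dir (on a real Debian/Ubuntu host)."""
    table: dict[str, str] = {}
    for name in glob.glob(os.path.join(info_dir, "*.md5sums")):
        with open(name, encoding="utf-8", errors="replace") as fh:
            table.update(parse_md5sums(fh.read()))
    return table


def md5_of_file(path: str) -> str:
    h = hashlib.md5()  # dpkg records MD5, so MD5 is what must be compared
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path: str, md5sums: dict[str, str], root: str = "/") -> str:
    """Verdict for one absolute path: 'ok', 'modified', 'missing', or
    'unpackaged' when no md5sums entry exists (file not owned by a package,
    or a symlink/conffile, which dpkg does not list)."""
    if path not in md5sums:
        return "unpackaged"
    on_disk = os.path.join(root, path.lstrip("/"))
    if not os.path.isfile(on_disk):
        return "missing"
    return "ok" if md5_of_file(on_disk) == md5sums[path] else "modified"


def demo() -> dict[str, str]:
    """Constructed scenario in a temp dir: a stand-in sbin/init with a matching
    md5sums entry, then the same file after tampering, then an unlisted path."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sbin"))
        init_path = os.path.join(root, "sbin", "init")
        with open(init_path, "wb") as fh:
            fh.write(b"\x7fELF constructed stand-in for /sbin/init\n")
        # What the owning package's md5sums file would say for this (fake) binary.
        table = parse_md5sums(f"{md5_of_file(init_path)}  sbin/init\n")
        verdicts = {"pristine": verify_file("/sbin/init", table, root)}
        with open(init_path, "ab") as fh:
            fh.write(b"appended bytes change the digest\n")
        verdicts["tampered"] = verify_file("/sbin/init", table, root)
        verdicts["unlisted"] = verify_file("/sbin/dhclient", table, root)
    return verdicts


if __name__ == "__main__":
    print(demo())  # {'pristine': 'ok', 'tampered': 'modified', 'unlisted': 'unpackaged'}
    if os.path.isdir(DPKG_INFO_DIR):  # real host: check the actual /sbin/init
        print("/sbin/init:", verify_file("/sbin/init", load_dpkg_md5sums()))
```

`dpkg --verify` and `debsums` run this comparison for every file of every package; like this script, they read the md5sums from the same disk, so on a host suspected of compromise the result is only as trustworthy as that disk, and a check from a clean boot medium against a freshly downloaded .deb is the stronger form.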

#8 On 04/03/2015 at 10:17

Geronimo12

Re: help: rootkit / worm infection

here is the response:

ixblanco pts/0        :0               Wed Mar  4 09:52   still logged in   
ixblanco :0           :0               Wed Mar  4 09:35   still logged in   
ixblanco :0           :0               Wed Mar  4 08:51 - down   (00:06)    
ixblanco :0           :0               Tue Mar  3 23:01 - down   (00:15)    
ixblanco pts/11       :0               Tue Mar  3 18:18 - 18:18  (00:00)    
ixblanco pts/0        :0               Tue Mar  3 18:16 - 22:55  (04:38)    
ixblanco :0           :0               Tue Mar  3 18:07 - down   (04:49)    
ixblanco :0           :0               Tue Mar  3 10:24 - down   (00:16)    
ixblanco :0           :0               Tue Mar  3 09:11 - down   (01:08)    
ixblanco :0           :0               Mon Mar  2 22:24 - down   (00:46)    
ixblanco :0           :0               Mon Mar  2 14:28 - down   (03:53)    
ixblanco pts/6        :0               Mon Mar  2 13:59 - down   (00:27)    
ixblanco pts/6        :0               Mon Mar  2 13:03 - 13:50  (00:46)    

wtmp begins Mon Mar  2 13:03:37 2015

and as for the clamav antivirus results, are they OK for you?



#9 On 04/03/2015 at 14:52

tiramiseb

Re: help: rootkit / worm infection

here is the response

Well, I don't see what chkrootkit has been smoking.

as for the clamav antivirus results, are they OK for you?

Well, it says you have 44 infected files, but you don't show which ones. Didn't it say any more?

Not having used ClamAV for about 10 years, I couldn't guide you precisely.

#10 On 04/03/2015 at 16:28

Geronimo12

Re: help: rootkit / worm infection

no, I've shown you everything it displayed...

#11 On 04/03/2015 at 22:21

J5012

Re: help: rootkit / worm infection

to avoid false alarms, rkhunter must be configured correctly; read the doc in #2
chkrootkit relies on a database of hashes for comparison, and the database absolutely must be up to date

how did you install clamav?
what did you ask it to scan? it's possible that the 44 are W... applications
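As an added worked example (not from the thread, from rkhunter or from the ubuntu-fr doc), here is what "configuring rkhunter correctly" amounts to for the warnings quoted in #1: each warning shape is mapped to the rkhunter.conf option that whitelists it (ALLOWHIDDENDIR, ALLOWHIDDENFILE and ALLOWDEVFILE appear in the conf excerpt in #3; SCRIPTWHITELIST is a further option of the same file, not shown in that excerpt), and the passwd/group changes are recognised as the case that no whitelist clears and that `rkhunter --propupd` acknowledges instead. The judgement that each item is benign is tiramiseb's from #5; the script only turns confirmed-benign warnings into the matching config lines.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the rkhunter warnings quoted in post #1.
SAMPLE_REPORT = """\
Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text
Warning: User 'postfix' has been added to the passwd file.
Warning: Group 'postfix' has been added to the group file.
Warning: Group 'postdrop' has been added to the group file.
Warning: Suspicious file types found in /dev:
         /dev/.udev/rules.d/root.rules: ASCII text
Warning: Hidden directory found: /etc/.java: directory
Warning: Hidden directory found: /dev/.udev: directory
Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'
"""

# Each warning shape maps to the rkhunter.conf option that silences it once the
# item has been confirmed benign. "PROPUPD" is not an option: account changes
# are acknowledged by re-running 'rkhunter --propupd'.
PATTERNS = [
    (re.compile(r"^Warning: The command '(?P<value>[^']+)' has been replaced by a script"),
     "SCRIPTWHITELIST"),
    (re.compile(r"^Warning: Hidden directory found: (?P<value>[^:]+):"), "ALLOWHIDDENDIR"),
    (re.compile(r"^Warning: Hidden file found: (?P<value>[^:]+):"), "ALLOWHIDDENFILE"),
    (re.compile(r"^Warning: (?:User|Group) '(?P<value>[^']+)' has been added to the (?:passwd|group) file"),
     "PROPUPD"),
]
DEV_HEADER = "Warning: Suspicious file types found in /dev:"
DEV_ENTRY = re.compile(r"^\s+(?P<value>/dev/\S+):")  # indented lines under DEV_HEADER


@dataclass(frozen=True)
class Finding:
    warning: str    # the warning line as rkhunter printed it
    directive: str  # rkhunter.conf option name, or "PROPUPD"
    value: str      # the path or account name the warning is about


def triage(report: str) -> list[Finding]:
    """Classify each warning line of an rkhunter report; unknown lines are skipped."""
    findings: list[Finding] = []
    in_dev_block = False
    for line in report.splitlines():
        if in_dev_block:
            m = DEV_ENTRY.match(line)
            if m:  # the /dev warning lists its files on following indented lines
                findings.append(Finding(line.strip(), "ALLOWDEVFILE", m["value"]))
                continue
            in_dev_block = False
        if line.startswith(DEV_HEADER):
            in_dev_block = True
            continue
        for pattern, directive in PATTERNS:
            m = pattern.match(line)
            if m:
                findings.append(Finding(line.rstrip(), directive, m["value"]))
                break
    return findings


def suggest_conf(findings: list[Finding]) -> list[str]:
    """rkhunter.conf lines for the whitelistable findings, one item per line,
    deduplicated and sorted so they can be diffed against an existing file."""
    return sorted({f'{f.directive}="{f.value}"'
                   for f in findings if f.directive != "PROPUPD"})


def needs_propupd(findings: list[Finding]) -> bool:
    """True if a finding is only cleared by refreshing rkhunter's stored file
    properties (which include its reference copies of passwd and group)."""
    return any(f.directive == "PROPUPD" for f in findings)


if __name__ == "__main__":
    found = triage(SAMPLE_REPORT)
    for f in found:
        print(f"{f.directive:16} {f.value:36} <- {f.warning[:60]}")
    print("\nLines to add to rkhunter.conf once each item is confirmed benign:")
    print("\n".join(suggest_conf(found)))
    if needs_propupd(found):
        print("\nThen run: sudo rkhunter --propupd")
```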

#12 On 05/03/2015 at 09:51

Geronimo12

Re: help: rootkit / worm infection

thanks,
strange, I don't have a Windows partition ;-)

I installed clamav from the command line, following this:
http://doc.ubuntu-fr.org/clamav

then afterwards I saw that there was a graphical interface, but only after the full scan of the hard drive...

there may be a way to retrieve the history from the command line, but with the graphical interface the history is empty in this case...

Last edited by Geronimo12 (05/03/2015 at 21:14)

#13 On 05/03/2015 at 19:46

J5012

Re: help: rootkit / worm infection

I don't have a W... partition either, and that doesn't stop you from downloading some (especially without your full knowledge and consent)

and what if you redid the clamscan, varlogging it this time?

#14 On 05/03/2015 at 20:15

tiramiseb

Re: help: rootkit / worm infection

that doesn't stop you from downloading some (especially without your full knowledge and consent)

You download things without your full knowledge and consent, do you?

#15 On 05/03/2015 at 21:12

Geronimo12

Re: help: rootkit / worm infection

yes, I torr... quite a bit ;-)

what does varlogging mean?

Last edited by Geronimo12 (05/03/2015 at 21:16)

#16 On 06/03/2015 at 21:07

J5012

Re: help: rootkit / worm infection

tiramiseb wrote:

that doesn't stop you from downloading some (especially without your full knowledge and consent)

You download things without your full knowledge and consent, do you?

yes, if you forget to read the small print in ffx or in installers, clicking next, next...

#17 On 06/03/2015 at 21:08

J5012

Re: help: rootkit / worm infection

Geronimo12 wrote:

yes, I torr... quite a bit ;-)

what does varlogging mean?

so you haven't read the ubuntu-fr clamav doc...

#18 On 06/03/2015 at 22:07

Geronimo12

Re: help: rootkit / worm infection

thanks

yes J5012, I did read it ;-) but I don't understand 3/4 of the page... so I'm not doing it, as a precaution and for fear of doing something stupid ;-)

so if you want to guide me through understanding it, I'm up for it...

#19 On 07/03/2015 at 21:35

J5012

Re: help: rootkit / worm infection

http://doc.ubuntu-fr.org/clamav#utilisation

don't tell me the little table is incomprehensible...

didn't you also install a graphical interface?

and a bit of googling?
https://help.ubuntu.com/community/ClamA … _reporting

Last edited by J5012 (07/03/2015 at 21:39)