Assignment 6
Encryption
The first part of my exploration was to try to verify a file I downloaded from Apache.org. I downloaded GnuPG to do this. Here is what I did.
First I downloaded the file and its detached signature, 'httpd-2.0.52.tar.bz2' and 'httpd-2.0.52.tar.bz2.asc', from apache.org.
Then I checked the detached signature against the file 'httpd-2.0.52.tar.bz2'
Badi-Jones-Computer:~ jones$ gpg httpd-2.0.52.tar.bz2.asc
gpg: Signature made Mon Sep 27 18:34:52 2004 EDT using RSA key ID 10FDE075
gpg: Can't check signature: public key not found
I need to get the public key from a public key server. I used mit.edu as suggested by apache.org.
Badi-Jones-Computer:~ jones$ gpg --keyserver pgpkeys.mit.edu --recv-key 10FDE075
gpg: key 10FDE075: public key "wrowe@covalent.net" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
Now that I have this key, I can try to verify the release signature again.
Badi-Jones-Computer:~ jones$ gpg httpd-2.0.52.tar.bz2.asc
gpg: Signature made Mon Sep 27 18:34:52 2004 EDT using RSA key ID 10FDE075
gpg: Good signature from "wrowe@covalent.net"
gpg: aka "William A. Rowe, Jr. "
gpg: aka "wrowe@lnd.com"
gpg: aka "wrowe@apache.org"
gpg: aka "wrowe@lnd.com"
gpg: aka "wrowe@apache.org"
gpg: aka "wrowe@covalent.net"
gpg: aka "William A. Rowe, Jr. "
gpg: checking the trustdb
gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
gpg: next trustdb check due at 2005-04-09
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 33 16 9B 46 FC 12 D4 01 CA 6D DB D7 DE EA 4F D7
The signature is not trusted, so I need to find out if it is authentic.
Badi-Jones-Computer:~ jones$ gpg --fingerprint 10FDE075
pub 2048R/10FDE075 2000-10-09 wrowe@covalent.net
Key fingerprint = 33 16 9B 46 FC 12 D4 01 CA 6D DB D7 DE EA 4F D7
uid William A. Rowe, Jr.
uid wrowe@lnd.com
uid wrowe@apache.org
uid wrowe@lnd.com
uid wrowe@apache.org
uid wrowe@covalent.net
uid William A. Rowe, Jr.
Fingerprints are the same, but the key is not trusted, possibly because it is new.
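What the output above shows is a good signature from a key that nothing yet ties to the publisher: the "Good signature" line only proves that some key signed the file, and the fingerprint has to be compared with a copy obtained somewhere other than the keyserver the key came from (for Apache, the project's KEYS file). The script below, added here as an example and not part of the original write-up or of GnuPG, automates that comparison by reading gpg's machine-readable status lines; the `gpg` binary on PATH, the `verify_release` wrapper and the constructed status sample are assumptions of the example.

```python
"""Pin the signer's fingerprint when checking a detached GnuPG signature.

Added example, not part of the original write-up and not GnuPG's own code. It
assumes a `gpg` binary on PATH and an expected fingerprint obtained out of band
(the project's KEYS file, not the keyserver the key was fetched from). The
status lines in SAMPLE_STATUS are constructed, modelled on the key above.
"""
import re
import subprocess
from typing import Optional

# The fingerprint as gpg printed it in the write-up; spacing is cosmetic.
EXPECTED_FPR = "33 16 9B 46 FC 12 D4 01 CA 6D DB D7 DE EA 4F D7"

# Constructed `--status-fd` output: good signature, key with no assigned trust.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 10FDE075 wrowe@covalent.net
[GNUPG:] VALIDSIG 33169B46FC12D401CA6DDBD7DEEA4FD7 2004-09-27 1096324492 0 3 0 1 2 00 33169B46FC12D401CA6DDBD7DEEA4FD7
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def normalize_fpr(fpr: str) -> str:
    """Drop spaces and colons and upper-case, so differently formatted copies compare."""
    return re.sub(r"[^0-9A-Fa-f]", "", fpr).upper()


def parse_validsig(status_text: str) -> Optional[str]:
    """Fingerprint from the VALIDSIG status line, or None if gpg did not emit one.

    GOODSIG names only the short key ID, which is not unique; VALIDSIG carries
    the full fingerprint, which is the value to compare against the pin.
    """
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return fields[2].upper()
    return None


def fingerprint_matches(expected: str, actual: Optional[str]) -> bool:
    return actual is not None and normalize_fpr(expected) == normalize_fpr(actual)


def signature_is_trusted(status_text: str, expected_fpr: str) -> bool:
    """True only when gpg validated the signature AND the signer is the pinned key.

    A "Good signature" from an untrusted key proves only that some key signed
    the file; the pin is what ties that key to the publisher.
    """
    return fingerprint_matches(expected_fpr, parse_validsig(status_text))


def verify_release(tarball: str, sig: str, expected_fpr: str) -> bool:
    """Run gpg --verify with machine-readable status on stdout and apply the pin."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig, tarball],
        capture_output=True, text=True,
    )
    # Non-zero exit covers BADSIG, a missing public key, unreadable files, etc.
    return proc.returncode == 0 and signature_is_trusted(proc.stdout, expected_fpr)


if __name__ == "__main__":
    print(signature_is_trusted(SAMPLE_STATUS, EXPECTED_FPR))  # True
    print(verify_release("httpd-2.0.52.tar.bz2", "httpd-2.0.52.tar.bz2.asc", EXPECTED_FPR))
```

The check deliberately keys on VALIDSIG rather than GOODSIG: the short key ID 10FDE075 shown by `gpg` is not unique, whereas the full fingerprint is, and a TRUST_UNDEFINED line (the same situation as the "not certified with a trusted signature" warning above) is not an error as far as this pinning check is concerned.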
Created a public/private key pair
Here I created my own set of keys using GnuPG. This is my public key.
Here I encrypted the file it.txt.
Badi-Jones-Computer:~ jones$ gpg --encrypt --recipient 'badi' it.txt
The resulting encrypted file is it.txt.gpg.
Finally I decrypted the file.
Badi-Jones-Computer:~ jones$ gpg --output it-undone.txt it.txt.gpg
You need a passphrase to unlock the secret key for
user: "bjones (lock) "
1024-bit ELG-E key, ID B32D10F7, created 2004-12-10 (main key ID DB698012)
gpg: encrypted with 1024-bit ELG-E key, ID B32D10F7, created 2004-12-10
"bjones (lock) "
The resulting file is it-undone.txt.
Install Snort on a host, and explore the various options, rulesets, etc. See what, if anything, it catches.
I installed Snort and ran the following command while, from my computer at home, I ran 'nmap bill.msie.marlboro.edu'.
You can see
[root@bill chkrootkit-0.44]# /usr/sbin/snort -v
Running in packet dump mode
Log directory = /var/log/snort
Initializing Network Interface eth0
--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.3.0RC1 (Build 8)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2004 Sourcefire Inc, et al.
12/10-12:53:03.610135
24.218.92.235:63835 -> 216.114.150.54:22
TCP TTL:50 TOS:0x0 ID:64725 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x1A83EA62 Ack: 0x54E79C52 Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1284989615 1685713507
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-12:53:03.624221
24.218.92.235:65356 -> 216.114.150.54:788
TCP TTL:50 TOS:0x0 ID:64726 IpLen:20 DgmLen:60 DF
******S* Seq: 0x8170B4FC Ack: 0x0 Win: 0xFFFF TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 0 NOP NOP TS: 1284989615 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-12:53:03.624254
216.114.150.54 -> 24.218.92.235
ICMP TTL:255 TOS:0xC0 ID:53554 IpLen:20 DgmLen:88
Type:3 Code:10 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED
HOST FILTERED
** ORIGINAL DATAGRAM DUMP:
24.218.92.235:65356 -> 216.114.150.54:788
TCP TTL:50 TOS:0x0 ID:64726 IpLen:20 DgmLen:60 DF
******S* Seq: 0x8170B4FC Ack: 0x0 Win: 0xFFFF TcpLen: 40
** END OF DUMP
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-12:53:03.624737
216.114.150.54:22 -> 24.218.92.235:63835
TCP TTL:64 TOS:0x10 ID:42767 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x54E79EE2 Ack: 0x1A83EA62 Win: 0x8D8 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1685713632 1284989615
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-12:53:03.630265
24.218.92.235:65357 -> 216.114.150.54:421
TCP TTL:50 TOS:0x0 ID:64727 IpLen:20 DgmLen:60 DF
******S* Seq: 0xF6F8B0AE Ack: 0x0 Win: 0xFFFF TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 0 NOP NOP TS: 1284989615 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-12:53:03.637664
24.218.92.235:65358 -> 216.114.150.54:240
TCP TTL:50 TOS:0x0 ID:64728 IpLen:20 DgmLen:60 DF
******S* Seq: 0x10DA713F Ack: 0x0 Win: 0xFFFF TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 0 NOP NOP TS: 1284989615 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-12:53:03.637959
216.114.150.54:22 -> 24.218.92.235:63835
TCP TTL:64 TOS:0x10 ID:42769 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x54E7A48A Ack: 0x1A83EA62 Win: 0x8D8 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1685713645 1284989615
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-12:53:03.645642
24.218.92.235:65359 -> 216.114.150.54:424
TCP TTL:50 TOS:0x0 ID:64729 IpLen:20 DgmLen:60 DF
******S* Seq: 0x35B4A814 Ack: 0x0 Win: 0xFFFF TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 0 NOP NOP TS: 1284989615 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-12:53:03.656166
24.218.92.235:65360 -> 216.114.150.54:287
TCP TTL:50 TOS:0x0 ID:64730 IpLen:20 DgmLen:60 DF
******S* Seq: 0xB6FD3E3 Ack: 0x0 Win: 0xFFFF TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 0 NOP NOP TS: 1284989615 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-12:53:03.660158
24.218.92.235:65361 -> 216.114.150.54:291
TCP TTL:50 TOS:0x0 ID:64731 IpLen:20 DgmLen:60 DF
******S* Seq: 0xF3CA97CB Ack: 0x0 Win: 0xFFFF TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 0 NOP NOP TS: 1284989615 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-12:53:03.660455
216.114.150.54:22 -> 24.218.92.235:63835
TCP TTL:64 TOS:0x10 ID:42771 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x54E7AA32 Ack: 0x1A83EA62 Win: 0x8D8 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1685713668 1284989615
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-12:53:03.666957
24.218.92.235:65362 -> 216.114.150.54:709
TCP TTL:50 TOS:0x0 ID:64732 IpLen:20 DgmLen:60 DF
******S* Seq: 0xA1768A5B Ack: 0x0 Win: 0xFFFF TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 0 NOP NOP TS: 1284989615 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-12:53:03.667315
24.218.92.235:65363 -> 216.114.150.54:500
TCP TTL:50 TOS:0x0 ID:64733 IpLen:20 DgmLen:60 DF
******S* Seq: 0x85DD1B0E Ack: 0x0 Win: 0xFFFF TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 0 NOP NOP TS: 1284989615 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-12:53:03.667719
24.218.92.235:65364 -> 216.114.150.54:508
TCP TTL:50 TOS:0x0 ID:64734 IpLen:20 DgmLen:60 DF
******S* Seq: 0x127FDF54 Ack: 0x0 Win: 0xFFFF TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 0 NOP NOP TS: 1284989615 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-12:53:03.668011
216.114.150.54:22 -> 24.218.92.235:63835
TCP TTL:64 TOS:0x10 ID:42773 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x54E7AFDA Ack: 0x1A83EA62 Win: 0x8D8 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1685713675 1284989615
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-12:53:03.708705
24.218.92.235:63835 -> 216.114.150.54:22
TCP TTL:50 TOS:0x0 ID:64735 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x1A83EA62 Ack: 0x54E79EE2 Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1284989616 1685713535
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-12:53:03.708742
216.114.150.54:22 -> 24.218.92.235:63835
TCP TTL:64 TOS:0x10 ID:42775 IpLen:20 DgmLen:516 DF
***AP*** Seq: 0x54E7B582 Ack: 0x1A83EA62 Win: 0x8D8 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1685713716 1284989616
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-12:53:03.724940
24.218.92.235:63835 -> 216.114.150.54:22
TCP TTL:50 TOS:0x0 ID:64736 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x1A83EA62 Ack: 0x54E7AA32 Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1284989616 1685713632
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-12:53:03.759036
24.218.92.235:63835 -> 216.114.150.54:22
TCP TTL:50 TOS:0x0 ID:64737 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x1A83EA62 Ack: 0x54E7B582 Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1284989616 1685713668
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-12:53:03.848777
24.218.92.235:63835 -> 216.114.150.54:22
TCP TTL:50 TOS:0x0 ID:64738 IpLen:20 DgmLen:100 DF
***AP*** Seq: 0x1A83EA62 Ack: 0x54E7B752 Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1284989616 1685713716
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-12:53:03.848861
216.114.150.54:22 -> 24.218.92.235:63835
TCP TTL:64 TOS:0x10 ID:42777 IpLen:20 DgmLen:1428 DF
***AP*** Seq: 0x54E7B752 Ack: 0x1A83EA92 Win: 0x8D8 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1685713856 1284989616
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
===============================================================================
Snort received 135 packets
Analyzed: 135(100.000%)
Dropped: 0(0.000%)
===============================================================================
Breakdown by protocol:
TCP: 128 (94.815%)
UDP: 2 (1.481%)
ICMP: 2 (1.481%)
ARP: 2 (1.481%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 1 (0.741%)
DISCARD: 0 (0.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
===============================================================================
Snort exiting
[root@bill chkrootkit-0.44]#
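The dump above is raw packet output, and the scan is visible in it only to a reader who notices the run of bare SYNs from one source to ports 788, 421, 240, 424, 287 and so on within a few milliseconds. The parser and detector below, an added example that is neither the write-up's nor Snort's own code, reads Snort's -v record format and reports sources that sent bare SYNs to many distinct destination ports in a short window. The threshold, the window and the sample dump are this example's assumptions; the sample is constructed in Snort's record format, reusing addresses from the capture above, with one ICMP error record (which quotes the offending SYN inside it) and one ARP line to show that both are ignored.

```python
"""Parse Snort -v packet-dump records and flag SYN sweeps.

Added example, not part of the original write-up nor Snort's own code. The
threshold and window are assumptions; SAMPLE_DUMP is constructed in the record
format Snort 2.x prints, reusing addresses from the capture above.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime

TS_RE = re.compile(r"(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)")
ADDR_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")
# Snort's 8-character TCP flag field is 1 2 U A P R S F, with '*' for a clear bit.
FLAGS_RE = re.compile(r"^([12UAPRSF*]{8}) Seq:")

SAMPLE_DUMP = """\
12/10-12:53:03.610135 24.218.92.235:63835 -> 216.114.150.54:22
TCP TTL:50 TOS:0x0 ID:64725 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x1A83EA62 Ack: 0x54E79C52 Win: 0xFFFF TcpLen: 32
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-12:53:03.624221 24.218.92.235:65356 -> 216.114.150.54:788
TCP TTL:50 TOS:0x0 ID:64726 IpLen:20 DgmLen:60 DF
******S* Seq: 0x8170B4FC Ack: 0x0 Win: 0xFFFF TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-12:53:03.624254 216.114.150.54 -> 24.218.92.235
ICMP TTL:255 TOS:0xC0 ID:53554 IpLen:20 DgmLen:88
** ORIGINAL DATAGRAM DUMP:
24.218.92.235:65356 -> 216.114.150.54:788
TCP TTL:50 TOS:0x0 ID:64726 IpLen:20 DgmLen:60 DF
******S* Seq: 0x8170B4FC Ack: 0x0 Win: 0xFFFF TcpLen: 40
** END OF DUMP
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-12:53:03.630265 24.218.92.235:65357 -> 216.114.150.54:421
TCP TTL:50 TOS:0x0 ID:64727 IpLen:20 DgmLen:60 DF
******S* Seq: 0xF6F8B0AE Ack: 0x0 Win: 0xFFFF TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-12:53:03.637664 24.218.92.235:65358 -> 216.114.150.54:240
TCP TTL:50 TOS:0x0 ID:64728 IpLen:20 DgmLen:60 DF
******S* Seq: 0x10DA713F Ack: 0x0 Win: 0xFFFF TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-12:53:03.640000 ARP who-has 216.114.150.72 tell 216.114.150.1
12/10-12:53:03.645642 24.218.92.235:65359 -> 216.114.150.54:424
TCP TTL:50 TOS:0x0 ID:64729 IpLen:20 DgmLen:60 DF
******S* Seq: 0x35B4A814 Ack: 0x0 Win: 0xFFFF TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-12:53:03.656166 24.218.92.235:65360 -> 216.114.150.54:287
TCP TTL:50 TOS:0x0 ID:64730 IpLen:20 DgmLen:60 DF
******S* Seq: 0xB6FD3E3 Ack: 0x0 Win: 0xFFFF TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-12:53:05.100000 10.0.0.7:40000 -> 216.114.150.54:22
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1 Ack: 0x0 Win: 0xFFFF TcpLen: 40
"""

Packet = namedtuple("Packet", "ts src sport dst dport flags")


def is_bare_syn(p):
    """SYN set and ACK clear: a connection attempt rather than a reply."""
    return "S" in p.flags and "A" not in p.flags


def parse_snort_dump(text):
    """TCP packets from a Snort -v dump; ARP, ICMP and other records are skipped."""
    packets = []
    for record in text.split("=+=+"):
        lines = [ln.strip() for ln in record.splitlines() if ln.strip()]
        for i, line in enumerate(lines):
            ts = TS_RE.search(line)
            if not ts:
                continue  # header-less lines, e.g. the datagram quoted inside an ICMP error
            addr, j = ADDR_RE.search(line), i
            if addr is None and line == ts.group(1) and i + 1 < len(lines):
                addr, j = ADDR_RE.search(lines[i + 1]), i + 1  # addresses wrapped to next line
            if addr is None or j + 2 >= len(lines) or not lines[j + 1].startswith("TCP"):
                continue  # ARP, ICMP, UDP: no port pair followed by a TCP header
            flags = FLAGS_RE.match(lines[j + 2])
            if flags:
                packets.append(Packet(datetime.strptime(ts.group(1), "%m/%d-%H:%M:%S.%f"),
                                      addr.group(1), int(addr.group(2)), addr.group(3),
                                      int(addr.group(4)), flags.group(1)))
            break  # at most one packet per separator-delimited record
    return packets


def find_syn_sweeps(packets, min_ports=5, window_s=1.0):
    """Sources whose bare SYNs reached >= min_ports distinct destination ports
    within any window_s-second span, mapped to the largest such port count."""
    syns = defaultdict(list)
    for p in packets:
        if is_bare_syn(p):
            syns[p.src].append((p.ts, p.dport))
    sweeps = {}
    for src, events in syns.items():
        best = max(len({d for t, d in events if 0 <= (t - t0).total_seconds() <= window_s})
                   for t0, _ in events)
        if best >= min_ports:
            sweeps[src] = best
    return sweeps


if __name__ == "__main__":
    print(find_syn_sweeps(parse_snort_dump(SAMPLE_DUMP)))  # {'24.218.92.235': 5}
```

Two details matter for correctness on real dumps: the ICMP "administratively prohibited" record quotes the original SYN, so a parser that simply greps for `******S*` would count every filtered probe twice, and the established SSH session's ACK-only packets must not count as connection attempts, which is why only SYNs with the ACK bit clear are tallied.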
The following output is the result of a ping on the server.
[root@bill root]# /usr/sbin/snort -v
Running in packet dump mode
Log directory = /var/log/snort
Initializing Network Interface eth0
--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.3.0RC1 (Build 8)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2004 Sourcefire Inc, et al.
12/10-10:55:20.815786
24.218.92.235:63572 -> 216.114.150.54:22
TCP TTL:50 TOS:0x0 ID:52360 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x2280DFDE Ack: 0xD6511883 Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1284983833 1678649578
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-10:55:20.816079
216.114.150.54:22 -> 24.218.92.235:63572
TCP TTL:64 TOS:0x10 ID:50155 IpLen:20 DgmLen:836 DF
***AP*** Seq: 0xD6511883 Ack: 0x2280DFDE Win: 0x8D8 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1678649843 1284983833
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-10:55:21.017542
24.218.92.235:63572 -> 216.114.150.54:22
TCP TTL:50 TOS:0x0 ID:52361 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x2280DFDE Ack: 0xD6511B93 Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1284983834 1678649843
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-10:55:21.017624
216.114.150.54:22 -> 24.218.92.235:63572
TCP TTL:64 TOS:0x10 ID:50157 IpLen:20 DgmLen:724 DF
***AP*** Seq: 0xD6511B93 Ack: 0x2280DFDE Win: 0x8D8 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1678650045 1284983834
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-10:55:21.215882
24.218.92.235:63572 -> 216.114.150.54:22
TCP TTL:50 TOS:0x0 ID:52362 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x2280DFDE Ack: 0xD6511E33 Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1284983834 1678650045
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-10:55:21.215920
216.114.150.54:22 -> 24.218.92.235:63572
TCP TTL:64 TOS:0x10 ID:50159 IpLen:20 DgmLen:724 DF
***AP*** Seq: 0xD6511E33 Ack: 0x2280DFDE Win: 0x8D8 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1678650243 1284983834
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-10:55:21.417619
24.218.92.235:63572 -> 216.114.150.54:22
TCP TTL:50 TOS:0x0 ID:52363 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x2280DFDE Ack: 0xD65120D3 Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1284983835 1678650243
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-10:55:21.417653
216.114.150.54:22 -> 24.218.92.235:63572
TCP TTL:64 TOS:0x10 ID:50161 IpLen:20 DgmLen:724 DF
***AP*** Seq: 0xD65120D3 Ack: 0x2280DFDE Win: 0x8D8 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1678650445 1284983835
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-10:55:21.617590
24.218.92.235:63572 -> 216.114.150.54:22
TCP TTL:50 TOS:0x0 ID:52364 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x2280DFDE Ack: 0xD6512373 Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1284983835 1678650445
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-10:55:21.617629
216.114.150.54:22 -> 24.218.92.235:63572
TCP TTL:64 TOS:0x10 ID:50163 IpLen:20 DgmLen:724 DF
***AP*** Seq: 0xD6512373 Ack: 0x2280DFDE Win: 0x8D8 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1678650645 1284983835
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-10:55:21.818649
24.218.92.235:63572 -> 216.114.150.54:22
TCP TTL:50 TOS:0x0 ID:52365 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x2280DFDE Ack: 0xD6512613 Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1284983835 1678650645
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-10:55:21.818732
216.114.150.54:22 -> 24.218.92.235:63572
TCP TTL:64 TOS:0x10 ID:50165 IpLen:20 DgmLen:724 DF
***AP*** Seq: 0xD6512613 Ack: 0x2280DFDE Win: 0x8D8 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1678650846 1284983835
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-10:55:22.023157
24.218.92.235:63572 -> 216.114.150.54:22
TCP TTL:50 TOS:0x0 ID:52366 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x2280DFDE Ack: 0xD65128B3 Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1284983836 1678650846
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-10:55:22.023195
216.114.150.54:22 -> 24.218.92.235:63572
TCP TTL:64 TOS:0x10 ID:50167 IpLen:20 DgmLen:724 DF
***AP*** Seq: 0xD65128B3 Ack: 0x2280DFDE Win: 0x8D8 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1678651050 1284983836
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-10:55:22.221020
24.218.92.235:63572 -> 216.114.150.54:22
TCP TTL:50 TOS:0x0 ID:52367 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x2280DFDE Ack: 0xD6512B53 Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1284983836 1678651050
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-10:55:22.221102
216.114.150.54:22 -> 24.218.92.235:63572
TCP TTL:64 TOS:0x10 ID:50169 IpLen:20 DgmLen:724 DF
***AP*** Seq: 0xD6512B53 Ack: 0x2280DFDE Win: 0x8D8 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1678651248 1284983836
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-10:55:22.284940
ARP who-has 216.114.150.72 tell 216.114.150.1
12/10-10:55:22.419066
24.218.92.235:63572 -> 216.114.150.54:22
TCP TTL:50 TOS:0x0 ID:52368 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x2280DFDE Ack: 0xD6512DF3 Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1284983837 1678651248
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-10:55:22.419113
216.114.150.54:22 -> 24.218.92.235:63572
TCP TTL:64 TOS:0x10 ID:50171 IpLen:20 DgmLen:836 DF
***AP*** Seq: 0xD6512DF3 Ack: 0x2280DFDE Win: 0x8D8 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1678651446 1284983837
===============================================================================
Snort received 100 packets
Analyzed: 100(100.000%)
Dropped: 0(0.000%)
===============================================================================
Breakdown by protocol:
TCP: 80 (80.000%)
UDP: 0 (0.000%)
ICMP: 12 (12.000%)
ARP: 7 (7.000%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 1 (1.000%)
DISCARD: 0 (0.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
===============================================================================
Snort exiting
Here I created a log file and viewed it.
[root@bill chkrootkit-0.44]# /usr/sbin/snort -l /home/bjones -b
Running in packet logging mode
Log directory = /home/bjones
Initializing Network Interface eth0
--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth0
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.3.0RC1 (Build 8)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2004 Sourcefire Inc, et al.
===============================================================================
Snort received 219 packets
Analyzed: 219(100.000%)
Dropped: 0(0.000%)
===============================================================================
Breakdown by protocol:
TCP: 4 (1.826%)
UDP: 0 (0.000%)
ICMP: 0 (0.000%)
ARP: 203 (92.694%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 12 (5.479%)
DISCARD: 0 (0.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 219
PASSED: 0
===============================================================================
Snort exiting
======
[root@bill bjones]# /usr/sbin/snort -dvr snort.log.1102705787
No run mode specified, defaulting to verbose mode
Running in packet dump mode
Log directory = /var/log/snort
TCPDUMP file reading mode.
Reading network traffic from "snort.log.1102705787" file.
snaplen = 1514
--== Initializing Snort ==--
Initializing Output Plugins!
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.3.0RC1 (Build 8)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2004 Sourcefire Inc, et al.
12/10-14:09:47.786606 ARP who-has 216.114.150.4 tell 216.114.150.1
12/10-14:09:47.846107 ARP who-has 216.114.150.66 tell 216.114.150.1
12/10-14:09:47.885546 ARP who-has 216.114.150.48 tell 216.114.150.1
12/10-14:09:48.007821 24.218.92.235:63835 -> 216.114.150.54:22
TCP TTL:50 TOS:0x0 ID:22597 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x1A83F242 Ack: 0x54E7CAF2 Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1284998823 1690318317
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-14:09:48.007897 216.114.150.54:22 -> 24.218.92.235:63835
TCP TTL:64 TOS:0x10 ID:42865 IpLen:20 DgmLen:836 DF
***AP*** Seq: 0x54E7CAF2 Ack: 0x1A83F242 Win: 0x8D8 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1690318646 1284998823
95 BE AE D2 15 F3 D1 4E BB 95 AE 83 AE 33 EC 35 .......N.....3.5
8D 4B 05 0D 29 0A 32 B4 8F 10 BD D4 F3 C9 D9 07 .K..).2.........
01 78 53 67 71 E4 8B F6 51 20 3A 85 74 7C 50 8B .xSgq...Q :.t|P.
07 CD 4A B5 F3 B1 CB 21 9D E0 D2 AC 31 20 0E E2 ..J....!....1 ..
31 78 17 4D 09 0A 22 27 CA FE E8 32 8F 08 84 92 1x.M.."'...2....
99 00 68 2B 5E 0C 72 BF 8F 2B D2 56 52 60 E3 97 ..h+^.r..+.VR`..
9C 13 F6 7C 8C 27 1B 0D 27 81 40 A8 D3 01 86 45 ...|.'..'.@....E
31 96 C1 C9 3A EA FE 96 89 F4 3A 4C 5D 09 8E 18 1...:.....:L]...
64 D8 8A EE 52 46 25 FD 50 27 61 75 B1 A6 76 A2 d...RF%.P'au..v.
1C 6D A1 AB 39 8C 0F ED 25 D2 57 A3 D8 FC BE FE .m..9...%.W.....
30 DC D3 9A 79 5A BC 2A 5F 4B A0 E1 1A AF D6 D4 0...yZ.*_K......
88 3E 8F 4F 25 ED D1 35 7F 7D B4 47 35 88 C4 FA .>.O%..5.}.G5...
89 B6 B7 AB 10 14 2A F6 8A F2 3B 79 81 63 24 B2 ......*...;y.c$.
8A C4 36 DE AD 84 76 EA BA D3 B6 A1 79 62 A1 FB ..6...v.....yb..
13 50 82 BE 4F E4 C3 74 7A 5F 77 33 54 47 89 B3 .P..O..tz_w3TG..
7D D8 02 FF 8B 19 B1 34 B9 46 9D 21 CF 46 2F 70 }......4.F.!.F/p
D2 5F 1D 9A 32 2E 7E C3 EB 02 46 1E 86 E9 7C AB ._..2.~...F...|.
60 8A A4 D1 18 07 19 EA 7F 87 A0 95 40 D7 72 0D `...........@.r.
27 97 21 B8 11 5A DB 19 0E 32 5D 99 01 45 4D 91 '.!..Z...2]..EM.
DB 57 75 46 6A F1 D2 89 3F 5E 44 F4 00 63 A4 04 .WuFj...?^D..c..
A0 4E FC 62 76 6F D6 47 37 3D 3B 97 9E 10 3B A1 .N.bvo.G7=;...;.
64 EF 32 5A 4D 95 06 BA F3 14 2F 60 BD C6 AD BF d.2ZM...../`....
CA 0D A5 64 1F FF 3E 4E 62 36 0A DE A6 77 F8 17 ...d..>Nb6...w..
39 CC 1F 08 70 AA 9B E1 87 31 EB 60 D3 7D 1A 9B 9...p....1.`.}..
E3 B6 5E 89 68 65 27 93 70 00 65 88 44 43 E3 DD ..^.he'.p.e.DC..
7F 91 2C A0 E1 8C D8 EF 68 63 D9 EB 26 52 7F 25 ..,.....hc..&R.%
22 42 3D 33 B7 E0 A0 CF 77 82 0C A5 1E C2 06 6A "B=3....w......j
4E 89 DF 27 53 9B 98 84 98 15 A6 85 ED 3B 19 7A N..'S........;.z
4B 82 2F 14 8E 9F F1 49 C2 57 5F 7F 41 84 EA 78 K./....I.W_.A..x
8C 19 C4 6E 4A 89 D1 B6 4A 0C 3B D2 43 E1 6D BC ...nJ...J.;.C.m.
A9 59 5C AA C9 38 36 C8 E0 B8 C7 33 8F 19 5D 26 .Y\..86....3..]&
2E AD F4 75 4E 69 93 68 54 45 67 1A 15 19 6D F8 ...uNi.hTEg...m.
28 D1 8F 05 CB BF 36 B6 FA AF B6 49 FC D0 01 7D (.....6....I...}
0B 20 D6 EE F7 90 6F 1C A7 B1 38 DE 80 2C 1D 9A . ....o...8..,..
CB 2A 52 F9 0E B6 CF C4 04 21 66 8D F3 5B 33 B2 .*R......!f..[3.
C1 82 B6 F7 16 AB 81 32 8B EF 41 3B 5A D2 75 2E .......2..A;Z.u.
6F 70 48 3B B2 BC 8A 29 4C B7 39 8B 00 90 94 5F opH;...)L.9...._
BE 60 98 82 F2 D0 6E E7 39 AA 12 C6 89 D1 DF 9C .`....n.9.......
20 42 26 EB E6 0B C2 94 E9 3E 2F 50 67 35 0D BB B&......>/Pg5..
AA EC FD DD 81 6A D9 66 12 8D B5 EE C2 2D D0 32 .....j.f.....-.2
45 BA 8B CA 30 87 BF 32 87 01 5E 77 44 70 77 65 E...0..2..^wDpwe
80 5B 88 16 4D 3A BF C7 53 4D 12 D8 C6 82 98 91 .[..M:..SM......
33 3F 6B E4 88 44 00 7F A7 28 06 F4 DF 82 B0 99 3?k..D...(......
07 1D 17 D4 20 B6 44 7C 9F 3C 84 F4 AF BD 35 54 .... .D|.<....5T
C6 A9 79 99 FE 40 D9 E1 91 8E EF 47 55 8F 40 12 ..y..@.....GU.@.
58 2D E7 09 30 24 B0 AA B1 F6 C4 49 9A B8 95 B5 X-..0$.....I....
A3 E7 52 2D 50 0B 15 82 7D 8F BB AE CA D7 7B D1 ..R-P...}.....{.
37 DD 60 55 7A 67 1E 1A 08 DB 5C EF 2F 0E BA 71 7.`Uzg....\./..q
CE 06 67 32 27 2C 63 CD AF 39 51 3B AD AC F7 34 ..g2',c..9Q;...4
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-14:09:48.329348 24.218.92.235:63835 -> 216.114.150.54:22
TCP TTL:50 TOS:0x0 ID:22598 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x1A83F242 Ack: 0x54E7CE02 Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 1284998824 1690318646
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-14:09:48.615504 ARP who-has 216.114.150.72 tell 216.114.150.1
12/10-14:09:48.755587 ARP who-has 216.114.150.4 tell 216.114.150.1
12/10-14:09:48.757146 ARP who-has 216.114.150.91 tell 216.114.150.1
12/10-14:09:48.845809 ARP who-has 216.114.150.66 tell 216.114.150.1
12/10-14:09:48.885949 ARP who-has 216.114.150.48 tell 216.114.150.1
12/10-14:09:49.615522 ARP who-has 216.114.150.72 tell 216.114.150.1
12/10-14:09:49.755624 ARP who-has 216.114.150.91 tell 216.114.150.1
12/10-14:09:50.119542 ARP who-has 216.114.150.65 tell 216.114.150.1
12/10-14:09:50.755525 ARP who-has 216.114.150.91 tell 216.114.150.1
12/10-14:09:51.079353 ARP who-has 216.114.150.39 tell 216.114.150.1
12/10-14:09:51.115490 ARP who-has 216.114.150.65 tell 216.114.150.1
12/10-14:09:51.557613 ARP who-has 216.114.150.76 tell 216.114.150.1
12/10-14:09:51.630917 ARP who-has 216.114.150.4 tell 216.114.150.1
12/10-14:09:51.758596 ARP who-has 216.114.150.75 tell 216.114.150.1
12/10-14:09:51.846411 ARP who-has 216.114.150.14 tell 216.114.150.1
12/10-14:09:52.075625 ARP who-has 216.114.150.39 tell 216.114.150.1
12/10-14:09:52.115505 ARP who-has 216.114.150.65 tell 216.114.150.1
12/10-14:09:52.556177 ARP who-has 216.114.150.76 tell 216.114.150.1
12/10-14:09:52.626311 ARP who-has 216.114.150.4 tell 216.114.150.1
12/10-14:09:52.756210 ARP who-has 216.114.150.75 tell 216.114.150.1
12/10-14:09:52.859388 ARP who-has 216.114.150.14 tell 216.114.150.1
12/10-14:09:52.904371 ARP who-has 216.114.150.72 tell 216.114.150.1
12/10-14:09:53.076040 ARP who-has 216.114.150.39 tell 216.114.150.1
12/10-14:09:53.556296 ARP who-has 216.114.150.76 tell 216.114.150.1
12/10-14:09:53.625616 ARP who-has 216.114.150.4 tell 216.114.150.1
12/10-14:09:53.755632 ARP who-has 216.114.150.75 tell 216.114.150.1
12/10-14:09:53.846807 ARP who-has 216.114.150.14 tell 216.114.150.1
12/10-14:09:53.895600 ARP who-has 216.114.150.72 tell 216.114.150.1
12/10-14:09:54.776215 12.6.231.1 -> 224.0.0.1
IGMP TTL:1 TOS:0xC0 ID:171 IpLen:20 DgmLen:28
11 64 EE 9B 00 00 00 00 .d......
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/10-14:09:54.854848 ARP who-has 216.114.150.39 tell 216.114.150.1
12/10-14:09:54.895579 ARP who-has 216.114.150.72 tell 216.114.150.1
Install and/or run some of the host Intrusion Detection Tools - Tripwire, Osiris, chkrootkit, Rootkit Hunter.
[root@bill home]# cd chkrootkit-0.44
[root@bill chkrootkit-0.44]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.3/i386-linux-thread-multi/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi/auto/mod_perl/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi/auto/Gaim/.packlist /lib/modules/2.6.5-1.358/build/scripts/.modpost.o.cmd /lib/modules/2.6.5-1.358/build/scripts/.pnmtologo.cmd /lib/modules/2.6.5-1.358/build/scripts/.mk_elfconfig.cmd /lib/modules/2.6.5-1.358/build/scripts/.file2alias.o.cmd /lib/modules/2.6.5-1.358/build/scripts/.conmakehash.cmd /lib/modules/2.6.5-1.358/build/scripts/.sumversion.o.cmd /lib/modules/2.6.5-1.358/build/scripts/.kallsyms.cmd /lib/modules/2.6.5-1.358/build/scripts/basic/.split-include.cmd /lib/modules/2.6.5-1.358/build/scripts/basic/.fixdep.cmd /lib/modules/2.6.5-1.358/build/scripts/basic/.docproc.cmd /lib/modules/2.6.5-1.358/build/scripts/.elfconfig.h.cmd /lib/modules/2.6.5-1.358/build/scripts/.empty.o.cmd /lib/modules/2.6.5-1.358/build/scripts/kconfig/.mconf.o.cmd /lib/modules/2.6.5-1.358/build/scripts/kconfig/.conf.o.cmd /lib/modules/2.6.5-1.358/build/scripts/kconfig/.zconf.tab.o.cmd /lib/modules/2.6.5-1.358/build/scripts/kconfig/.libkconfig.so.cmd /lib/modules/2.6.5-1.358/build/scripts/kconfig/.conf.cmd /lib/modules/2.6.5-1.358/build/scripts/.modpost.cmd /lib/modules/2.6.5-1.358/build/scripts/.bin2c.cmd /lib/modules/2.6.5-1.358/build/.config /lib/modules/2.6.9-1.6_FC2/build/scripts/mod/.modpost.o.cmd /lib/modules/2.6.9-1.6_FC2/build/scripts/mod/.mk_elfconfig.cmd /lib/modules/2.6.9-1.6_FC2/build/scripts/mod/.file2alias.o.cmd /lib/modules/2.6.9-1.6_FC2/build/scripts/mod/.sumversion.o.cmd /lib/modules/2.6.9-1.6_FC2/build/scripts/mod/.elfconfig.h.cmd /lib/modules/2.6.9-1.6_FC2/build/scripts/mod/.empty.o.cmd /lib/modules/2.6.9-1.6_FC2/build/scripts/mod/.modpost.cmd /lib/modules/2.6.9-1.6_FC2/build/scripts/.pnmtologo.cmd /lib/modules/2.6.9-1.6_FC2/build/scripts/genksyms/.genksyms.cmd /lib/modules/2.6.9-1.6_FC2/build/scripts/genksyms/.parse.o.cmd 
/lib/modules/2.6.9-1.6_FC2/build/scripts/genksyms/.genksyms.o.cmd /lib/modules/2.6.9-1.6_FC2/build/scripts/genksyms/.lex.o.cmd /lib/modules/2.6.9-1.6_FC2/build/scripts/.conmakehash.cmd /lib/modules/2.6.9-1.6_FC2/build/scripts/.kallsyms.cmd /lib/modules/2.6.9-1.6_FC2/build/scripts/basic/.split-include.cmd /lib/modules/2.6.9-1.6_FC2/build/scripts/basic/.fixdep.cmd /lib/modules/2.6.9-1.6_FC2/build/scripts/basic/.docproc.cmd /lib/modules/2.6.9-1.6_FC2/build/scripts/kconfig/.mconf.o.cmd /lib/modules/2.6.9-1.6_FC2/build/scripts/kconfig/.conf.o.cmd /lib/modules/2.6.9-1.6_FC2/build/scripts/kconfig/.zconf.tab.o.cmd /lib/modules/2.6.9-1.6_FC2/build/scripts/kconfig/.libkconfig.so.cmd /lib/modules/2.6.9-1.6_FC2/build/scripts/kconfig/.conf.cmd /lib/modules/2.6.9-1.6_FC2/build/.config /lib/modules/2.6.9-1.3_FC2/build/scripts/mod/.modpost.o.cmd /lib/modules/2.6.9-1.3_FC2/build/scripts/mod/.mk_elfconfig.cmd /lib/modules/2.6.9-1.3_FC2/build/scripts/mod/.file2alias.o.cmd /lib/modules/2.6.9-1.3_FC2/build/scripts/mod/.sumversion.o.cmd /lib/modules/2.6.9-1.3_FC2/build/scripts/mod/.elfconfig.h.cmd /lib/modules/2.6.9-1.3_FC2/build/scripts/mod/.empty.o.cmd /lib/modules/2.6.9-1.3_FC2/build/scripts/mod/.modpost.cmd /lib/modules/2.6.9-1.3_FC2/build/scripts/.pnmtologo.cmd /lib/modules/2.6.9-1.3_FC2/build/scripts/genksyms/.genksyms.cmd /lib/modules/2.6.9-1.3_FC2/build/scripts/genksyms/.parse.o.cmd /lib/modules/2.6.9-1.3_FC2/build/scripts/genksyms/.genksyms.o.cmd /lib/modules/2.6.9-1.3_FC2/build/scripts/genksyms/.lex.o.cmd /lib/modules/2.6.9-1.3_FC2/build/scripts/.conmakehash.cmd /lib/modules/2.6.9-1.3_FC2/build/scripts/.kallsyms.cmd /lib/modules/2.6.9-1.3_FC2/build/scripts/basic/.split-include.cmd /lib/modules/2.6.9-1.3_FC2/build/scripts/basic/.fixdep.cmd /lib/modules/2.6.9-1.3_FC2/build/scripts/basic/.docproc.cmd /lib/modules/2.6.9-1.3_FC2/build/scripts/kconfig/.mconf.o.cmd /lib/modules/2.6.9-1.3_FC2/build/scripts/kconfig/.conf.o.cmd 
/lib/modules/2.6.9-1.3_FC2/build/scripts/kconfig/.zconf.tab.o.cmd /lib/modules/2.6.9-1.3_FC2/build/scripts/kconfig/.libkconfig.so.cmd /lib/modules/2.6.9-1.3_FC2/build/scripts/kconfig/.conf.cmd /lib/modules/2.6.9-1.3_FC2/build/.config /lib/modules/2.6.8-1.521/build/scripts/mod/.modpost.o.cmd /lib/modules/2.6.8-1.521/build/scripts/mod/.mk_elfconfig.cmd /lib/modules/2.6.8-1.521/build/scripts/mod/.file2alias.o.cmd /lib/modules/2.6.8-1.521/build/scripts/mod/.sumversion.o.cmd /lib/modules/2.6.8-1.521/build/scripts/mod/.elfconfig.h.cmd /lib/modules/2.6.8-1.521/build/scripts/mod/.empty.o.cmd /lib/modules/2.6.8-1.521/build/scripts/mod/.modpost.cmd /lib/modules/2.6.8-1.521/build/scripts/.pnmtologo.cmd /lib/modules/2.6.8-1.521/build/scripts/.conmakehash.cmd /lib/modules/2.6.8-1.521/build/scripts/.kallsyms.cmd /lib/modules/2.6.8-1.521/build/scripts/basic/.split-include.cmd /lib/modules/2.6.8-1.521/build/scripts/basic/.fixdep.cmd /lib/modules/2.6.8-1.521/build/scripts/basic/.docproc.cmd /lib/modules/2.6.8-1.521/build/scripts/kconfig/.mconf.o.cmd /lib/modules/2.6.8-1.521/build/scripts/kconfig/.conf.o.cmd /lib/modules/2.6.8-1.521/build/scripts/kconfig/.zconf.tab.o.cmd /lib/modules/2.6.8-1.521/build/scripts/kconfig/.libkconfig.so.cmd /lib/modules/2.6.8-1.521/build/scripts/kconfig/.conf.cmd /lib/modules/2.6.8-1.521/build/scripts/.bin2c.cmd /lib/modules/2.6.8-1.521/build/.config
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... Checking `rexedcs'... not found
Checking `sniffer'... not tested: can't exec ./ifpromisc
Checking `w55808'... not infected
Checking `wted'... not tested: can't exec ./chkwtmp
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... not tested: can't exec ./chklastlog
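A chkrootkit run is only as good as the checks that actually executed. The run above reports several checks as "not tested" because helper programs such as ./ifpromisc, ./chkwtmp and ./chklastlog could not be executed, prints no verdict at all for `lkm', and dumps a long list of paths under "suspicious files and dirs" that needs a human look. The script below, added as an example and not part of the write-up or of chkrootkit, parses the output into categories so that an untested check is reported as a gap rather than silently counted as clean. The category names, the rule for what counts as a clean run, and the constructed sample (which includes one made-up INFECTED verdict) are the example's own.

```python
"""Triage chkrootkit output: real findings versus checks that never ran.

Added example, not part of the original write-up and not chkrootkit's own code.
The categories, and the rule that an untested check is a gap rather than a pass,
are this example's own. SAMPLE_OUTPUT is constructed from lines like those in
the run above plus one made-up INFECTED verdict.
"""
import re
from collections import defaultdict

# A line may carry more than one check (`lkm' above had no verdict at all).
CHECK_RE = re.compile(r"Checking `([^']+)'\.\.\. ?(.*?)(?=Checking `|$)")
SEARCH_RE = re.compile(r"^Searching for (.+?)\.\.\. ?(.*)$")

SAMPLE_OUTPUT = """\
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `lkm'... Checking `rexedcs'... not found
Checking `sniffer'... not tested: can't exec ./ifpromisc
Checking `w55808'... not infected
Searching for sniffer's logs, it may take a while... nothing found
Searching for suspicious files and dirs, it may take a while...
/lib/modules/2.6.8-1.521/build/.config /usr/lib/perl5/5.8.3/i386-linux-thread-multi/.packlist
Searching for LPD Worm files and dirs... nothing found
Checking `bindshell'... INFECTED (PORTS:  465)
"""


def parse_chkrootkit(text):
    """Return (check_name, verdict) pairs; findings printed on the lines after a
    'Searching for ...' header are folded into that header's verdict."""
    results = []
    pending = None  # a Searching entry still waiting for its verdict
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SEARCH_RE.match(line)
        if m:
            results.append([m.group(1), m.group(2).strip()])
            pending = results[-1] if not m.group(2).strip() else None
            continue
        checks = CHECK_RE.findall(line)
        if checks:
            results.extend([name, verdict.strip()] for name, verdict in checks)
            pending = None
        elif pending is not None:
            pending[1] = (pending[1] + " " + line).strip()
    return [tuple(r) for r in results]


def classify(verdict):
    v = verdict.lower()
    if v.startswith("infected") or v.startswith("warning"):
        return "infected"
    if not v or "not tested" in v or "can't exec" in v:
        return "not_tested"   # the helper could not run: this check proved nothing
    if v in ("not infected", "nothing found", "no suspect files"):
        return "clean"
    if v == "not found":
        return "not_found"    # binary absent on this host, so nothing to infect
    return "review"           # e.g. the path list under "suspicious files and dirs"


def summarize(text):
    """Group check names by category, in output order."""
    groups = defaultdict(list)
    for name, verdict in parse_chkrootkit(text):
        groups[classify(verdict)].append(name)
    return dict(groups)


def run_is_clean(text):
    """Clean only if nothing is infected, nothing needs review and every check ran."""
    groups = summarize(text)
    return not (groups.get("infected") or groups.get("review") or groups.get("not_tested"))


if __name__ == "__main__":
    for category, names in summarize(SAMPLE_OUTPUT).items():
        print(f"{category}: {', '.join(names)}")
    print("clean run:", run_is_clean(SAMPLE_OUTPUT))  # False
```

Feeding the run above through `run_is_clean` would return False even though nothing is reported as infected, because of the untested checks and the unreviewed path list; that is the intended reading of such a run, since the checks that could not execute are exactly the ones that look for sniffers and tampered login records.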