
Unknown Rootkit Detection - Ur



#1 ag.dabears

ag.dabears

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dinuba, Ca
  • Local time:09:14 PM

Posted 25 April 2016 - 08:58 PM

Does anyone know what Ambient (ARK) Rootkit is? RkHunter has detected it on my Linux system.

Edit: Moved topic from Virus, Trojan, Spyware, and Malware Removal Logs to the more appropriate (Linux) forum, because none of the tools available in the Virus, Trojan, Spyware, and Malware Removal Logs forum can be used with a Linux OS. ~ Animal


#2 raw


Posted 25 April 2016 - 11:41 PM

Please provide the details of your system. (OS name and version)

As this could be a false positive, would you mind doing a scan with 'chkrootkit'?

Also open a terminal window and type:

cd /tmp

ls (that's the letters L and S, lowercase)

Post back with the results.



 rawcreations.net          @raw_creations


Current systems: WHAT OS, BackTrack-raw, PCLinuxOS, Peppermint OS 6, Kali Linux

and a custom Linux From Scratch server hosting a bunch of top secret stuff.


#3 Linux_User


Posted 26 April 2016 - 10:22 AM

It's HIGHLY likely this is a false positive .. you can see what ARK 1.0 and 1.0.1 replaced here:

https://packetstormsecurity.com/UNIX/penetration/rootkits/page8/

WARNING .. if you decide to download the archives on that page, DO NOT run any of the included binaries .. in fact there's no need to download the archive (or even visit the page), it lists the binaries that are replaced, so you just need to check these:-

 

syslogd, login, sshd, ls, du, ps, pstree, killall, and netstat

 

haven't been replaced on your system.

 

I guess you can either reinstall those, or check their hashes against known good versions.

 

ARK dates from 2000, so the chances of you actually being backdoored are small .. but worth checking nonetheless.


Edited by Linux_User, 26 April 2016 - 10:31 AM.
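The check Linux_User describes (confirm that the binaries ARK replaces still match known-good copies) can be scripted. The script below is an added example written for this thread; it is not from any poster, RkHunter or chkrootkit. It assumes a manifest in sha256sum's "hash  path" format taken from a trusted source (install media or a clean package archive, never from the suspect host itself), and that the package manager is dpkg or rpm. Because ARK replaces ls and friends, a tampered host could also have a tampered sha256sum, so the trustworthy way to run this is from a live CD with the suspect filesystem mounted, adjusting the paths accordingly.

```shell
#!/bin/sh
# Added example (not part of the thread): verify the binaries ARK 1.0/1.0.1
# replaces against a known-good SHA-256 manifest, then ask the package manager
# to verify the packages that own them.

# Binaries the thread lists as replaced by ARK (assumed to be on PATH).
ARK_BINARIES="syslogd login sshd ls du ps pstree killall netstat"

# hash_file PATH: SHA-256 of the file, or "missing" if it is not present.
hash_file() {
    if [ -f "$1" ]; then
        sha256sum "$1" | cut -d' ' -f1
    else
        echo missing
    fi
}

# resolve_bin NAME: installed path of a command (empty if not installed).
resolve_bin() {
    command -v "$1" 2>/dev/null || true
}

# check_manifest MANIFEST: each line is "<sha256>  <path>" (sha256sum format).
# Prints OK / MODIFIED / MISSING per entry; returns 1 if any entry is not OK.
check_manifest() {
    manifest=$1
    rc=0
    while read -r expected path; do
        [ -z "$path" ] && continue
        actual=$(hash_file "$path")
        if [ "$actual" = missing ]; then
            echo "MISSING  $path"; rc=1
        elif [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MODIFIED $path"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# build_manifest OUT: record the current hashes of the ARK binary list.
# Only meaningful as a baseline taken on a system known to be clean.
build_manifest() {
    : > "$1"
    for name in $ARK_BINARIES; do
        p=$(resolve_bin "$name")
        [ -n "$p" ] && printf '%s  %s\n' "$(hash_file "$p")" "$p" >> "$1"
    done
    return 0
}

# package_verify: let the package manager check every file of the packages
# owning the listed binaries (Debian: dpkg --verify, RPM: rpm -V). Any line
# of output is a difference from the packaged file and deserves a look.
package_verify() {
    for name in $ARK_BINARIES; do
        p=$(resolve_bin "$name")
        [ -n "$p" ] || continue
        if command -v dpkg >/dev/null 2>&1; then
            pkg=$(dpkg -S "$p" 2>/dev/null | cut -d: -f1)
            if [ -n "$pkg" ]; then
                dpkg --verify $pkg || echo "$pkg: differences reported"
            fi
        elif command -v rpm >/dev/null 2>&1; then
            pkg=$(rpm -qf "$p" 2>/dev/null)
            if [ -n "$pkg" ]; then
                rpm -V "$pkg" || echo "$pkg: differences reported"
            fi
        fi
    done
    return 0
}

# Usage: sh check_ark.sh build baseline.txt   (on a clean system)
#        sh check_ark.sh check baseline.txt   (on the suspect system)
#        sh check_ark.sh verify               (package-manager check only)
case "${1:-}" in
    build)  build_manifest "$2" ;;
    check)  check_manifest "$2"; package_verify ;;
    verify) package_verify ;;
esac
```

A MODIFIED or MISSING line, or any output from dpkg --verify / rpm -V, does not by itself prove a rootkit (a locally rebuilt package or a distro patch can produce the same), but it is the point at which reinstalling the affected package from trusted media is the sensible next step.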




