Chkrootkit suspicious files? [SOLVED]

Started by wtebv, November 12, 2021, 10:04:41 PM


wtebv

I use chkrootkit to keep my system clean. I am a new (and happy) Linux user. I use Linux Mint 20.2.
The chkrootkit scan is clean, except for a few "suspicious files", as it calls them, which are the following ones:

/usr/lib/python3/dist-packages/tldextract/.tld_set_snapshot
/usr/lib/jvm/.java-1.11.0-openjdk-amd64.jinfo
/usr/lib/modules/5.4.0-90-generic/vdso/.build-id
/usr/lib/modules/5.4.0-89-generic/vdso/.build-id
/usr/lib/modules/5.4.0-74-generic/vdso/.build-id
/usr/lib/debug/.dwz /usr/lib/debug/.build-id
/usr/lib/modules/5.4.0-90-generic/vdso/.build-id
/usr/lib/modules/5.4.0-89-generic/vdso/.build-id
/usr/lib/modules/5.4.0-74-generic/vdso/.build-id
/usr/lib/debug/.dwz /usr/lib/debug/.build-id

Are they dangerous? I checked a few of them, but cannot really say (I am too new to this) if/how they are dangerous.
Thanks very much for your help.

Keith

Hi Wtebv - and welcome to the Forum.

They are fine.  I found this explanation:
"vDSO (virtual dynamically linked shared object) is a Linux kernel mechanism for exporting a carefully selected set of kernel space routines to user space applications so that applications can call these kernel space routines in-process, without incurring the performance penalty of a context switch that is inherent when calling these same kernel space routines by means of the system call interface."
There is more information here: https://askubuntu.com/questions/856398/what-exactly-is-lib-modules-4-4-0-xx-generic-vdso-build-id#856411

The other files are probably also OK.  But note that chkrootkit does seem to produce a lot of false positives.
I am not familiar with the software, but I would only worry about any definite problem files it complains about.

Hope that helps.
Keith
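The check a practitioner would want here is a way to separate the documented false positives (hidden files in well-known locations that legitimately start with a dot) from anything that actually needs a look. The script below is an added example, not part of this thread or of chkrootkit: it parses the "suspicious files" list the way chkrootkit prints it (several paths per line, separated by spaces), drops duplicates, matches each path against a small constructed allowlist of known-benign locations, optionally asks `dpkg -S` which installed package owns the rest, and leaves everything unexplained in a "review" bucket. The sample output, the allowlist patterns and the `/tmp/.example-unexpected` path are all constructed for this example.

```python
"""Triage helper for the 'suspicious files and dirs' that chkrootkit reports.

Added example, not code from the forum thread or from chkrootkit.  Paths are
sorted into three buckets:
  * 'known-benign': matches a documented false-positive location
                    (kernel vDSO .build-id dirs, debug .dwz/.build-id,
                    OpenJDK .jinfo, tldextract's .tld_set_snapshot);
  * 'packaged'    : owned by an installed package according to `dpkg -S`
                    (only consulted when dpkg exists on the system);
  * 'review'      : everything else; look at it by hand.
"""
import re
import shutil
import subprocess
from typing import Dict, List

# Constructed allowlist.  Every pattern is anchored to one well-known location,
# so a similarly named hidden file dropped elsewhere is still reported.
KNOWN_BENIGN = [
    re.compile(r"^/usr/lib/modules/[^/]+/vdso/\.build-id$"),
    re.compile(r"^/usr/lib/debug/\.(dwz|build-id)$"),
    re.compile(r"^/usr/lib/jvm/\.java-[^/]+\.jinfo$"),
    re.compile(r"^/usr/lib/python3/dist-packages/tldextract/\.tld_set_snapshot$"),
]


def parse_suspicious_paths(output: str) -> List[str]:
    """Return the flagged paths, one per entry, in first-seen order.

    chkrootkit prints several paths on one line separated by spaces, so the
    text is split on whitespace; only absolute paths are kept, which skips the
    surrounding prose.  Duplicate entries (the tool can list a path twice) are
    dropped.
    """
    seen = set()
    paths = []
    for token in output.split():
        if token.startswith("/") and token not in seen:
            seen.add(token)
            paths.append(token)
    return paths


def is_known_benign(path: str) -> bool:
    return any(pattern.match(path) for pattern in KNOWN_BENIGN)


def owning_package(path: str) -> str:
    """Package that owns `path` per `dpkg -S`, or '' if unknown / no dpkg."""
    if shutil.which("dpkg") is None:
        return ""
    result = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True)
    if result.returncode != 0:
        return ""
    # dpkg -S prints "package[:arch]: /path"; keep only the package name.
    return result.stdout.split(":", 1)[0].strip()


def classify(paths: List[str], use_dpkg: bool = True) -> Dict[str, List[str]]:
    buckets: Dict[str, List[str]] = {"known-benign": [], "packaged": [], "review": []}
    for path in paths:
        if is_known_benign(path):
            buckets["known-benign"].append(path)
        elif use_dpkg and owning_package(path):
            buckets["packaged"].append(path)
        else:
            buckets["review"].append(path)
    return buckets


# Constructed sample modelled on the output quoted in the thread, plus one
# made-up path under /tmp that must not be waved through.
SAMPLE_OUTPUT = """\
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/python3/dist-packages/tldextract/.tld_set_snapshot
/usr/lib/jvm/.java-1.11.0-openjdk-amd64.jinfo
/usr/lib/modules/5.4.0-90-generic/vdso/.build-id
/usr/lib/debug/.dwz /usr/lib/debug/.build-id
/usr/lib/modules/5.4.0-90-generic/vdso/.build-id
/tmp/.example-unexpected
"""

if __name__ == "__main__":
    for bucket, items in classify(parse_suspicious_paths(SAMPLE_OUTPUT)).items():
        print(f"[{bucket}]")
        for item in items:
            print("   ", item)
```

On a real system you would feed it the saved chkrootkit output instead of `SAMPLE_OUTPUT`; anything that lands in "review" is the short list worth investigating further (for example with `dpkg --verify` on the owning package, or by checking whether the file is referenced by any running process).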


wtebv

Thanks Keith, it does help a lot. I still feel funny about the first file (at least on a curiosity level), which is a list of stuff like this (small excerpt, the list is gigantic)...
"attorney",
  "okazaki.aichi.jp",
  "crown",
  "valledaosta.it",
  "tsuiki.fukuoka.jp",
  "fox",
  "tcm.museum",
... and so so many other lines with some similar apparent nonsense - or at least looks like nonsense to me.
Does anybody have an idea what kind of stuff this is, to be in a /lib file??
Thanks again for your patience with a post-Windows newbie.


Keith

/usr/lib/python3/dist-packages/tldextract/.tld_set_snapshot

I found this at https://linux.jangnan.org/dsc/main/tldextract/python3-tldextract/python3-tldextract.html:
Python library for separating TLDs
tldextract accurately separates the gTLD or ccTLD (generic or country code top-level domain) from the registered domain and subdomains of a URL. By default, this package supports the public ICANN TLDs and their exceptions, with optional support for the Public Suffix List's private domains as well. This package installs the library for Python 3.


Which I take to mean that it's for sorting out complicated web addresses. The .tld_set_snapshot appears to include the Japan country code "jp", which supports this idea.

Keith
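To show why entries like "okazaki.aichi.jp" or "tcm.museum" belong in that file, here is a small added example of what a Public Suffix List lookup does; it is not code from the thread or from the tldextract project. Given a hostname and a set of known public suffixes, it finds the longest suffix in the set and treats the label immediately to its left as the registered domain. The suffix set is a constructed excerpt of a few entries; a real snapshot contains thousands. The example also shows the naive "last two labels" rule beside it, because that rule gets the registered domain wrong for multi-label suffixes, which is exactly the case where cookie scoping and same-site decisions go wrong.

```python
"""Longest-suffix matching against a (tiny, constructed) public suffix set.

Added example, not code from the thread or from tldextract.  Demonstrates the
rule behind files such as .tld_set_snapshot: a registered domain is the label
directly left of the longest known public suffix.
"""
from typing import FrozenSet, NamedTuple


class ExtractResult(NamedTuple):
    subdomain: str
    domain: str
    suffix: str

    @property
    def registered_domain(self) -> str:
        """'example.co.uk' style value, or '' when nothing is registrable."""
        if self.domain and self.suffix:
            return f"{self.domain}.{self.suffix}"
        return ""


# Constructed excerpt of a public suffix set; some suffixes are several labels deep.
PUBLIC_SUFFIXES: FrozenSet[str] = frozenset({
    "com", "org", "jp", "it", "uk", "co.uk", "museum",
    "aichi.jp", "okazaki.aichi.jp", "fukuoka.jp", "tsuiki.fukuoka.jp",
    "valledaosta.it", "tcm.museum",
})


def extract(hostname: str, suffixes: FrozenSet[str] = PUBLIC_SUFFIXES) -> ExtractResult:
    """Split hostname into (subdomain, domain, suffix) by longest suffix match."""
    labels = hostname.lower().rstrip(".").split(".")
    # Grow the candidate suffix from the right; remember the longest one listed.
    suffix_len = 0
    for i in range(len(labels) - 1, -1, -1):
        if ".".join(labels[i:]) in suffixes:
            suffix_len = len(labels) - i
    if suffix_len == 0:
        return ExtractResult("", "", "")          # unknown suffix: nothing registrable
    cut = len(labels) - suffix_len
    suffix = ".".join(labels[cut:])
    rest = labels[:cut]
    if not rest:
        return ExtractResult("", "", suffix)      # the hostname *is* a public suffix
    return ExtractResult(".".join(rest[:-1]), rest[-1], suffix)


def naive_two_label(hostname: str) -> str:
    """The tempting shortcut: take the last two labels as 'the domain'."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


if __name__ == "__main__":
    for host in ("www.example.okazaki.aichi.jp", "example.co.uk", "a.b.example.com"):
        r = extract(host)
        print(f"{host:32} PSL: {r.registered_domain:28} naive: {naive_two_label(host)}")
```

For `www.example.okazaki.aichi.jp` the suffix-aware split yields `example.okazaki.aichi.jp` as the registered domain, while the two-label shortcut returns `aichi.jp`, a public suffix shared by many unrelated sites; that difference is why the list has to enumerate such names.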





wtebv

Keith, thanks so much. All clear. You also pointed me to some more resources I can browse for other issues. Much appreciated.
I have just enrolled in a Linux Foundation's online course, so possibly my ignorance will be dissipated a bit more sometime soon(ish).
Thanks again.


Keith

Wtebv,

You are most welcome.
I am pleased that you have enrolled on the on-line course and I hope you will give us some feedback about it in the General Discussion board when you are part-way through.

Oh, and would you please edit the title of your first post on this topic by adding [SOLVED] to help others looking for the same explanation.
Thank you.
Keith
