Author Topic: Chkrootkit suspicious files? [SOLVED]  (Read 225 times)

wtebv
Chkrootkit suspicious files? [SOLVED]
« on: November 12, 2021, 10:04:41 pm »
I use chkrootkit to keep my system clean. I am a new (and happy) Linux user. I use Linux Mint 20.2.
The chkrootkit scan is clean, except for a few suspicious files, as it calls them, which are the following:

/usr/lib/python3/dist-packages/tldextract/.tld_set_snapshot
/usr/lib/jvm/.java-1.11.0-openjdk-amd64.jinfo
/usr/lib/modules/5.4.0-90-generic/vdso/.build-id
/usr/lib/modules/5.4.0-89-generic/vdso/.build-id
/usr/lib/modules/5.4.0-74-generic/vdso/.build-id
/usr/lib/debug/.dwz /usr/lib/debug/.build-id
/usr/lib/modules/5.4.0-90-generic/vdso/.build-id
/usr/lib/modules/5.4.0-89-generic/vdso/.build-id
/usr/lib/modules/5.4.0-74-generic/vdso/.build-id
/usr/lib/debug/.dwz /usr/lib/debug/.build-id

Are they dangerous? I checked a few of them, but cannot really say (am too new to this) if/how they are dangerous.
Thanks very much for your help.
« Last Edit: November 17, 2021, 11:07:38 am by wtebv »

Keith
Re: Chkrootkit suspicious files?
« Reply #1 on: November 13, 2021, 12:15:33 pm »
Hi Wtebv - and welcome to the Forum.

They are fine.  I found this explanation:
"vDSO (virtual dynamically linked shared object) is a Linux kernel mechanism for exporting a carefully selected set of kernel space routines to user space applications so that applications can call these kernel space routines in-process, without incurring the performance penalty of a context switch that is inherent when calling these same kernel space routines by means of the system call interface."
There is more information here: https://askubuntu.com/questions/856398/what-exactly-is-lib-modules-4-4-0-xx-generic-vdso-build-id#856411

The other files are probably also OK. But note that chkrootkit does seem to produce a lot of false positives.
I am not familiar with the software but I would only worry about any definite problem files it complains about.

Keith



Hope that helps.
   Keith
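One way to follow up on a report like the one in this thread, added here as an example and not part of any poster's reply: ask the package manager which package owns each flagged path. It assumes a Debian-family system with `dpkg` and paths without spaces; the function names and the `OWNER_LOOKUP` hook are hypothetical.

```shell
#!/bin/sh
# Added example: triage hidden paths that chkrootkit lists as "suspicious".
# Assumes a Debian-family system (dpkg) and paths without spaces.

# Split the report into one unique path per line; chkrootkit may put several
# paths on one line and repeat entries.
flagged_paths() {
    tr -s ' \t' '\n\n' | grep '^/' | sort -u
}

# Default package lookup. OWNER_LOOKUP is a hypothetical hook so the logic can
# be exercised on a machine without dpkg.
dpkg_owner() {
    dpkg -S "$1" 2>/dev/null | head -n 1 | cut -d: -f1
}
OWNER_LOOKUP=${OWNER_LOOKUP:-dpkg_owner}

# dpkg records the path a package shipped. Where /lib is a symlink to /usr/lib
# (merged /usr), a file reported under /usr/lib/modules/... is recorded as
# /lib/modules/..., so retry the lookup without the /usr prefix.
owner_of() {
    pkg=$($OWNER_LOOKUP "$1")
    if [ -z "$pkg" ]; then
        case $1 in
            /usr/lib/*|/usr/bin/*|/usr/sbin/*) pkg=$($OWNER_LOOKUP "${1#/usr}") ;;
        esac
    fi
    printf '%s\n' "$pkg"
}

# Read a report on stdin; print "packaged <path> <pkg>" or "UNOWNED <path>".
triage() {
    flagged_paths | while IFS= read -r p; do
        pkg=$(owner_of "$p")
        if [ -n "$pkg" ]; then
            printf 'packaged\t%s\t%s\n' "$p" "$pkg"
        else
            printf 'UNOWNED\t%s\n' "$p"
        fi
    done
}

# Run only when asked, e.g.:  sh triage.sh --stdin < report.txt
if [ "${1:-}" = "--stdin" ]; then triage; fi
```

An `UNOWNED` line is a prompt to look at the file, not a verdict. For packaged files, `dpkg --verify <package>` compares the installed files with the checksums the package recorded.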


wtebv
Re: Chkrootkit suspicious files?
« Reply #2 on: November 13, 2021, 07:45:51 pm »
Thanks Keith, it does help a lot. I still feel funny about the first file (at least on a curiosity level), which is a list of stuff like this (small excerpt, the list is gigantic)...
"attorney",
  "okazaki.aichi.jp",
  "crown",
  "valledaosta.it",
  "tsuiki.fukuoka.jp",
  "fox",
  "tcm.museum",
... and so so many other lines with some similar apparent nonsense - or at least looks like nonsense to me.
Does anybody have an idea what kind of stuff is this to be in a /lib file??
Thanks again for your patience with a post-Windows newbie.


Keith
Re: Chkrootkit suspicious files?
« Reply #3 on: November 14, 2021, 02:36:11 pm »
/usr/lib/python3/dist-packages/tldextract/.tld_set_snapshot

I found this at https://linux.jangnan.org/dsc/main/tldextract/python3-tldextract/python3-tldextract.html:
Python library for separating TLDs
tldextract accurately separates the gTLD or ccTLD (generic or country code top-level domain) from the registered domain and subdomains of a URL. By default, this package supports the public ICANN TLDs and their exceptions, with optional support for the Public Suffix List's private domains as well. This package installs the library for Python 3.


Which I take to mean that it's for sorting out complicated web addresses. The .tld_set_snapshot appears to include the Japan country code "jp", which supports this idea.

Keith





wtebv
Re: Chkrootkit suspicious files?
« Reply #4 on: November 15, 2021, 09:28:12 am »
Keith, thanks so much. All clear. You also pointed me to some more resources I can browse for other issues. Much appreciated.
I have just enrolled in a Linux Foundation online course, so possibly my ignorance will be dissipated a bit more sometime soon(ish).
Thanks again.


Keith
Re: Chkrootkit suspicious files?
« Reply #5 on: November 15, 2021, 10:51:54 am »
Wtebv,

You are most welcome. 
I am pleased that you have enrolled on the on-line course and I hope you will give us some feedback about it in the General Discussion board when you are part-way through. 

Oh, and would you please edit the title of your first post on this topic by adding [SOLVED] to help others looking for the same explanation. 
Thank you.
  Keith

Rich J
Re: Chkrootkit suspicious files? [SOLVED]
« Reply #6 on: November 18, 2021, 08:20:46 am »