# Possible Rootkit detected.

## marstonis

OK, so after doing my weekly rootkit checks, I came across this. I have not seen this one before, though I have installed quite a few things lately.

In short, is it anything to be getting worried about?

*Quote:*

> lorelai samantha # chkrootkit
> 
> ROOTDIR is `/'
> 
> Checking `amd'... not found
> ...


Many thanks, in anticipation.

----------

## bunder

From what I read on Google, that can happen if cron or some other process started during the scan, but I've also seen false positives from screen. Just something to think about...

cheers

----------

## marstonis

Hehe, not nice though. I ran it three times after you posted that (after killing a few non-essential processes) then three times after putting them back up. I did not get a single report back from the same first attempt. Funny one that.

Thanks for your help, appreciated.

----------

## marstonis

Just to lead on from this, and I know this might seem odd, though go with it for now. Would anybody be so kind as to please knock up a quick script that will MD5 -everything- then pipe the output to a text file? Not entirely sure my method is the best way to go about this, so let's see.

Many thanks once again.

----------

## Hu

MD5 is a broken algorithm. I have substituted SHA1 instead. If you really want to use MD5, run `md5sum` instead of `sha1sum` in this fragment.

I am not sure what you hope to achieve by collecting all those checksums, but try this: `find / -type f -print0 | xargs --null sha1sum >/dev/tcp/some-trusted-IP/port-on-trusted-IP`. This requires bash for the network redirect. Since you want to check every file, the easiest way not to check the checksum file is to route it off to some other host. You could also mount a tmpfs and use `find / -type f ! -fstype tmpfs -print0` to avoid descending into the tmpfs.

----------