[ossec-list] Re: ZK Rootkit

[Joe Barr <joe@xxxxxxxxxxxx>]

I'm using a preview version of SUSE SLED 10.  

Here is the alert:

<clip>

** Alert 1154021500.0: mail 
2006 Jul 27 12:31:40 Suse10-1->rootcheck
Rule: 14 (level 8) -> 'Rootkit detection engine message'
Src IP: (none)
User: (none)
Rootkit 'ZK' detected by the presence of file
'/etc/sysconfig/console/load.zk'.

</clip>

The contents of the file (it's not a directory)
at /etc/sysconfig/console are:

<clip>

## Path:        Hardware/Console
## Description: Text console settings (see also Hardware/Keyboard)
## Type:	string
## Default:	""
## ServiceRestart: kbd
#
# Console settings.
# Note: The KBD_TTY setting from Hardware/Keyboard (sysconfig/keyboard)
# also applies for the settings here.
#
# Load this console font on bootup:
# (/usr/share/kbd/consolefonts/)
# 
CONSOLE_FONT="lat9w-16.psfu"

## Type:	string
## Default:	""
#
# Some fonts come without a unicode map.
# (.psfu fonts supposedly have it, others often not.)
# You can then specify the unicode mapping of your font 
# explicitly. (/usr/share/kbd/unimaps/)
# Normally not needed.
#
CONSOLE_UNICODEMAP=""

## Type:	string
## Default:	""
#
# Most programs output 8 bit characters, so you need a table to
# translate those characters into unicode. That one can be specified
# here. (/usr/share/kbd/consoletrans/)
# (Note: If your console is in utf-8 mode you don't need this.)
# If your code does not use a unicode mapping at all (because you
# e.g. explicitly specified UNICODEMAP="none") you may circumvent
# the translation via unicode, but load a map which directly maps
# 8 bit output of your program to a font position.
#
CONSOLE_SCREENMAP="trivial"

## Type:	string
## Default:	""
#
# for some fonts the console has to be initialized with CONSOLE_MAGIC.
# CONSOLE_MAGIC can be empty or have the values "(B", ")B", "(K" or
")K".
# Normally not needed (automatically handled by setfont).
#
CONSOLE_MAGIC="(K"
## Path:	System/Console/Framebuffer
## Description:	Framebuffer configuration
## Type:	string
## Default:	""
#
# You may want to load a framebuffer display driver into your kernel
# in order to be able to change graphics modes etc. with fbset in
# console mode.
#
# Notes: Most people won't enter anything here, as:
#   * it won't work if you have vesafb already active
#   * its advantageous to have fb support compiled into your kernel
#   * Some XFree86 drivers (especially in XFree86-4.x) don't work
#     too well, if you enable framebuffer text mode.
#
# Example:
#  FB_MODULES="matroxfb_base vesa=0x182 fv=85 matroxfb_maven
matroxfb_crtc2"
# 
FB_MODULES=""

## Type:        string
## Default:     ""
#
# In case your kernel has framebuffer support (or you loaded the
framebuffer
# support into your kernel as a module above), you may want to change
the
# resolution or other parameters. This is done by secifying the
parameters
# to fbset. Use a mode from /etc/fb-modes and additional parameters as
# -a, -depth <BPP>, -vyres <VYRES>, ... (See fbset manpage and/or fbset
-h).
#
# Notes:
#   * vesafb does not (currently) support changing the display mode
#   * BEWARE! Don't set modes your monitor can't do. Watch out for the
maximum
#     horizontal frequency. Old monitors might even be damaged if you
exceed 
#     their capabilities.
#
# Example:
#   FBSET_PARAMS="-a -depth 16 768x576-90 -vyres 10240"
# 
FBSET_PARAMS=""

# Encoding used for output of non-ascii characters.
#
CONSOLE_ENCODING="UTF-8"

</clip>

Thanks,
Joe







On Sun, 2006-07-30 at 19:51 -0300, Daniel Cid wrote:
> Which operating system are you using (uname -a)? I never saw any
> system using this
> file load.zk, but it can be a false positive (it happened before with
> other files). Can you also show us the content of it?
> 
> Thanks for the report.
> 
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
> 
> On 7/30/06, Joe Barr <joe@xxxxxxxxxxxx> wrote:
> >
> >
> > Has anyone seen false positives on a ZK Rootkit alert referring
> > to /etc/sysconfig/console/load.zk?  I've gotten it twice on a brand new
> > installation, with nothing having been done other than to install
> > OSSEC-HIDS.
> >
> >
> 
>