The most recent stable version of rkhunter failed to detect Jynx on my machine. The rootkit was not installed in one of the typical locations "/xochikit" or "/omgxochi", but resided in "/var/local/^^" instead. Reading "/var/local" with "ls" was prevented by the rootkit (it resulted in an error). Also, "/etc/ld.so.preload" was made invisible by the rootkit. I was able to detect the rootkit by running "ldd" against any executable, which listed the library "ld_poison.so" as a prerequisite. "lsof | grep ld_poison" showed that the library was loaded by many processes. Furthermore, launching 32-bit executables showed an error that "ld_poison.so" could not be loaded, because the OS was 64-bit and the library obviously was, too. 32-bit executables ran fine regardless. I suggest that the detection mechanism of rkhunter be extended by the methods which allowed me to detect the presence of the rootkit. I am sorry, I cannot provide logs, because the OS has been wiped. If you have any questions, I will do my best to answer them, though.
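The two symptoms in the report (an unexpected library in every "ldd" listing, and a file that exists but is missing from its directory listing) can be turned into a small POSIX shell check. The script below is an added example written for this discussion; it is not rkhunter code and not something the reporter posted. The sample "ldd" output is constructed to mirror what the report describes, with the library path "/var/local/^^/ld_poison.so" taken from the report and the load addresses as placeholders. It assumes standard libraries live under /lib, /lib32, /lib64 or /usr/lib*, which is a heuristic: an LD_PRELOAD rootkit also hooks the shell, "ls" and "awk" that run this check, so a clean result from a live system is only meaningful when the tools come from a statically linked toolkit or rescue media.

```shell
#!/bin/sh
# Added example (not rkhunter's code, not the reporter's). Implements two
# preload-rootkit indicators as shell functions:
#   1. ldd lists a library resolved to a path outside the system library dirs
#   2. a file that stat() can see but the directory listing does not show

# suspicious_libs: read ldd output on stdin and print "name => path" for every
# resolved library whose path is outside /lib, /lib32, /lib64 or /usr/lib*.
# Lines without "=>" (the vdso and the dynamic loader itself) are skipped.
suspicious_libs() {
    awk '$2 == "=>" && NF >= 3 {
        path = $3
        if (path !~ /^\/(usr\/)?lib(32|64)?\//) print $1 " => " path
    }'
}

# hidden_in_dir DIR NAME: returns 0 when DIR/NAME exists according to the
# shell's stat test but is absent from "ls -A DIR" (the readdir-hiding
# symptom the report describes for /etc/ld.so.preload), otherwise 1.
hidden_in_dir() {
    dir=$1
    name=$2
    [ -e "$dir/$name" ] || return 1
    ls -A "$dir" 2>/dev/null | grep -qx -- "$name" && return 1
    return 0
}

# scan_binary BIN: run ldd on BIN and report suspicious libraries.
# Returns 0 if none were found, 1 if some were, 2 if ldd is unavailable.
scan_binary() {
    command -v ldd >/dev/null 2>&1 || { echo "ldd not available" >&2; return 2; }
    found=$(ldd "$1" 2>/dev/null | suspicious_libs)
    [ -z "$found" ] && return 0
    printf 'suspicious libraries linked into %s:\n%s\n' "$1" "$found"
    return 1
}

# Constructed sample of what ldd printed on the infected host. The library
# name and path come from the report; the addresses are placeholders.
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffc00000000)
	ld_poison.so => /var/local/^^/ld_poison.so (0x00007f0000000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000100000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f0000200000)'

# Run the first check against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_LDD" | suspicious_libs
```

On a live host, "scan_binary /bin/ls" (or any other executable, as the report notes) runs the same filter over real "ldd" output, and "hidden_in_dir /etc ld.so.preload" reproduces the invisible-preload-file check. Running the scan over a handful of unrelated binaries and seeing the same foreign library in each one is the pattern that distinguishes a preloaded library from a legitimately linked one.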