Leonardo Vilela Pinheiro
2006-Dec-22 10:02 UTC
[CentOS] chkrootkit reporting possible LKM trojan
How can I be sure if it is LKM or not?

Today I've run chkrootkit and it gave me:

Checking `lkm'... You have 179 process hidden for readdir command
You have 179 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed

Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 3206 tty1 /sbin/mingetty tty1
! root 3285 tty2 /sbin/mingetty tty2
! root 3337 tty3 /sbin/mingetty tty3
! root 3388 tty4 /sbin/mingetty tty4
! root 3439 tty5 /sbin/mingetty tty5

Those hidden ttys can be "su -" sessions that I have just started. The computer has just been restarted, and I have just opened those su sessions.

There are also some "hidden files", all of them named .packlist and .exists. Everything else is fine.

rkhunter looks fine.

" rpm -Va kernel* " looks fine.

Remote user access is being controlled through /etc/ssh/sshd_config in a user-host fashion.

Thanks in advance.

--
Vilela
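The chkproc test in chkrootkit compares three views of the process table: the PIDs returned by readdir on /proc, the PIDs printed by ps, and the PIDs that answer a signal probe. Anything that answers the probe but is missing from the listings is counted as "hidden". On a 2.6 kernel with NPTL, thread ids answer such probes but are not listed by readdir, so a busy box can produce a large count of "hidden" entries that are just threads of listed processes. The script below is an added example, not code from this thread or from chkrootkit; it repeats the three-way comparison and then disambiguates each unlisted PID by opening /proc/<pid>/status (Linux serves that path for a thread id even though readdir omits it) and checking whether Tgid differs from Pid. It assumes Linux /proc semantics and a ps that accepts -e -o pid=; pid_max falls back to a constructed default if /proc/sys/kernel/pid_max is unreadable.

```python
"""Three-way process-table comparison with thread-vs-hidden disambiguation."""
import errno
import os
import subprocess

PID_MAX_DEFAULT = 32768  # assumed fallback; /proc/sys/kernel/pid_max is read when available


def parse_status(status_text: str) -> dict:
    """Parse the 'Key:\tvalue' lines of a /proc/<pid>/status file into a dict."""
    fields = {}
    for line in status_text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def classify_unlisted(pid: int, status_text: str) -> str:
    """Classify a PID that answers kill(pid, 0) but is absent from readdir(/proc) and ps.
    Tgid != Pid means it is a thread of a listed process (benign); Tgid == Pid means the
    kernel regards it as a process that nothing listed (worth investigating)."""
    fields = parse_status(status_text)
    try:
        tgid = int(fields["Tgid"])
    except (KeyError, ValueError):
        return "unknown"
    return "thread" if tgid != pid else "hidden"


def unlisted_pids(probe_hits: set, readdir_pids: set, ps_pids: set) -> set:
    """PIDs that exist according to the signal probe but appear in neither listing."""
    return probe_hits - (readdir_pids | ps_pids)


def pids_via_readdir(proc: str = "/proc") -> set:
    """PIDs visible by listing the /proc directory (the readdir view)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pids_via_ps() -> set:
    """PIDs visible to ps(1)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def pids_via_probe(pid_max: int) -> set:
    """PIDs the kernel acknowledges: kill(pid, 0) succeeds, or fails with EPERM
    (exists but belongs to another user). ESRCH means no such task."""
    hits = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
            hits.add(pid)
        except OSError as e:
            if e.errno == errno.EPERM:
                hits.add(pid)
    return hits


def read_pid_max(default: int = PID_MAX_DEFAULT) -> int:
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except (OSError, ValueError):
        return default


def main():
    readdir_pids = pids_via_readdir()
    ps_pids = pids_via_ps()
    probe_hits = pids_via_probe(read_pid_max())
    report = {"thread": [], "hidden": [], "unknown": []}
    for pid in sorted(unlisted_pids(probe_hits, readdir_pids, ps_pids)):
        try:
            with open(f"/proc/{pid}/status") as f:
                kind = classify_unlisted(pid, f.read())
        except OSError:
            kind = "unknown"  # task exited between probe and read, or status unreadable
        report[kind].append(pid)
    print(f"unlisted ids that are threads (benign): {len(report['thread'])}")
    print(f"unlisted ids that vanished or were unreadable: {report['unknown']}")
    print(f"alive PIDs absent from both /proc and ps: {report['hidden']}")


if __name__ == "__main__":
    main()
```

Run it as root so that every /proc/<pid>/status is readable; a large "threads" count with an empty "hidden" list is the benign outcome that matches the chkproc warning above, while any PID in the "hidden" list deserves a closer look with the ps and lsof output for that id. The probe loop walks every id up to pid_max, so on systems with a very large pid_max it takes a few seconds.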
Leonardo Vilela Pinheiro
2006-Dec-22 10:05 UTC
[CentOS] Re: chkrootkit reporting possible LKM trojan
On 12/22/06, Leonardo Vilela Pinheiro <leopinheiro at gmail.com> wrote:
> How can I be sure if it is LKM or not?
>
> Today I've run chkrootkit and it gave me:
>
> Checking `lkm'... You have 179 process hidden for readdir command
> You have 179 process hidden for ps command
> chkproc: Warning: Possible LKM Trojan installed
>
> Checking `chkutmp'... The tty of the following user process(es) were not found
> in /var/run/utmp !
> ! RUID PID TTY CMD
> ! root 3206 tty1 /sbin/mingetty tty1
> ! root 3285 tty2 /sbin/mingetty tty2
> ! root 3337 tty3 /sbin/mingetty tty3
> ! root 3388 tty4 /sbin/mingetty tty4
> ! root 3439 tty5 /sbin/mingetty tty5
>
> Those hidden ttys can be "su -" sessions that I have just started. The
> computer has just been restarted, and I have just opened those su
> sessions.
>
> There are also some "hidden files", all of them named .packlist and
> .exists. Everything else is fine.
>
> rkhunter looks fine.
>
> " rpm -Va kernel* " looks fine.
>
> Remote user access is being controlled through /etc/ssh/sshd_config
> in a user-host fashion.
>
> Thanks in advance.
>
> --
> Vilela
>

It is a CentOS 4.4 box.

--
Vilela