chkrootkit 4 process hidden - Am I really infected?
I just ran chkrootkit to check the server integrity and I saw the following:
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... You have 4 process hidden for readdir command
So I immediately ran ./chkrootkit -x lkm, and below are the results:
ROOTDIR is `/'
### Output of: ./chkproc -v -v -p 1
PID 4917(/proc/4917): not in readdir output
PID 4917: not in ps output
CWD 4917: /
EXE 4917: /usr/sbin/clamd
PID 6233(/proc/6233): not in readdir output
PID 6233: not in ps output
CWD 6233: /
EXE 6233: /usr/sbin/named
PID 6234(/proc/6234): not in readdir output
PID 6234: not in ps output
CWD 6234: /
EXE 6234: /usr/sbin/named
PID 6235(/proc/6235): not in readdir output
PID 6235: not in ps output
CWD 6235: /
EXE 6235: /usr/sbin/named
You have 4 process hidden for readdir command
You have 4 process hidden for ps command
I am not yet completely versed in Linux admin, so I was hoping that someone could shed some light on this for me and let me know whether or not I am really infected here, and if so, how to get rid of them.
Depending on the OS you are using, you may be using an NPTL-enabled operating system, on which this is a common thing to see, because chkrootkit does not take POSIX threads into account.
Steven Ciaburri | Industry's Best Server Management- Rack911.com
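The thread explanation in the reply can be checked per ID: on Linux, thread IDs are not listed when /proc is read as a directory, and a thread's /proc/<id>/status shows a Tgid that differs from the ID itself. The script below is an added example, not part of the original thread or of chkrootkit; the fake proc root, the parent IDs 4916 and 6232, and the IDs 7000 and 8000 are constructed so the demo runs offline.

```shell
#!/bin/sh
# Added example. Assumes Linux procfs: /proc/<id>/status carries Pid: and Tgid:.

# Print every ID that chkproc flagged "not in readdir output" (stdin = chkproc -v output).
extract_pids() {
    sed -n 's/^PID \([0-9][0-9]*\)(.*): not in readdir output$/\1/p'
}

# classify_pid ID [PROCROOT] -> "thread-of:<tgid>", "process" or "gone".
classify_pid() {
    status="${2:-/proc}/$1/status"
    [ -r "$status" ] || { echo "gone"; return 0; }
    tgid=$(awk '$1 == "Tgid:" { print $2 }' "$status")
    if [ -n "$tgid" ] && [ "$tgid" != "$1" ]; then
        echo "thread-of:$tgid"      # a thread ID: normal to be absent from readdir(/proc)
    else
        echo "process"              # a thread-group leader missing from readdir: investigate
    fi
}

# triage [PROCROOT]: chkproc output on stdin -> one "ID verdict" line per flagged ID.
triage() {
    extract_pids | while read -r id; do
        echo "$id $(classify_pid "$id" "${1:-/proc}")"
    done
}

# Constructed fixture: a fake proc root so the demo runs on any system.
# The parent IDs 4916 and 6232 and the ID 7000 are made up for the demo.
make_fixture() {
    dir=$(mktemp -d)
    for pair in 4917:4916 6233:6232 7000:7000; do
        mkdir -p "$dir/${pair%%:*}"
        printf 'Name:\tdemo\nTgid:\t%s\nPid:\t%s\n' "${pair##*:}" "${pair%%:*}" \
            > "$dir/${pair%%:*}/status"
    done
    echo "$dir"
}

demo() {
    fx=$(make_fixture)
    printf '%s\n' 'PID 4917(/proc/4917): not in readdir output' \
        'PID 4917: not in ps output' \
        'PID 6233(/proc/6233): not in readdir output' \
        'PID 7000(/proc/7000): not in readdir output' \
        'PID 8000(/proc/8000): not in readdir output' | triage "$fx"
    rm -rf "$fx"
}
demo
```

On a live host, pipe the real output into it instead of the fixture, for example `./chkproc -v -v -p 1 | triage`. A "thread-of" verdict matches the false positive described in the reply; a "process" verdict is the case that needs a closer look.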