  1. #1

    chkrootkit 4 process hidden - Am I really infected?

    Hello,

    I just ran chkrootkit to check the server integrity and I saw the following:

    Checking `bindshell'... INFECTED (PORTS: 465)
    Checking `lkm'... You have 4 process hidden for readdir command

    So I immediately ran ./chkrootkit -x lkm and below are the results

    ROOTDIR is `/'
    ###
    ### Output of: ./chkproc -v -v -p 1
    ###
    PID 4917(/proc/4917): not in readdir output
    PID 4917: not in ps output
    CWD 4917: /
    EXE 4917: /usr/sbin/clamd
    PID 6233(/proc/6233): not in readdir output
    PID 6233: not in ps output
    CWD 6233: /
    EXE 6233: /usr/sbin/named
    PID 6234(/proc/6234): not in readdir output
    PID 6234: not in ps output
    CWD 6234: /
    EXE 6234: /usr/sbin/named
    PID 6235(/proc/6235): not in readdir output
    PID 6235: not in ps output
    CWD 6235: /
    EXE 6235: /usr/sbin/named
    You have 4 process hidden for readdir command
    You have 4 process hidden for ps command



    I am not yet completely versed in Linux administration, so I was hoping that someone could shed some light on this for me and let me know whether or not I am really infected here, and if so, how to get rid of them.


    thank you, I appreciate any help very much!

  2. #2
    Depending on the OS you are using, you may be using an NPTL-enabled operating system, where this is a common thing to see, because chkrootkit does not take POSIX threads into account.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
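
The reply above explains why chkproc flags threads: it walks PID numbers, stats `/proc/<pid>` for each, and reports any PID that exists there but is absent from the `readdir` listing of `/proc` and from `ps`. On an NPTL system every thread has its own `/proc/<tid>` entry that `readdir` deliberately omits, so the test fires on ordinary threads. The script below is an added example (not part of the thread or of chkrootkit) that tells the two cases apart the way an administrator would verify the reply's claim: it reads the `Tgid:` line of `/proc/<pid>/status` and checks whether the owning thread-group leader is itself visible. The sample data is constructed; the owner PIDs 4916 and 6232 and the "hidden" PID 31337 are assumptions, not values from the post.

```python
#!/usr/bin/env python3
"""Classify PIDs that chkproc reports as "not in readdir output".

A thread's /proc/<tid>/status carries a Tgid line naming the process that
owns it, and that process *is* listed by readdir('/proc').  A genuinely
hidden process has Tgid == Pid and no visible owner, so it stays
'suspicious' and deserves a closer look.
"""
import os
import re

_TGID_RE = re.compile(r"^Tgid:\s+(\d+)", re.M)


def classify(pid, status_text, visible_pids):
    """Return 'visible', 'thread', 'gone' or 'suspicious' for one PID.

    pid          - the PID chkproc flagged
    status_text  - contents of /proc/<pid>/status, or None if unreadable
    visible_pids - set of PIDs returned by readdir('/proc')
    """
    if pid in visible_pids:
        return "visible"            # nothing hidden after all (race with chkproc)
    if status_text is None:
        return "gone"               # exited between chkproc's run and ours
    m = _TGID_RE.search(status_text)
    tgid = int(m.group(1)) if m else pid
    if tgid != pid and tgid in visible_pids:
        return "thread"             # NPTL thread of a visible process
    return "suspicious"             # hidden and not owned by a visible process


def classify_many(flagged, statuses, visible_pids):
    """Classify every flagged PID; statuses maps pid -> status text or None."""
    return {pid: classify(pid, statuses.get(pid), visible_pids) for pid in flagged}


def classify_live(flagged):
    """Run the same check against the real /proc of this host (Linux only)."""
    visible = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    statuses = {}
    for pid in flagged:
        try:
            with open(f"/proc/{pid}/status") as fh:
                statuses[pid] = fh.read()
        except OSError:
            statuses[pid] = None
    return classify_many(flagged, statuses, visible)


# Constructed sample mirroring the post: the three named PIDs are threads of
# an assumed visible named process 6232, the clamd PID is a thread of an
# assumed visible 4916, and 31337 is a constructed process with no visible
# owner (the case that would actually warrant investigation).
SAMPLE_VISIBLE = {1, 4916, 6232}
SAMPLE_STATUS = {
    4917: "Name:\tclamd\nState:\tS (sleeping)\nTgid:\t4916\nPid:\t4917\n",
    6233: "Name:\tnamed\nState:\tS (sleeping)\nTgid:\t6232\nPid:\t6233\n",
    6234: "Name:\tnamed\nState:\tS (sleeping)\nTgid:\t6232\nPid:\t6234\n",
    6235: "Name:\tnamed\nState:\tS (sleeping)\nTgid:\t6232\nPid:\t6235\n",
    31337: "Name:\tx\nState:\tS (sleeping)\nTgid:\t31337\nPid:\t31337\n",
}
SAMPLE_FLAGGED = [4917, 6233, 6234, 6235, 31337]

if __name__ == "__main__":
    for pid, verdict in classify_many(SAMPLE_FLAGGED, SAMPLE_STATUS, SAMPLE_VISIBLE).items():
        print(f"PID {pid}: {verdict}")
```

On a live box, feed `classify_live()` the PIDs from chkproc's `-x lkm` output; a verdict of `thread` for every flagged PID is consistent with the NPTL explanation in the reply, whereas `suspicious` means a PID that has no visible thread-group leader and should be examined further. The `bindshell` line in the first post comes from a separate chkrootkit test that compares listening ports against a fixed list of ports historically used by backdoors; 465 is the registered SMTPS port, so the practical follow-up is to confirm with `ss -ltnp` (or `netstat -ltnp`) which program actually owns that socket.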
