
08-05-2010, 05:05 AM
Junior Guru Wannabe
Join Date: Aug 2004
Posts: 50
Possible LKM Trojan installed
I got the following warnings from chkrootkit.
Is there any way of checking if I've been hacked or if it's just a false positive?
Thanks
Checking `lkm'... You have 1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp !
! RUID PID TTY CMD
! root 3797 tty3 /sbin/mingetty tty3
! root 3799 tty4 /sbin/mingetty tty4
! root 3808 tty5 /sbin/mingetty tty5
! root 3810 tty6 /sbin/mingetty tty6
! root 27588 pts/3 /bin/bash

08-06-2010, 12:34 AM
Platinum quality
Join Date: Jul 2005
Location: New Jersey, US
Posts: 1,299
These are usually false alarms, but you need to thoroughly check the system to be sure. Scan with rkhunter for a deeper check for viruses/trojans and if everything is clean, then this should be fine.
__________________
PlatinumServerManagement (also known as PSM)
The OLDEST and LARGEST server management provider in the USA, with 15+ employees and growing!
Providing quality support for OVER 14 years! Currently supporting over 3,000 servers monthly!
www.PlatinumServerManagement.com Proud member of the NJ BBB & Chamber of Commerce, and Authorized Cpanel Partner.

08-06-2010, 12:42 AM
I like ice cream
Join Date: Mar 2003
Location: California USA
Posts: 11,633
You can try running with chkrootkit -x lkm to get more info.

08-06-2010, 06:00 AM
Junior Guru Wannabe
Join Date: Aug 2004
Posts: 50
Thanks for your help, the process was there for a couple of days but now it's gone so hopefully it was a false positive.
RKhunter also showed nothing.
I'd like to be able to run the chkrootkit -x lkm in case it shows up again but it's coming up as command not found.
I know it's installed on the server because I get the report sent via email daily.
Any ideas?

08-11-2010, 05:54 AM
Junior Guru Wannabe
Join Date: Aug 2004
Posts: 50
Those hidden processes are back again.
Here is the output of chkrootkit -x lkm.
I have no idea what this means, can you let me know if there is anything suspicious here?
Thanks
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v -p 3
###
CWD 1746: /
EXE 1746: /sbin/auditd
CWD 1748: /
EXE 1748: /sbin/audispd
CWD 2023: /
EXE 2023: /usr/sbin/automount
CWD 2024: /
EXE 2024: /usr/sbin/automount
CWD 2027: /
EXE 2027: /usr/sbin/automount
CWD 2030: /
EXE 2030: /usr/sbin/automount
CWD 2154: /var/lib/mysql
EXE 2154: /usr/sbin/mysqld
CWD 2155: /var/lib/mysql
EXE 2155: /usr/sbin/mysqld
CWD 2156: /var/lib/mysql
EXE 2156: /usr/sbin/mysqld
CWD 2157: /var/lib/mysql
EXE 2157: /usr/sbin/mysqld
CWD 2984: /var/lib/mysql
EXE 2984: /usr/sbin/mysqld
CWD 2985: /var/lib/mysql
EXE 2985: /usr/sbin/mysqld
CWD 3017: /var/lib/mysql
EXE 3017: /usr/sbin/mysqld
CWD 3038: /var/lib/mysql
EXE 3038: /usr/sbin/mysqld
CWD 10260: /var/lib/mysql
EXE 10260: /usr/sbin/mysqld
CWD 21544: /var/named
EXE 21544: /usr/sbin/named
CWD 21545: /var/named
EXE 21545: /usr/sbin/named
CWD 21546: /var/named
EXE 21546: /usr/sbin/named
CWD 21547: /var/named
EXE 21547: /usr/sbin/named

08-11-2010, 10:28 AM
I like ice cream
Join Date: Mar 2003
Location: California USA
Posts: 11,633
Nothing to worry about. That is Native POSIX Thread Library (NPTL) coming into play.

08-13-2010, 07:25 AM
Junior Guru Wannabe
Join Date: Aug 2004
Posts: 50

08-20-2010, 06:10 AM
Junior Guru Wannabe
Join Date: Aug 2004
Posts: 50
Sorry to keep resurrecting this thread, but I found more info on the hidden processes.
These keep coming and going.
### Output of: ./chkproc -v -v -p 3
###
CWD 1746: /
EXE 1746: /sbin/auditd
CWD 1748: /
EXE 1748: /sbin/audispd
CWD 2023: /
EXE 2023: /usr/sbin/automount
CWD 2024: /
EXE 2024: /usr/sbin/automount
CWD 2027: /
EXE 2027: /usr/sbin/automount
CWD 2030: /
EXE 2030: /usr/sbin/automount
CWD 2154: /var/lib/mysql
EXE 2154: /usr/sbin/mysqld
CWD 2155: /var/lib/mysql
EXE 2155: /usr/sbin/mysqld
CWD 2156: /var/lib/mysql
EXE 2156: /usr/sbin/mysqld
CWD 2157: /var/lib/mysql
EXE 2157: /usr/sbin/mysqld
CWD 2984: /var/lib/mysql
EXE 2984: /usr/sbin/mysqld
CWD 2985: /var/lib/mysql
EXE 2985: /usr/sbin/mysqld
CWD 3017: /var/lib/mysql
EXE 3017: /usr/sbin/mysqld
CWD 3038: /var/lib/mysql
EXE 3038: /usr/sbin/mysqld
CWD 20931: /var/lib/mysql
EXE 20931: /usr/sbin/mysqld
CWD 21544: /var/named
EXE 21544: /usr/sbin/named
CWD 21545: /var/named
EXE 21545: /usr/sbin/named
CWD 21546: /var/named
EXE 21546: /usr/sbin/named
CWD 21547: /var/named
EXE 21547: /usr/sbin/named
PID 26366(/proc/26366): not in readdir output
PID 26366: not in ps output
CWD 26366: /var/lib/mysql
EXE 26366: /usr/sbin/mysqld
PID 26367(/proc/26367): not in readdir output
PID 26367: not in ps output
CWD 26367: /var/lib/mysql
EXE 26367: /usr/sbin/mysqld
You have 2 process hidden for readdir command
You have 2 process hidden for ps command
Any idea how to track down what these are?

08-20-2010, 08:39 AM
WHT Addict
Join Date: Jun 2010
Location: Connecticut
Posts: 128
Without logging into your server and digging deeper, these appear like false alarms, which is not uncommon with chkrootkit. Unless you have some other suspicious activity happening on the server, I wouldn't lose much sleep over it.
__________________
█ OLM.net - Web Hosting Solutions @ Your Service
█ Multihomed TIER-1 Network | 24/7 On-site Staff
█ IPv6 Now Available! | Dedicated, Virtual, and Shared Hosting
█ Hosting in Connecticut Since 1996 - 1-800-741-6813
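A way to triage hits like the ones above offline, as an added example that is not from the thread or from chkrootkit itself: it parses the chkproc -v -v lines, then checks each flagged PID's Tgid, because an NPTL thread reports its owning process as Tgid in /proc/<pid>/status while a process that is genuinely hidden from ps does not. The chkproc excerpt, the TGID table and the PS_PIDS set are constructed stand-ins; live_tgid shows the real /proc read you would substitute on the server.

```python
import re
# Constructed excerpt in chkproc -v -v format: a visible mysqld entry, the two
# mysqld hits quoted in the thread, and one made-up hit with an odd path.
CHKPROC_OUTPUT = """\
CWD 2154: /var/lib/mysql
EXE 2154: /usr/sbin/mysqld
PID 26366: not in ps output
CWD 26366: /var/lib/mysql
EXE 26366: /usr/sbin/mysqld
PID 26367: not in ps output
CWD 26367: /var/lib/mysql
EXE 26367: /usr/sbin/mysqld
PID 31337: not in ps output
CWD 31337: /tmp/.x
EXE 31337: /tmp/.x/bin
"""
# Constructed stand-ins for the Tgid: field of /proc/<pid>/status (a thread's
# Tgid is its owning process's PID) and for the PIDs ps lists (2154 = mysqld).
TGID = {26366: 2154, 26367: 2154, 31337: 31337}
PS_PIDS = {1746, 1748, 2154, 2155, 21544}
INFO_RE = re.compile(r"^(CWD|EXE) (\d+): (.*)$")
HIDDEN_RE = re.compile(r"^PID (\d+): not in ps output$")

def parse_chkproc(text: str) -> dict[int, dict[str, str]]:
    """Return cwd/exe only for the PIDs chkproc reported as missing from ps."""
    info: dict[int, dict[str, str]] = {}
    hidden: set[int] = set()
    for line in text.splitlines():
        if m := HIDDEN_RE.match(line):
            hidden.add(int(m.group(1)))
        elif m := INFO_RE.match(line):
            info.setdefault(int(m.group(2)), {})[m.group(1).lower()] = m.group(3)
    return {pid: info[pid] for pid in hidden if pid in info}

def live_tgid(pid: int) -> int:
    """On a real Linux host, read Tgid from /proc/<pid>/status instead of TGID."""
    with open(f"/proc/{pid}/status") as f:
        tgids = [int(ln.split()[1]) for ln in f if ln.startswith("Tgid:")]
    return tgids[0] if tgids else pid

def triage(hits: dict[int, dict[str, str]], ps_pids: set[int], tgid_of) -> dict[int, str]:
    """Tgid of a different, visible PID means an NPTL thread; anything else needs a look."""
    verdicts: dict[int, str] = {}
    for pid, info in hits.items():
        tgid = tgid_of(pid)
        if tgid != pid and tgid in ps_pids:
            verdicts[pid] = f"thread of visible PID {tgid}: {info['exe']} (benign)"
        else:
            verdicts[pid] = f"HIDDEN: {info['exe']} cwd={info['cwd']} (investigate)"
    return verdicts
```

On a live system pass `live_tgid` as `tgid_of` and build `ps_pids` from `ps -e -o pid=`; a hit that is not a thread of a visible process is the case worth pursuing with the exe path, cwd and open sockets of that PID.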