[CentOS] Re: chkrootkit reporting possible LKM trojan
Leonardo Vilela Pinheiro
leopinheiro at gmail.com
Fri Dec 22 10:05:25 UTC 2006
On 12/22/06, Leonardo Vilela Pinheiro <leopinheiro at gmail.com> wrote:
> How can I be sure if it is LKM or not?
>
> Today I've run chkrootkit and it gave me:
>
> Checking `lkm'... You have 179 process hidden for readdir command
> You have 179 process hidden for ps command
> chkproc: Warning: Possible LKM Trojan installed
>
> Checking `chkutmp'... The tty of the following user process(es) were not found
> in /var/run/utmp !
> ! RUID PID TTY CMD
> ! root 3206 tty1 /sbin/mingetty tty1
> ! root 3285 tty2 /sbin/mingetty tty2
> ! root 3337 tty3 /sbin/mingetty tty3
> ! root 3388 tty4 /sbin/mingetty tty4
> ! root 3439 tty5 /sbin/mingetty tty5
>
> Those hidden ttys can be "su -" sessions that I have just started. The
> computer has just been restarted, and I have just opened those su
> sessions.
>
> There are also some "hidden files", all of them named .packlist and
> .exists. Everything else is fine.
>
> rkhunter looks fine.
>
> " rpm -Va kernel* " looks fine.
>
> Remote user access is being controlled through /etc/ssh/sshd_config
> in a user-host fashion.
>
> Thanks in advance.
>
> --
> Vilela
>
It is a CentOS 4.4 box.
--
Vilela
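The chkproc warning above comes from comparing the PIDs a readdir of /proc returns against the PIDs ps reports; on a box that has just booted, processes starting and exiting between the two readings show up as "hidden". The script below is an added example (not part of the thread or of chkrootkit) that repeats that comparison twice a second apart and reports only PIDs hidden in both passes, so short-lived processes drop out while a PID that is consistently invisible to ps still gets flagged. It assumes a Linux /proc and a procps-style `ps -e -o pid=`.

```shell
#!/bin/sh
# Added example: a two-pass version of the readdir-vs-ps comparison that
# chkrootkit's chkproc reports on. Only PIDs hidden in BOTH passes are listed.

# filter_pids LIST REF MODE
#   Print each PID of LIST (newline-separated) that is also in REF when
#   MODE=common, or that is absent from REF when MODE=missing.
filter_pids() {
    awk -v list="$1" -v ref="$2" -v mode="$3" 'BEGIN {
        n = split(ref, r, "\n")
        for (i = 1; i <= n; i++) if (r[i] != "") seen[r[i]] = 1
        n = split(list, l, "\n")
        for (i = 1; i <= n; i++) {
            if (l[i] == "") continue
            hit = (l[i] in seen)
            if (mode == "common" && hit) print l[i]
            if (mode == "missing" && !hit) print l[i]
        }
    }'
}

# PIDs visible to a plain readdir of /proc (the "readdir command" view).
proc_pids() {
    for d in /proc/[0-9]*; do echo "${d#/proc/}"; done
}

# PIDs that ps reports (the "ps command" view, taken a moment later).
ps_pids() {
    ps -e -o pid= 2>/dev/null | tr -d ' '
}

# One pass: PIDs present in the readdir view but missing from ps output.
# The subshells this very script forks will often appear here, since they
# exit before ps runs; that is exactly the noise the second pass removes.
hidden_pass() {
    filter_pids "$(proc_pids)" "$(ps_pids)" missing
}

# Two passes; a PID is reported only if it was hidden from ps both times.
stable_hidden_pids() {
    first=$(hidden_pass)
    sleep 1
    second=$(hidden_pass)
    filter_pids "$first" "$second" common
}

hidden=$(stable_hidden_pids)
if [ -z "$hidden" ]; then
    echo "no PID was hidden from ps in both passes"
else
    echo "PIDs hidden from ps in both passes (inspect /proc/PID/status, cmdline):"
    printf '%s\n' "$hidden"
fi
```

A PID that survives both passes is worth looking at directly under /proc/PID before drawing conclusions, since the listing still depends on what the running kernel chooses to show.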