[CentOS] Re: chkrootkit reporting possible LKM trojan
Lorenzo Martínez Rodríguez
Lawwait at yahoo.es
Fri Dec 22 10:09:46 UTC 2006
Compare with the result of this:
http://www.security-projects.com/?Unhide and tell us.
Leonardo Vilela Pinheiro wrote:
> On 12/22/06, Leonardo Vilela Pinheiro <leopinheiro at gmail.com> wrote:
>> How can I be sure if it is LKM or not?
>>
>> Today I've run chkrootkit and it gave me:
>>
>> Checking `lkm'... You have 179 process hidden for readdir command
>> You have 179 process hidden for ps command
>> chkproc: Warning: Possible LKM Trojan installed
>>
>> Checking `chkutmp'... The tty of the following user process(es) were
>> not found
>> in /var/run/utmp !
>> ! RUID PID TTY CMD
>> ! root 3206 tty1 /sbin/mingetty tty1
>> ! root 3285 tty2 /sbin/mingetty tty2
>> ! root 3337 tty3 /sbin/mingetty tty3
>> ! root 3388 tty4 /sbin/mingetty tty4
>> ! root 3439 tty5 /sbin/mingetty tty5
>>
>> Those hidden ttys can be "su -" sessions that I have just started. The
>> computer has just been restarted, and I have just opened those su
>> sessions.
>>
>> There are also some "hidden files", all of them named .packlist and
>> .exists. Everything else is fine.
>>
>> rkhunter looks fine.
>>
>> " rpm -Va kernel* " looks fine.
>>
>> Remote user access is being controlled through /etc/ssh/sshd_config
>> in a user-host fashion.
>>
>> Thanks in advance.
>>
>> --
>> Vilela
>>
>
> It is a CentOS 4.4 box.
>
--
Lorenzo Martínez Rodríguez
IT security consultant
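The cross-check Lorenzo points at (compare what readdir() on /proc shows against what the kernel admits to when asked about each PID directly) can be reproduced in a few lines. The script below is an added example written for this archive page; it is not chkrootkit's chkproc or the Unhide tool's own code. It assumes a Linux box with /proc mounted and reads the real /proc/sys/kernel/pid_max; run it as root, otherwise kill(pid, 0) answers EPERM for other users' processes and the result is still usable but less complete. It also handles the two classic sources of false alarms: thread IDs (kill() accepts them, readdir() of /proc never lists them) and processes that fork and exit between the two listings.

```python
"""Cross-check process visibility the way chkrootkit's chkproc and Unhide do:
PIDs that answer kill(pid, 0) but are absent from readdir() of /proc.
Added example for the thread above; assumes Linux with /proc mounted."""
import os
import time

PROC = "/proc"


def readdir_pids(proc=PROC):
    """PIDs that readdir() on /proc exposes; this is the view `ps` is built from."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}


def thread_ids(visible_pids, proc=PROC):
    """Thread IDs of the visible processes, read from /proc/<pid>/task.

    kill(tid, 0) succeeds for a thread ID as well, but threads never appear in
    readdir() of /proc, so they must be excluded before a PID is called hidden."""
    tids = set()
    for pid in visible_pids:
        try:
            tids.update(int(t) for t in os.listdir(f"{proc}/{pid}/task"))
        except OSError:
            continue  # process exited between the two listings
    return tids


def pid_max(proc=PROC, default=32768):
    """Upper bound for the brute-force probe; falls back to the old 2.6 default."""
    try:
        with open(f"{proc}/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except OSError:
        return default


def probe_pids(upper):
    """PIDs that exist according to kill(pid, 0), which does not go through /proc.

    ESRCH (ProcessLookupError) means no such process; EPERM (PermissionError)
    means it exists but belongs to another user, so it still counts as present."""
    found = set()
    for pid in range(1, upper + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def classify(readdir_seen, probe_seen, tids):
    """PIDs the kernel knows about that readdir() does not show and that are not threads."""
    return (probe_seen - readdir_seen) - tids


def confirm(first, second):
    """Keep only PIDs flagged by two independent scans: a process that forked and
    exited between the listings shows up in one scan only and is not a hidden process."""
    return first & second


def scan():
    """One full pass: readdir view, thread IDs of that view, then the kill() probe."""
    visible = readdir_pids()
    return classify(visible, probe_pids(pid_max()), thread_ids(visible))


if __name__ == "__main__":
    first = scan()
    time.sleep(1)
    hidden = confirm(first, scan())
    if hidden:
        print("PIDs answering kill() but absent from /proc:", sorted(hidden))
    else:
        print("no hidden PIDs after two scans")
```

On a current kernel pid_max is often 4194304, so the probe loop takes a few seconds; that is the same brute-force cost Unhide pays. A PID reported by both passes and not explained by a thread deserves a closer look with a second, independent source (for example, the process list from a rescue boot of the same disk); an empty result from this check alone does not prove the kernel is clean, since a module that hooks kill() as well as readdir() would fool both sides.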