[CentOS] Re: chkrootkit reporting possible LKM trojan

Lorenzo Martínez Rodríguez Lawwait at yahoo.es
Fri Dec 22 10:09:46 UTC 2006



Compare with the result of this:
http://www.security-projects.com/?Unhide and tell us.



Leonardo Vilela Pinheiro wrote:
> On 12/22/06, Leonardo Vilela Pinheiro <leopinheiro at gmail.com> wrote:
>> How can I be sure if it is LKM or not?
>>
>> Today I've run chkrootkit and it gave me:
>>
>> Checking `lkm'... You have   179 process hidden for readdir command
>> You have   179 process hidden for ps command
>> chkproc: Warning: Possible LKM Trojan installed
>>
>> Checking `chkutmp'...  The tty of the following user process(es) were
>> not found
>>  in /var/run/utmp !
>> ! RUID          PID TTY    CMD
>> ! root         3206 tty1   /sbin/mingetty tty1
>> ! root         3285 tty2   /sbin/mingetty tty2
>> ! root         3337 tty3   /sbin/mingetty tty3
>> ! root         3388 tty4   /sbin/mingetty tty4
>> ! root         3439 tty5   /sbin/mingetty tty5
>>
>> Those hidden tty can be "su -" sessions that I have just started. The
>> computer has just been restarted, and I have just opened those su
>> sessions.
>>
>> There are also some "hidden files", all of them named .packlist and
>> .exists. Everything else is fine.
>>
>> rkhunter looks fine.
>>
>> " rpm -Va kernel* " looks fine.
>>
>> Remote users access are being controlled through /etc/ssh/sshd_config
>> in a user-host fashion.
>>
>> Thanks in advance.
>>
>> -- 
>> Vilela
>>
>
> It is a Centos 4.4 box.
>


-- 



Lorenzo Martínez Rodríguez
Consultor de seguridad informática
 




More information about the CentOS mailing list