[CentOS] chkrootkit reporting possible LKM trojan

Fri Dec 22 10:02:41 UTC 2006
Leonardo Vilela Pinheiro <leopinheiro at gmail.com>

How can I be sure if it is LKM or not?

Today I've run chkrootkit and it gave me:

Checking `lkm'... You have   179 process hidden for readdir command
You have   179 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed

Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         3206 tty1   /sbin/mingetty tty1
! root         3285 tty2   /sbin/mingetty tty2
! root         3337 tty3   /sbin/mingetty tty3
! root         3388 tty4   /sbin/mingetty tty4
! root         3439 tty5   /sbin/mingetty tty5

Those hidden ttys can be "su -" sessions that I have just started. The
computer has just been restarted, and I have just opened those su
sessions.

There are also some "hidden files", all of them named .packlist and
.exists. Everything else is fine.

rkhunter looks fine.

"rpm -Va kernel*" looks fine.

Remote user access is being controlled through /etc/ssh/sshd_config
in a user-host fashion.

Thanks in advance.

-- 
Vilela
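Added example, not part of the original post: chkproc's "hidden process" count comes from comparing the PIDs that readdir() on /proc lists with the PIDs found by probing every number up to the PID maximum. On 2.6 kernels the probe also finds thread IDs, which /proc does not list, so each thread of a multithreaded daemon is counted as a hidden process. The script below (assumes Linux with /proc mounted; run as root) repeats the comparison and then checks each unlisted PID's Tgid to separate threads of a visible process from PIDs that have no visible thread-group leader and deserve a closer look.

```python
import os

def listed_pids(proc="/proc"):
    """PIDs that readdir() on /proc shows, chkproc's first view."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}

def probed_pids(pid_max):
    """PIDs that kill(pid, 0) says exist: EPERM still means it exists, ESRCH not."""
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found

def tgid_of(pid, proc="/proc"):
    """Thread-group leader from /proc/<pid>/status, or None if unreadable.
    A thread's /proc/<tid> is reachable by name although readdir() hides it."""
    try:
        with open(f"{proc}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None

def classify(listed, probed, tgid_lookup):
    """Split probed-but-unlisted PIDs into threads of a listed process (benign)
    and PIDs with no listed thread-group leader (worth investigating)."""
    threads, hidden = set(), set()
    for pid in probed - listed:
        tgid = tgid_lookup(pid)
        if tgid is not None and tgid != pid and tgid in listed:
            threads.add(pid)
        else:
            hidden.add(pid)
    return threads, hidden

def scan(proc="/proc"):
    """Run the comparison on the live system (Linux only; slow with a large pid_max)."""
    with open(f"{proc}/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    return classify(listed_pids(proc), probed_pids(pid_max), lambda p: tgid_of(p, proc))
```

Calling scan() returns (threads, hidden); a result where every unlisted PID lands in threads matches the benign explanation, while anything in hidden should be compared against a second view of the process table, for example from a trusted rescue medium.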