
My backup server is a RH9.0 intel machine with all the updates. Chkrootkit
0.43 reports everything is OK but I just ran version 0.44 and got a bit of
a surprise:

[root@spare chkrootkit-0.44]# ./chkrootkit lkm
ROOTDIR is `/'
Checking `lkm'... You have 4 process hidden for ps command
Warning: Possible LKM Trojan installed
[root@spare chkrootkit-0.44]# ./chkproc -v
PID 1250: not in ps output
PID 1251: not in ps output
PID 1252: not in ps output
PID 1253: not in ps output
You have 4 process hidden for ps command

I’ve checked that ps and libproc.so are unchanged from the original rpm
install.

I’m not sure whether this is a false alarm or not? I’ve unplugged it from
the network and would appreciate any ideas on how to verify if I have a
real problem or not…

(I’d like to avoid the reformat/reinstall from scratch option if possible).


As others have pointed out, it shouldn’t be.

‘chkrootkit’ is a tool that looks for symptoms and signs seen during
previous exploits. It is not (and probably can’t be) foolproof.

If you use it, and the results are negative, it doesn’t mean your
system is “clean”. It only means that the exploits it’s looking for
may not be present.

If you use it, and the results are positive, you need to read exactly
what the tool was looking for, and then research what it’s finding.
Sometimes, it means you are r00ted – sometimes it’s made a mistake.

The tool is only looking at certain things, and is only part of the job
of keeping your system clean. Depending on your threat model (what you
feel you might need to defend against), you might need to be doing a lot
more, up to and possibly including monitoring disk and memory content
from an external system. Depends on how paranoid you want to be.

> (I’d like to avoid the reformat/reinstall from scratch option if possible).

That remains the only safe option, but this doesn’t mean it’s time to do so.

RH9 is unsupported by Red Hat now, though there _MAY_ be some errata
available from download.fedoralegacy.org. At the very least you want to
_scan_ the Bugtraq mailing list. A number of news servers carry a mirror
of this list – look for mailing.unix.bugtraq or muc.lists.bugtraq on your
news server.


Leaving my feelings for chkrootkit aside, for future reference you could
cd /proc/1250/ && cat cmdline
and get an idea of at least what the program says it is.
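The check above, done by hand for every PID rather than one at a time, as an added example that is not from this thread or from the chkrootkit project. It repeats what chkproc does (compare the kernel's list of PIDs in /proc with what ps reports) and then, for each PID ps does not show, prints the Name, exe and cmdline that /proc gives for it. It assumes a Linux /proc filesystem and a procps-style ps; the PID values in the test are constructed. Processes that start or exit between the two snapshots show up as a one-off gap, so each candidate is re-checked against a fresh ps before it is reported.

```shell
#!/bin/sh
# Added example, not from the thread or from chkrootkit.
# Assumes Linux (/proc) and a procps-style ps that understands -e -o pid=.

# PIDs that ps knows about, one per line.
ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# PIDs the kernel exposes under /proc, one per line.
proc_pids() {
    for d in /proc/[0-9]*; do
        echo "${d#/proc/}"
    done
}

# Pure set difference: PIDs in the /proc list ($1) that are missing from the
# ps list ($2). Both arguments are newline-separated. awk loads the ps list
# into a set first, then prints every /proc PID not in that set.
hidden_pids() {
    printf '%s\n' "$1" | awk -v ps="$2" '
        BEGIN { n = split(ps, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        $1 != "" && !($1 in seen)'
}

# What /proc says about one PID: the thread's "cat cmdline" advice, plus the
# Name field from status and the exe symlink target.
describe_pid() {
    pid=$1
    if [ ! -d "/proc/$pid" ]; then
        echo "PID $pid: gone (transient process)"
        return 0
    fi
    name=$(sed -n 's/^Name:[[:space:]]*//p' "/proc/$pid/status" 2>/dev/null)
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
    echo "PID $pid: Name=${name:-?} exe=${exe:-?} cmdline=${cmd:-<empty>}"
}

# Take the ps snapshot first, then /proc, so a process that exits in between
# is not mistaken for a hidden one; re-check survivors against a fresh ps so a
# process that merely started in between is dropped too.
# Exit status: 0 if nothing is hidden, 1 if at least one PID stays hidden.
check_hidden_processes() {
    ps_list=$(ps_pids)
    proc_list=$(proc_pids)
    hidden=$(hidden_pids "$proc_list" "$ps_list")
    count=0
    for pid in $hidden; do
        # Visible in a fresh ps: it just started after the snapshot, skip it.
        if ps -p "$pid" -o pid= 2>/dev/null | grep -q .; then
            continue
        fi
        describe_pid "$pid"
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then
        echo "no PIDs hidden from ps"
        return 0
    fi
    echo "You have $count process(es) hidden from ps"
    return 1
}

# Run the live check only when asked, so the functions can be sourced too:
#   sh ./hidden_pids.sh --run
case "${1:-}" in
    --run) check_hidden_processes ;;
esac
```

A PID that stays in the report across several runs, whose exe link points at an unexpected binary or whose cmdline is empty, is what deserves a closer look; a PID that comes and goes between runs is the race chkproc itself is prone to, and a resident scanner like clamav that forks short-lived workers triggers exactly that.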


Happens a lot (Google will show you this) with chkrootkit, e.g. if you use
clamav as a virus scanner, but other progs are known to give this result as
well. Check out rkhunter!