LinuxQuestions.org


Mogh 09-07-2004 08:46 AM

chkrootkit false alarm?
 
Hi, I am a bit new to using chkrootkit and it found 16 hidden processes from ps and says possible LKM trojan installed on all three of my RH 8.0 bind/apache server systems.

Is it normal for named, mysql and nautilus to do this, therefore assuming false positive? When I shut down named and mysql the message no longer appears. There is no lastlog file since I deleted it many months ago but assumed it would have rebuilt by now but guess I needed to create the file first in order for it to rebuild again.


ROOTDIR is `/'
###
### Output of: ./chkproc -v -v -p 1
###
PID 767: not in ps output
CWD 767: /var/lib/mysql
EXE 767: /usr/sbin/mysqld
PID 768: not in ps output
CWD 768: /var/lib/mysql
EXE 768: /usr/sbin/mysqld
PID 769: not in ps output
CWD 769: /var/lib/mysql
EXE 769: /usr/sbin/mysqld
PID 770: not in ps output
CWD 770: /var/lib/mysql
EXE 770: /usr/sbin/mysqld
PID 771: not in ps output
CWD 771: /var/lib/mysql
EXE 771: /usr/sbin/mysqld
PID 787: not in ps output
CWD 787: /var/lib/mysql
EXE 787: /usr/sbin/mysqld
PID 788: not in ps output
CWD 788: /var/lib/mysql
EXE 788: /usr/sbin/mysqld
PID 789: not in ps output
CWD 789: /var/lib/mysql
EXE 789: /usr/sbin/mysqld
PID 790: not in ps output
CWD 790: /var/lib/mysql
EXE 790: /usr/sbin/mysqld
PID 806: not in ps output
CWD 806: /var/named
EXE 806: /usr/sbin/named
PID 807: not in ps output
CWD 807: /var/named
EXE 807: /usr/sbin/named
PID 808: not in ps output
CWD 808: /var/named
EXE 808: /usr/sbin/named
PID 809: not in ps output
CWD 809: /var/named
EXE 809: /usr/sbin/named
PID 12756: not in ps output
CWD 12756: /root
EXE 12756: /usr/bin/nautilus
PID 12757: not in ps output
CWD 12757: /root
EXE 12757: /usr/bin/nautilus
PID 12758: not in ps output
CWD 12758: /root
EXE 12758: /usr/bin/nautilus
You have 16 process hidden for ps command
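As an added example (not part of this thread and not chkrootkit's own code), here is a small Python triage script that reproduces the idea behind chkproc and then sorts its findings. chkproc probes every PID number under /proc directly instead of trusting the directory listing and compares the result with what ps prints; a well-known benign cause of its "process hidden for ps command" warning is a multithreaded daemon such as mysqld or named, whose threads have their own PIDs reachable under /proc but are not listed by a plain ps. The script reads the Tgid: line of /proc/<pid>/status and treats a "hidden" PID whose thread-group leader ps does list as a thread, and reports everything else as unexplained. The names ProcEntry, classify, summarize, probe_proc, ps_visible_pids and constructed_sample are mine; the constructed sample mimics the PID/EXE/CWD shape of the output above but its Tgid values are invented for illustration. The live scan assumes a Linux /proc and a procps-style ps and should be run as root, otherwise exe and cwd of other users' processes come back as "?". Note the limitation unSpawn raises below: a kernel-level rootkit can lie to /proc as well as to ps, so a clean result from the same box is weak evidence compared with a filesystem integrity checker baselined before exposure.

```python
import os
import subprocess
from dataclasses import dataclass


@dataclass
class ProcEntry:
    pid: int
    tgid: int   # thread-group leader PID, from the "Tgid:" line of /proc/<pid>/status
    exe: str
    cwd: str


def classify(proc_entries, ps_pids):
    """Split the PIDs that ps did not list into two buckets.

    threads:     the PID belongs to a thread group whose leader ps DID list;
                 this is the well-known benign cause of chkproc's warning.
    unexplained: anything else; a PID with no visible leader deserves a
                 closer look (short-lived process, or something hiding it).
    """
    ps_pids = set(ps_pids)
    threads, unexplained = [], []
    for e in proc_entries:
        if e.pid in ps_pids:
            continue
        if e.tgid != e.pid and e.tgid in ps_pids:
            threads.append(e)
        else:
            unexplained.append(e)
    return threads, unexplained


def summarize(threads, unexplained):
    """Human-readable lines, grouped per visible thread-group leader."""
    per_leader = {}
    for e in threads:
        per_leader[(e.tgid, e.exe)] = per_leader.get((e.tgid, e.exe), 0) + 1
    lines = [f"{n} hidden PID(s) are threads of visible PID {tgid} ({exe})"
             for (tgid, exe), n in sorted(per_leader.items())]
    lines += [f"UNEXPLAINED PID {e.pid}: exe={e.exe} cwd={e.cwd} tgid={e.tgid}"
              for e in unexplained]
    return lines


def read_proc_entry(pid):
    """Collect Tgid, exe and cwd for one PID; None if it exited meanwhile."""
    tgid = pid
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    tgid = int(line.split()[1])
                    break
    except OSError:
        return None

    def link(name):
        try:
            return os.readlink(f"/proc/{pid}/{name}")
        except OSError:          # kernel threads, or not root
            return "?"

    return ProcEntry(pid, tgid, link("exe"), link("cwd"))


def probe_proc():
    """Like chkproc: try every PID number rather than trusting readdir(/proc),
    so a PID that is missing from the directory listing is still found.
    Walks up to pid_max entries, so it takes a few seconds on large systems."""
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    entries = []
    for pid in range(1, pid_max + 1):
        if os.path.exists(f"/proc/{pid}/status"):
            e = read_proc_entry(pid)
            if e is not None:
                entries.append(e)
    return entries


def ps_visible_pids():
    """PIDs as procps ps reports them (no -L, so threads are not included)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def constructed_sample():
    """Constructed data shaped like the chkproc output in the thread: one
    mysqld leader that ps lists, three of its threads that ps omits, and
    one named PID whose thread-group leader is not visible either."""
    entries = [ProcEntry(766, 766, "/usr/sbin/mysqld", "/var/lib/mysql")]
    entries += [ProcEntry(p, 766, "/usr/sbin/mysqld", "/var/lib/mysql")
                for p in (767, 768, 769)]
    entries.append(ProcEntry(806, 806, "/usr/sbin/named", "/var/named"))
    return classify(entries, {766})


if __name__ == "__main__":
    live = os.path.exists("/proc/sys/kernel/pid_max")
    t, u = (classify(probe_proc(), ps_visible_pids()) if live
            else constructed_sample())
    print("\n".join(summarize(t, u)) or "nothing hidden from ps")
```

Run it as root on the box that produced the warning; if every "hidden" PID resolves to a thread of a leader that ps shows, the report matches the benign explanation, whereas an UNEXPLAINED line with an exe or cwd you do not recognise is what to take to the integrity checker and package verification next.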

moonloader 09-07-2004 11:25 AM

you are using RH, if you were using Fedora Core, I would recommend you to check this link below

http://www.redhat.com/archives/fedor.../msg01586.html

jc materi 09-07-2004 01:46 PM

I have been using chkrootkit for over a year and I suspect it is prone to false positives. On the last one I could not find why it was saying 'last root user not logged in or deleted' (or something like that). Since I could not track down the source of the problem I gave chkrootkit the benefit of the doubt and re-installed which took over a day since the server configuration was quite complicated.

However, I made the decision to discontinue the use of chkrootkit and now use rkhunter which you can download from http://www.rkhunter.org/ . chkrootkit might be alright but I got tired of re-installing what I *strongly suspected* were perfectly fine non-compromised servers.

In any case, get rkhunter and run the scan. I run it as a cron job nightly like this.

/usr/local/bin/rkhunter -c --cronjob --skip-keypress > <some file>

Probably the commands --cronjob and --skip-keypress are redundant but hey!

Of course, to run it as a cronjob you must also do the appropriate crontab stuff.

unSpawn 09-07-2004 03:15 PM

Quote:
I have been using chkrootkit for over a year and I suspect it is prone to false positives.
Any checking done based on static locations, strings, signals, checksums etc, etc has its limits.
And just like setting network restrictions is a triplet: (X)inetd or daemon config, Libwrap and firewall (and, not or), as far as basic checking is concerned Chkrootkit and Rootkit Hunter complement each other but really should be used *after* properly hardening the system (start with mount FSes readonly, chattr dirs immutable) and setting up a filesystem integrity checker like Aide, Samhain, (Osiris, Integrit), tripwire.
Check out the LQ FAQ: Security references.
