LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-07-2004, 08:46 AM   #1
Mogh
LQ Newbie
 
Registered: Oct 2003
Posts: 14

Rep: Reputation: 0
chkrootkit false alarm?


Hi, I am a bit new to using chkrootkit and it found 16 hidden processes from ps and says possible LKM trojan installed on all three of my RH 8.0 bind/apache server systems.

Is it normal for named, mysql and nautilus to do this, and therefore assume a false positive? When I shut down named and mysql the message no longer appears. There is no lastlog file since I deleted it many months ago but assumed it would have rebuilt by now, but I guess I needed to create the file first in order for it to rebuild again.


ROOTDIR is `/'
###
### Output of: ./chkproc -v -v -p 1
###
PID 767: not in ps output
CWD 767: /var/lib/mysql
EXE 767: /usr/sbin/mysqld
PID 768: not in ps output
CWD 768: /var/lib/mysql
EXE 768: /usr/sbin/mysqld
PID 769: not in ps output
CWD 769: /var/lib/mysql
EXE 769: /usr/sbin/mysqld
PID 770: not in ps output
CWD 770: /var/lib/mysql
EXE 770: /usr/sbin/mysqld
PID 771: not in ps output
CWD 771: /var/lib/mysql
EXE 771: /usr/sbin/mysqld
PID 787: not in ps output
CWD 787: /var/lib/mysql
EXE 787: /usr/sbin/mysqld
PID 788: not in ps output
CWD 788: /var/lib/mysql
EXE 788: /usr/sbin/mysqld
PID 789: not in ps output
CWD 789: /var/lib/mysql
EXE 789: /usr/sbin/mysqld
PID 790: not in ps output
CWD 790: /var/lib/mysql
EXE 790: /usr/sbin/mysqld
PID 806: not in ps output
CWD 806: /var/named
EXE 806: /usr/sbin/named
PID 807: not in ps output
CWD 807: /var/named
EXE 807: /usr/sbin/named
PID 808: not in ps output
CWD 808: /var/named
EXE 808: /usr/sbin/named
PID 809: not in ps output
CWD 809: /var/named
EXE 809: /usr/sbin/named
PID 12756: not in ps output
CWD 12756: /root
EXE 12756: /usr/bin/nautilus
PID 12757: not in ps output
CWD 12757: /root
EXE 12757: /usr/bin/nautilus
PID 12758: not in ps output
CWD 12758: /root
EXE 12758: /usr/bin/nautilus
You have 16 process hidden for ps command

Last edited by Mogh; 09-07-2004 at 08:58 AM.
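The triage below is an added example, not code from the thread or from chkrootkit: it parses chkproc's -v -v output in the format shown above and asks, for each PID ps does not list, whether it belongs to the thread group of a process ps does list (read from the Tgid field of /proc/<pid>/status). The Tgid values, the ps PID set and PID 4242 are constructed stand-ins.

```python
"""Added example (not from the thread): triage chkproc 'not in ps output' hits.
A PID in the thread group of a process ps does list is a thread, not a hidden
process; a PID that leads its own group and is still absent from ps needs a look."""
import re
# Constructed excerpt in the chkproc -v -v format shown in the post; PID 4242
# is an invented entry standing in for a genuinely hidden process.
CHKPROC_OUTPUT = """\
PID 767: not in ps output
CWD 767: /var/lib/mysql
EXE 767: /usr/sbin/mysqld
PID 806: not in ps output
CWD 806: /var/named
EXE 806: /usr/sbin/named
PID 4242: not in ps output
CWD 4242: /tmp
EXE 4242: /tmp/example-hidden
"""
# Constructed stand-ins for the Tgid: field of /proc/<pid>/status and for the
# PID column of `ps -e`; on a live host use tgid_of() and a real ps listing.
TGID = {767: 766, 806: 805, 4242: 4242}
PS_PIDS = {1, 766, 805}
LINE = re.compile(r"^(PID|CWD|EXE) (\d+): (.*)$")

def parse_chkproc(text):
    """Group the PID/CWD/EXE lines chkproc prints into {pid: {field: value}}."""
    hits = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            hits.setdefault(int(m.group(2)), {})[m.group(1).lower()] = m.group(3)
    return hits

def tgid_of(pid):
    """Thread-group id of a live PID, read from /proc/<pid>/status."""
    with open(f"/proc/{pid}/status") as f:
        for line in f:
            if line.startswith("Tgid:"):
                return int(line.split()[1])
    raise ValueError(f"no Tgid line for pid {pid}")

def triage(hits, tgid, ps_pids):
    """Label each hit 'thread' (group leader visible in ps) or 'hidden'."""
    verdicts = {}
    for pid, info in sorted(hits.items()):
        leader, exe = tgid.get(pid, pid), info.get("exe", "?")
        if leader != pid and leader in ps_pids:
            verdicts[pid] = f"thread of visible pid {leader} ({exe})"
        else:
            verdicts[pid] = f"hidden: no visible thread-group leader ({exe})"
    return verdicts
```

A hit labelled "hidden" is the one worth following up with an integrity checker or an offline look at the disk; the "thread" hits are the multi-threaded daemons chkproc trips over.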
 
Old 09-07-2004, 11:25 AM   #2
moonloader
Member
 
Registered: Nov 2003
Location: linuxquestions.org
Distribution: Linux and BSD
Posts: 229

Rep: Reputation: 30
You are using RH; if you were using Fedora Core, I would recommend you check the link below.

http://www.redhat.com/archives/fedor.../msg01586.html
 
Old 09-07-2004, 01:46 PM   #3
jc materi
LQ Newbie
 
Registered: Aug 2004
Location: Saskatoon, SK, Canada
Distribution: fedora 4
Posts: 25

Rep: Reputation: 15
I have been using chkrootkit for over a year and I suspect it is prone to false positives. On the last one I could not find why it was saying 'last root user not logged in or deleted' (or something like that). Since I could not track down the source of the problem I gave chkrootkit the benefit of the doubt and re-installed which took over a day since the server configuration was quite complicated.

However, I made the decision to discontinue the use of chkrootkit and now use rkhunter, which you can download from http://www.rkhunter.org/ . chkrootkit might be alright but I got tired of re-installing what I *strongly suspected* were perfectly fine non-compromised servers.

In any case, get rkhunter and run the scan. I run it as a cron job nightly like this.

/usr/local/bin/rkhunter -c --cronjob --skip-keypress > <some file>

Probably the commands --cronjob and --skip-keypress are redundant but hey!

Of course, to run it as a cronjob you must also do the appropriate crontab stuff.
 
Old 09-07-2004, 03:15 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote: I have been using chkrootkit for over a year and I suspect it is prone to false positives.
Any checking done based on static locations, strings, signals, checksums etc, etc has its limits.
And just like setting network restrictions is a triplet: (X)inetd or daemon config, Libwrap and firewall (and, not or), as far as basic checking is concerned Chkrootkit and Rootkit Hunter complement each other but really should be used *after* properly hardening the system (start with mounting FSes readonly, chattr dirs immutable) and setting up a filesystem integrity checker like Aide, Samhain, (Osiris, Integrit), tripwire.
Check out the LQ FAQ: Security references.
 