Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Yesterday I installed version 0.43 of 'chkrootkit', and when I run it for the first time I got this output:
Checking `lkm'...
You have 1 process hidden for readdir comman
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed
However, all subsequent runs of 'chkrootkit' -done immediately after and from then on at several intervals- didn't show that warning anymore. I also compiled another instance of the program in other directory and it didn't find anything ("Checking `lkm'... nothing detected").
After that, I verified some system binaries ('ps', 'ls' and many others) with rpm -V and the output showed that they hadn't changed (at least according to 'rpm').
Then I compared the file 'System.map' with the kernel syscall table by means of the program 'kern_check', and no inconsistencies were found.
Googling around I also found references stating that LKM detection on 'chkrootkit 0.43' is sometimes prone to false positives, and even the FAQ of the program indicates that some processes could report false detections in some cases.
In view of all this, can I assume that this has been a false positive, or is there room for suspicion?
In view of all this, can I assume that this has been a false positive, or is there room for suspicion?
There's always room for suspicion, depends on how far you wanna go :-]
Basically, yes, you could regard it as a false positive, the Chkrootkit FAQ says it all, like you already found. Best advice I can give is to save a copy of the rpm database to readonly media after installing the OS for usage just like this. Besides that rpm doesn't track other type of installs, so use a filesystem integrity checker after installing the OS and save a copy of the binary and databases to readonly media. If you are really really suspicious about a certain situation, power off the box and use something like Knoppix, FIRE or PSK. Then almost nothing can get in the way of you achieving near perfect results. *If you would argue it's bad to power down a production server, ask yourself what will cost you (or the company) the most in the end: a compromised server caught early or mopping up a year after, loosing customer confidence etc etc.
I think I'm not going to reinstall this time, as it seems like a false positive. All subsequents runs of 'chkrootkit' done since then didn't find anything related to LKM, and all the other checks I did (rpm -V, 'kern_check', etc) did not show anything abnormal. As for file integrity verification, I use 'mtree' and it didn't find any prove of files alteration either. I also have Knoppix, though I haven't used it yet.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.