Chkrootkit: The tty of the following user process(es) were not found
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Chkrootkit: The tty of the following user process(es) were not found
I have a problem with my linux server recently (Ubuntu 16.04). IT was running Zimbra email server, and I have problems sending emails due to overused or overutilized internet connection. I stopped the squid proxy server and the apache server to make sure only the zimbra server that utilizes the internet.
Thank you for any insights.
Code:
Chkrootkit result:
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not found
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for rootkit HiDrootkit's default files... nothing found
Searching for rootkit t0rn's default files... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for rootkit Lion's default files... nothing found
Searching for rootkit RSHA's default files... nothing found
Searching for rootkit RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/python3/dist-packages/certbot_apache/tests/testdata/debian_apache_2_4/multiple_vhosts/apache2/mods-enabled/.gitignore /usr/lib/python3/dist-packages/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/.gitignore /usr/lib/python3/dist-packages/certbot_apache/tests/testdata/gentoo_apache/apache/apache2/vhosts.d/.keep_www-servers_apache-2 /usr/lib/python3/dist-packages/certbot_apache/tests/testdata/gentoo_apache/apache/apache2/modules.d/.keep_www-servers_apache-2 /lib/modules/4.4.0-124-generic/vdso/.build-id /lib/modules/4.4.0-121-generic/vdso/.build-id /lib/modules/4.4.0-122-generic/vdso/.build-id
/lib/modules/4.4.0-124-generic/vdso/.build-id /lib/modules/4.4.0-121-generic/vdso/.build-id /lib/modules/4.4.0-122-generic/vdso/.build-id
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd
Searching for 64-bit Linux Rootkit ... nothing found
Searching for 64-bit Linux Rootkit modules... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
ens160: PACKET SNIFFER(/usr/sbin/dhcpd[1457])
ens192: not promisc and no packet sniffer sockets
ens224: not promisc and no packet sniffer sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! or,continuation,webapp,setuid 0 l,jmx,resources,websocket,ext,plusor,continuation,webapp,setuid jetty.home=/opt/zimbra/common/jetty_home jetty.base=/opt/zimbra/mailboxd /opt/zimbra/mailboxd/etc/jetty.xml
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected
Last edited by unSpawn; 05-27-2018 at 04:50 AM.
Reason: //Next time please use code tags for slabs of text
I have problems sending emails due to overused or overutilized internet connection.
"Over-utilized" in what way? Legitimate traffic, spam or worse? You did investigate before making changes, yes?
Quote:
Originally Posted by allan_registos
Code:
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/python3/dist-packages/certbot_apache/tests/testdata/debian_apache_2_4/multiple_vhosts/apache2/mods-enabled/.gitignore /usr/lib/python3/dist-packages/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/.gitignore /usr/lib/python3/dist-packages/certbot_apache/tests/testdata/gentoo_apache/apache/apache2/vhosts.d/.keep_www-servers_apache-2 /usr/lib/python3/dist-packages/certbot_apache/tests/testdata/gentoo_apache/apache/apache2/modules.d/.keep_www-servers_apache-2 /lib/modules/4.4.0-124-generic/vdso/.build-id /lib/modules/4.4.0-121-generic/vdso/.build-id /lib/modules/4.4.0-122-generic/vdso/.build-id
/lib/modules/4.4.0-124-generic/vdso/.build-id /lib/modules/4.4.0-121-generic/vdso/.build-id /lib/modules/4.4.0-122-generic/vdso/.build-id
AFAIK this result is based on keyword search. Use the integrity verification your OS offers to verify those packages / files are legitimate.
Quote:
Originally Posted by allan_registos
Code:
Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd
This is based on binary output. List ('ls -alt;') the SSH daemon package contents with their respective change times. Run Chkrootkit again but in expert mode to see the results to be able to verify this is not a false positive. Use the integrity verification your OS offers to verify the SSH daemon package is legitimate. If the integrity of the SSH daemon package can not be verified by any other means (like using a previously installed HIDS like Samhain, AIDE or even tripwire or by downloading and comparing the package contents) then be aware changing any of those files requires root rights (meaning a potential root compromise).
Quote:
Originally Posted by allan_registos
Code:
Checking `bindshell'... INFECTED (PORTS: 465)
Listening processes on ports below 1024 should be restricted to / "protected by" root. Check which process runs on the port with the "modern" 'ss -t -l '( sport = :465 )';' or the tried-n-true 'lsof -n -i TCP:465;' or 'fuser -v 465/tcp;' or the kludgy 'netstat -n -l | grep 465;'.
Quote:
Originally Posted by allan_registos
Code:
ens160: PACKET SNIFFER(/usr/sbin/dhcpd[1457])
Commonly DHCP daemon listening in "raw" mode, meaning most likely well known false positive. Use the integrity verification your OS offers to verify those packages / files are legitimate anyway.
Quote:
Originally Posted by allan_registos
Code:
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! or,continuation,webapp,setuid 0 l,jmx,resources,websocket,ext,plusor,continuation,webapp,setuid jetty.home=/opt/zimbra/common/jetty_home jetty.base=/opt/zimbra/mailboxd /opt/zimbra/mailboxd/etc/jetty.xml
Search LQ (or the IntarWebs) and you'll find "The tty of the following user process(es) were not found" message was dealt with a gazillion times over, for example: https://www.linuxquestions.org/quest...2/#post4931954
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
