LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-13-2004, 05:18 PM   #1
provkitir
Member
 
Registered: Jul 2004
Location: Mass
Distribution: Freebsd 5.3, Debian sid 2.6.7
Posts: 101

Rep: Reputation: 15
chkrootkit warning of lkm trojan


hi

i run a debian sarge with kernel 2.6.7, tightly firewalled with firestarter, software mostly apt-got except for a maybe-questionable maple 9 for linux, and recently installed chkrootkit to check the integrity of my box. everything was fine except a warning that read:

Checking `lkm'... You have 7 process hidden for readdir command
You have 7 process hidden for ps command
Warning: Possible LKM Trojan installed

okay, first of all, could someone enlighten me with how to see what hidden processes are going on and how to get rid of them? i checked 'memstat' and nothing out of the ordinary was there. second of all, how bad are lkm trojans if one does have them? third and last, is it possible to get rid of lkm trojans, and if so, how?

thanks. the whole reason i threw my m$ out the window was because of viruses, i don't want to deal with any kind of unclean box. ps, i'm also somewhat pushed for space.. so i'd really prefer to not install anything [running out of harddrive]

thanks a bunch!
 
Old 10-13-2004, 06:00 PM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Here is a message from someone with the same surprise.
http://www.webservertalk.com/archive...-9-390056.html

A couple of the responses:

ROOTDIR is `/'
Checking `lkm'... You have 4 process hidden for ps command
Warning: Possible LKM Trojan installed
[root@spare chkrootkit-0.44]# ./chkproc -v
PID 1250: not in ps output
PID 1251: not in ps output
PID 1252: not in ps output
PID 1253: not in ps output
You have 4 process hidden for ps command

and then given the PID numbers
cd /proc/1250/ && cat cmdline
And get an idea of at least what the program says it is.

Another poster suggested that the 'clamav' program will cause this false alarm.
Perhaps you could (after disconnecting from the network) stop the clamav program ( disable service? ) and reboot and then run the chkrootkit again.

Also, google for information on the LKM Trojan to find out how to detect it manually.

Does debian have the equivalent of the rpm --verify --package <PACKAGE_FILE> command to verify whether or not files have been changed?
your files against the source packages. Verifying the coreutils

--

p.s. Here is a webpage article on checking for root kits by scanning ports and using chkrootkit.
http://www.start-linux.com/articles/article_91.php

Last edited by jschiwal; 10-13-2004 at 06:08 PM.
 
Old 10-13-2004, 06:03 PM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Run the chkrootkit helper app: chkproc -v

That should give you a list of the hidden processes ID numbers. You can then look them up in /proc by their PID number.

False positives are not uncommon in chkrootkit. If a short-lived process terminates between the time ps runs and the time its output is compared to /proc, then it will report a hidden process.

That being said, if you actually do have an lkm rootkit installed, then you'll have to wipe the system, do a full reformat and reinstall from trusted media. You should also consider any other OS's on that system to be compromised as well. Once your system's security has been compromised, it can be extremely difficult to identify any other changes to the system (ie hidden backdoors, added users, secondary rootkits etc), so re-installing is the only real option.
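The check that posts #2 and #3 describe (list PIDs from /proc, compare with what ps reports, then read /proc/<pid>/cmdline for each "hidden" PID), as an added example that is not from this thread or from chkrootkit itself. It assumes a Linux box with /proc mounted and a ps that accepts -e -o pid=, and it adds one thing post #3 asks for: a second look at each candidate so a process that merely exited between the two snapshots is not reported as hidden.

```python
import os
import subprocess


def proc_pids():
    """PIDs seen by listing /proc, the 'readdir' side of chkrootkit's lkm test."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def ps_pids():
    """PIDs as ps reports them, the 'ps' side of the same test."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(proc_set, ps_set):
    """PIDs present in /proc that ps did not list: chkproc's 'not in ps output'."""
    return sorted(proc_set - ps_set)


def confirmed_hidden(candidates, exists=os.path.exists):
    """Drop candidates whose /proc entry has vanished: they simply exited between
    the two snapshots, which is the race behind the false positives in post #3."""
    return [pid for pid in candidates if exists(f"/proc/{pid}")]


def parse_cmdline(raw):
    """Split the NUL-separated contents of /proc/<pid>/cmdline into an argv list."""
    return [arg.decode(errors="replace") for arg in raw.split(b"\0") if arg]


def cmdline(pid):
    """What the process says it is (post #2's 'cat cmdline'); [] if it is gone."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:
            return parse_cmdline(fh.read())
    except OSError:
        return []


def main():
    candidates = hidden_pids(proc_pids(), ps_pids())
    for pid in candidates:
        print(f"PID {pid}: not in ps output")
    survivors = confirmed_hidden(candidates)
    if candidates and not survivors:
        print(f"all {len(candidates)} candidate(s) have exited: transient, not hidden")
    for pid in survivors:
        print(f"PID {pid} still present, cmdline: {cmdline(pid) or '(unreadable)'}")


if __name__ == "__main__":
    main()
```

A PID that survives the recheck but has an empty or unreadable cmdline is the case worth investigating further; a kernel thread will look like that too, so compare against /proc/<pid>/status before drawing conclusions.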
 
Old 10-13-2004, 06:39 PM   #4
provkitir
Member
 
Registered: Jul 2004
Location: Mass
Distribution: Freebsd 5.3, Debian sid 2.6.7
Posts: 101

Original Poster
Rep: Reputation: 15
thank you very much!

i found out that those were just firefox locales. so there's no worries
thanks again!
 
Old 10-14-2004, 02:38 AM   #5
dimgr
Member
 
Registered: Jun 2004
Posts: 92

Rep: Reputation: 15
it is a bug
use rkhunter instead
 
Old 10-20-2004, 06:17 AM   #6
grey_moon
LQ Newbie
 
Registered: Oct 2004
Posts: 1

Rep: Reputation: 0
Make sure you have the latest version of chkrootkit or it will spit out false positives...
 