Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Found this in chkrootkit (nothing in rkhunter).
Is this another false positive?
Quote:
Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Quote:
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 3187 tty6 /sbin/mingetty tty6
! RSTART 24942 r(filename, - 1);? } else {? filename_no_gz = filename;? }? match(filename_no_gz, "/[^/]+$");? progname = substr(filename, RSTART + 1, RLENGTH - 1);? if (match(progname, "\\." section "[A-Za-z]+")) {? actual_section = substr(progna! da? 16232 | $2 ~ /^NUME/ || # ro? $2 ~ /^BEZEICHNUNG/ || # de? $2 ~ /^NOMBRE/ || # es? $2 ~ /^NIMI/ || # fi? $2 ~ /^NOM/ || # fr? $2 ~ /^IME/ || # sh?chkutmp: nothing deleted
That does indeed look suspicious. Did you check that chkrootkit's results were correct? And depending on how paranoid about security you have to be: proceed with caution. A few more details about the machine's role, etc. will help us determine how to proceed.
That does indeed look suspicious. Did you check that chkrootkit's results were correct? And depending on how paranoid about security you have to be: proceed with caution. A few more details about the machine's role, etc. will help us determine how to proceed.
Regards,
Alunduil
Not sure how to check if they are correct?
Do I just rerun it?
I basically only use the machine as a proxy server although I did recently open up the OpenVPN port but have not fully finished installing OpenVPN.
I just reran chkrootkit and the same results were not there - all clear.
Quote:
Checking `lkm'... chkproc: nothing detected
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 3187 tty6 /sbin/mingetty tty6
chkutmp: nothing deleted
Nothing has turned up in rkhunter at all - all clear.
The virtual consoles (accesses via ctl+f?) are usually associated with a tty. The details of this are in /etc/inittab (unless you're on Ubuntu, they moved that configuration around).
It's the nature of rootkit hunters and what they search for that cause the false positives. I've always been a firm believer in forensic tools combined with knowing your system by watching a statistical tool such as cacti.
TTY is a communication layer between the system and the use, as simplest and best to my knowledge. You can find more information on it on this site which I may say is very technical.
What time does chkrootkit run and what time does cron run? Does cron run the chkrootkit? If so, I'm willing to bet that chkrootkit is finding it's own parent and saying it's a break-in.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
