Possible LKM Trojan install kernel 2.6.0

This is on Redhat 9.0

I'm looking for some guidance as to determine if I have a problem or false alarm.
I download the kernel 2.6.0 from kernel.org. Verified the gpg signature for both the kernel and mod-utils package.

Every thing works fine, but when I run chkrootkit I get the following:

Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... You have 6 process hidden for readdir command
You have 6 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... Checking `w55808'... not infected

After reading about what the problem might be, I tried to query the /bin/ls file using rpm tool.
For some reason it was telling me my db was not accessible and the file didn't not belong to a package.
I rebooted the system in rescue mode and force installed the coreutilits package.
I booted to the original kernel 2.4.20 and ran chkrootkit again. With the original kernel the LKM warning did not show up, but when I booted into 2.6.0 I have the same message.

Anyone else having the same problem?

Just tried it on my 2.6.0, didn't find a thing.

Quote:

Checking `asp'... not infected Checking `bindshell'... not infected Checking `lkm'... nothing detected Checking `rexedcs'... not found Checking `sniffer'... Checking `w55808'... not infected Checking `wted'... nothing deleted Checking `scalper'... not infected Checking `slapper'... not infected Checking `z2'... nothing deleted

Checking `lkm'... You have 6 process hidden for readdir command
This message comes from the chkproc binary.

Code:

]$ grep -a readdir /usr/local/sbin/chkproc 
/proc/%dPID %5d: not in readdir output
You have % 5d process hidden for readdir command

Chkproc checks "ps" output with process dirs in /proc.
Some processes are shortlived and die before chkproc can check 'em.
Then chkproc shows an error.

If you want to doublecheck, you could rerun Chkrootkit with the "lkm" test, or run "check_ps". If there's a secondary indication (from running a filesystem integrity scanner for instance) that indicates tampering, then you could be looking at a Linux Kernel Module (LKM). Isolating the box from the network by dropping to runlevel 1 and then checking syscall diversion (kern_check: see Samhain site) could be one option, but hard powering off the box, booting a kernel from a rescue cdr/floppy and then checking the filesystem (in read-only mode) is better. Granted, you loose checking active processes, but if there's malicious activity chances to find it are "better" on a dead system because then system calls can't be redirected.


After reading about what the problem might be, I tried to query the /bin/ls file using rpm tool.
For some reason it was telling me my db was not accessible and the file didn't not belong to a package. I rebooted the system in rescue mode and force installed the coreutilits package.
With all due respect, but reinstall until it works, that's "MICROS~1" behaviour.
Besides that, if there's a system compromise you most likely do not want to delete "evidence": kill the system, then check.


"Just tried it on my 2.6.0, didn't find a thing."
Wrt errors there's always two distinctly different issues to focus on: troubleshooting Chkrootkit and its binaries, and determining system status. If you don't know what to contribute an error to, please be cautious. It's "better" to have to check and know system status is OK than to ignore it.

Thanks for the reply. I've been trying to compile checkps, but no luck so far. I haven't tried Samhain package,but will get to it soon. I tried to manually compare the output from the ps command to that of the /proc dir. With the exception of two processess that exits, everything else matches up.

My next step is to recompile the kernel to see if I get the same results.

Well, I have downloaded and compiled kernel 2.6.0 about 3 times again. I get the same LKM warning when running chkrootkit under kernel 2.6.0. Again, no warning under 2.4.20. I've downloaded and install Samhain. Hopefully, this will make a difference if there is a problem. Thanks again for the info.

Could you run "strace -v -o /tmp/chkproc.strace chkproc 2>&1|tee /tmp/chkproc.log" on the 2.6.0, zap your hostname from the logs, and email me both files (as a tarball plz)?

i think you should get the ps precompiled binaries and socklist and netstat from a clean machine .. and i guess you should check if you are running samba ... as far as i know that's the only vuln in rh9 to get root ...

I had the same messages.

Code:

Warning: Possible LKM Trojan installed

so i checked some arrount the system.

Code:

uname -r
2.6.35.9-64.fc14.x86_64

Code:

sudo rm /dev/shm/*

the were some mono files whit my hostname in it my uname in it and the word fileshare
so than i remove them
when mono pops-up to reinstall its plugin i accept.

because rkrootkid did not say anything.

so checked again whit chkrootkit version 0.49
messages gone

Code:

Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found

Please don't resurrect dead threads (this one's been dead for almost seven years).

Help us keep LQSEC as zombie-free as possible.