Jukas
12-01-2005 06:03 PM
Chkrootkit Alert. Am I actually compromised?
I was reviewing my nightly notifications from my Linux server this afternoon and I saw the following from chkrootkit:
Quote:
/etc/cron.daily/chkrootkit:
You have 1 process hidden for readdir command
You have 1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
eth0: PACKET SNIFFER(/usr/sbin/snort[26839])
I ran chkrootkit again and it only showed snort. So I then ran -x lkm and got the following:
Quote:
nix:/sbin# chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v -p 2
###
CWD 3541: /var/lib/mysql
EXE 3541: /usr/sbin/mysqld
CWD 3542: /var/lib/mysql
EXE 3542: /usr/sbin/mysqld
CWD 3543: /var/lib/mysql
EXE 3543: /usr/sbin/mysqld
CWD 3544: /var/lib/mysql
EXE 3544: /usr/sbin/mysqld
CWD 3547: /var/lib/mysql
EXE 3547: /usr/sbin/mysqld
CWD 3548: /var/lib/mysql
EXE 3548: /usr/sbin/mysqld
CWD 3549: /var/lib/mysql
EXE 3549: /usr/sbin/mysqld
CWD 3550: /var/lib/mysql
EXE 3550: /usr/sbin/mysqld
CWD 3551: /var/lib/mysql
EXE 3551: /usr/sbin/mysqld
What's the likelihood I've actually been compromised and this isn't a false positive? The server is still up and running and I haven't killed any processes. I'm wondering if I shouldn't scratch chkrootkit, install fresh from source, and then scan it again?
My reading on Google suggests that "LKM Trojan" can frequently be reported as a false positive, so I don't want to jump the gun and do a complete format / reinstall if it's not necessary.
Any advice/suggestions are greatly appreciated!
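An added example, not from the original post or from chkrootkit itself: a small Python script that repeats the readdir-versus-ps comparison behind chkproc's "process hidden" warning over several rounds, so a PID that merely exited between the two listings (the usual race false positive) is separated from one that is missing from ps every time. It assumes a Linux /proc and a procps-style ps; the function names are my own.

```python
import os
import subprocess
import time


def pids_from_proc():
    """PIDs visible by listing /proc, which is what chkproc's readdir check sees."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def pids_from_ps():
    """PIDs reported by ps, which is what chkproc's ps check sees."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split() if tok.isdigit()}


def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc but absent from ps output: the candidates chkproc reports."""
    return proc_pids - ps_pids


def stable_hidden(samples):
    """Split per-round hidden-PID sets into PIDs hidden in every round (persistent,
    worth investigating) and PIDs hidden only sometimes (transient: a process that
    exited between the /proc listing and the ps run, i.e. the race false positive)."""
    if not samples:
        return set(), set()
    persistent = set.intersection(*samples)
    transient = set.union(*samples) - persistent
    return persistent, transient


def scan(rounds=5, delay=0.5):
    """Run the comparison several times, pausing between rounds, and classify."""
    samples = []
    for _ in range(rounds):
        samples.append(hidden_pids(pids_from_proc(), pids_from_ps()))
        time.sleep(delay)
    return stable_hidden(samples)


def describe(pid):
    """Best-effort CWD/EXE for a PID, like chkproc -v -v prints (needs root for other users' processes)."""
    try:
        return os.readlink(f"/proc/{pid}/cwd"), os.readlink(f"/proc/{pid}/exe")
    except OSError as e:
        return "?", f"unreadable ({e.strerror})"


if __name__ == "__main__":
    persistent, transient = scan()
    for pid in sorted(persistent):
        cwd, exe = describe(pid)
        print(f"PERSISTENT hidden pid {pid}: CWD {cwd} EXE {exe}")
    if transient:
        print(f"transient mismatches (likely race): {sorted(transient)}")
    if not persistent:
        print("no PID hidden across all rounds")
```

A PID flagged in every round still needs a look at its CWD/EXE and how it was started; a rootkit that hides a process from both /proc and ps will not show up here at all, which is why this check only separates the race from a stable discrepancy rather than proving the box clean.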