Hey
I need a bit of help before I completely freak out.
I have a cronjob running chkrootkit every night at 3 o'clock, at the same time rkhunter is running (just changed chkrootkit to 4 o'clock), and here's the problem.
The reports I get by email from rkhunter and chkrootkit are a bit different. Chkrootkit detects "Possible LKM Trojan installed" and rkhunter is all clean.
The only warning I get from chkrootkit is this:
Quote:
Checking `lkm'... You have 2 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Running chkrootkit manually, the result is different:
Quote:
Checking `lkm'... chkproc: nothing detected
Running: 'chkrootkit -x lkm' gives me:
Code:
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v -p 3
###
CWD 3681: /var/cache/bind
EXE 3681: /usr/sbin/named
CWD 3682: /var/cache/bind
EXE 3682: /usr/sbin/named
CWD 3683: /var/cache/bind
EXE 3683: /usr/sbin/named
I am running Debian, kernel 2.6.16-2-686.
Firewall installed and running, as is a hardware firewall.
Server is running apache, dns, exim, ftp, mysql, ...
SSH is limited to my IP only, no root login allowed.
No weird connections from netstat -tap.
Do I have my Bind 'infected' or is this a false positive? Any ideas what to look at to see if this is a false positive or the real deal?
Any help would be appreciated!
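As an added example (mine, not the original poster's, and not chkrootkit's own chkproc code): a script that reproduces the /proc-versus-ps comparison behind the "hidden for ps command" warning, takes several snapshots so that PIDs which only appear in one (started or exited between the two listings, which is exactly what two scanners running at the same moment invite) are reported as transient, and checks whether a persistently hidden id is really a thread of a listed process, since `ps -e` only shows thread group leaders. It assumes Linux with a /proc that answers numeric probes and a procps `ps`; probing every PID up to pid_max takes a few seconds on hosts with a large pid_max.

```python
import os
import subprocess
import time

def probed_pids(pid_max=None):
    """Probe /proc/<n> numerically, as a hidden-process scanner does; this also
    finds thread directories that a plain readdir of /proc omits."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    return {n for n in range(1, pid_max + 1) if os.path.isdir(f"/proc/{n}")}

def ps_pids():
    """PIDs that ps reports (thread group leaders only)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def thread_ids(listed):
    """Map every thread id of the listed processes to its owning PID."""
    owner = {}
    for pid in listed:
        try:
            for tid in os.listdir(f"/proc/{pid}/task"):
                owner[int(tid)] = pid
        except OSError:  # process exited between listing and here
            pass
    return owner

def classify(samples, owner):
    """samples: (probed, listed) set pairs taken a little apart in time.
    Returns (suspicious, transient, threads): only PIDs hidden in every
    sample that are not threads of a listed process merit investigation."""
    hidden_each = [probed - listed for probed, listed in samples]
    if not hidden_each:
        return set(), set(), {}
    persistent = set.intersection(*hidden_each)
    transient = set.union(*hidden_each) - persistent
    threads = {t: owner[t] for t in persistent if t in owner}
    return persistent - set(threads), transient, threads

def sample(rounds=3, delay=1.0):
    """Take several snapshots so short-lived PIDs (the race) drop out."""
    snaps = []
    for _ in range(rounds):
        snaps.append((probed_pids(), ps_pids()))
        time.sleep(delay)
    return snaps

if __name__ == "__main__":
    snaps = sample()
    print(classify(snaps, thread_ids(snaps[-1][1])))
```

A PID that stays in the suspicious set across runs, and whose `/proc/<pid>/exe` does not resolve to a package-managed binary, is the one worth a closer look; everything in transient or threads is scanner noise.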