LinuxQuestions.org
Old 10-16-2006, 05:33 AM   #1
TheRudy
Possible LKM Trojan installed


Hey

I need a bit of help before I completely freak out.

I have a cron job running chkrootkit every night at 3 o'clock, at the same time rkhunter is running (just changed chkrootkit to 4 o'clock), and here's the problem.

The reports that I get by email from rkhunter and chkrootkit are a bit different. Chkrootkit detects "Possible LKM Trojan installed" and rkhunter is all clean.

The only warning I get from chkrootkit is this:
Quote:
Checking `lkm'... You have 2 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Running chkrootkit manually, the result is different:
Quote:
Checking `lkm'... chkproc: nothing detected
Running: 'chkrootkit -x lkm' gives me:
Code:
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v -p 3
###
CWD  3681: /var/cache/bind
EXE  3681: /usr/sbin/named
CWD  3682: /var/cache/bind
EXE  3682: /usr/sbin/named
CWD  3683: /var/cache/bind
EXE  3683: /usr/sbin/named
I am running Debian, kernel 2.6.16-2-686.
A firewall is installed and running, as is a hardware firewall.
The server is running apache, dns, exim, ftp, mysql, ...
SSH is limited to my IP only, no root login allowed.

No weird connections from netstat -tap.

Is my Bind 'infected' or is this a false positive? Any ideas what to look at to see if this is a false positive or the real deal?

Any help would be appreciated!
 
Old 10-16-2006, 06:07 AM   #2
unSpawn
Search LQ - Security and you'll find for instance http://www.linuxquestions.org/questi...d.php?t=273943
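
One way to check whether the PIDs listed by chkproc are threads of a visible process rather than hidden processes, as an added example that is not part of the original posts or of chkrootkit: on 2.6 kernels a thread has a /proc/<tid> entry that a direct lookup finds but ps does not list by default, and its status file shows a Tgid different from its Pid. The function names and the PROC_ROOT variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: triage PIDs that chkproc reports as hidden from ps.
# PROC_ROOT is an assumption added for testing; it defaults to the real /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Extract unique PIDs from "chkproc -v -v -p 3" output lines such as
# "EXE  3681: /usr/sbin/named".
pids_from_chkproc() {
    awk '$1 == "EXE" || $1 == "CWD" { sub(":", "", $2); print $2 }' | sort -un
}

# Print one field (e.g. Pid, Tgid, Name) from $PROC_ROOT/<pid>/status.
status_field() {
    awk -v key="$2:" '$1 == key { print $2; exit }' "$PROC_ROOT/$1/status" 2>/dev/null
}

# Classify one PID:
#   gone             - no /proc entry any more (short-lived process)
#   thread-of <tgid> - Tgid differs from Pid: a thread of process <tgid>
#   process          - a thread-group leader; ps should list it, so if it
#                      does not, keep investigating
classify_pid() {
    pid="$1"
    [ -r "$PROC_ROOT/$pid/status" ] || { echo "gone"; return 0; }
    tgid=$(status_field "$pid" Tgid)
    if [ -n "$tgid" ] && [ "$tgid" != "$pid" ]; then
        echo "thread-of $tgid"
    else
        echo "process"
    fi
}

# Read chkproc output on stdin and print "<pid> <class> <name>" per PID.
triage() {
    pids_from_chkproc | while read -r pid; do
        echo "$pid $(classify_pid "$pid") $(status_field "$pid" Name)"
    done
}

# Sample input: the EXE lines quoted in the first post. On another host
# these PIDs will normally print "gone".
triage <<'EOF'
EXE  3681: /usr/sbin/named
EXE  3682: /usr/sbin/named
EXE  3683: /usr/sbin/named
EOF
```

On the affected host, pipe the output of `chkrootkit -x lkm` into `triage` right after the warning appears. A `thread-of` result whose leader PID shows up in ps points to a false positive; a `process` result that ps still omits deserves a closer look.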
 
  


All times are GMT -5. The time now is 10:38 PM.
