LinuxQuestions.org

Linux - Server: chkrootkit warning (https://www.linuxquestions.org/questions/linux-server-73/chkrootkit-warning-779471/)

qwertyjjj 01-02-2010 06:38 PM

chkrootkit warning
 
Found this in chkrootkit (nothing in rkhunter).
Is this another false positive?

Quote:

Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Quote:

Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 3187 tty6 /sbin/mingetty tty6
! RSTART 24942 r(filename, - 1);? } else {? filename_no_gz = filename;? }? match(filename_no_gz, "/[^/]+$");? progname = substr(filename, RSTART + 1, RLENGTH - 1);? if (match(progname, "\\." section "[A-Za-z]+")) {? actual_section = substr(progna! da? 16232 | $2 ~ /^NUME/ || # ro? $2 ~ /^BEZEICHNUNG/ || # de? $2 ~ /^NOMBRE/ || # es? $2 ~ /^NIMI/ || # fi? $2 ~ /^NOM/ || # fr? $2 ~ /^IME/ || # sh?chkutmp: nothing deleted


alunduil 01-03-2010 12:43 PM

That does indeed look suspicious. Did you check that chkrootkit's results were correct? And depending on how paranoid about security you have to be: proceed with caution. A few more details about the machine's role, etc. will help us determine how to proceed.

Regards,

Alunduil

qwertyjjj 01-03-2010 12:46 PM

Quote:

Originally Posted by alunduil (Post 3812712)
That does indeed look suspicious. Did you check that chkrootkit's results were correct? And depending on how paranoid about security you have to be: proceed with caution. A few more details about the machine's role, etc. will help us determine how to proceed.

Regards,

Alunduil

Not sure how to check if they are correct?
Do I just rerun it?
I basically only use the machine as a proxy server although I did recently open up the OpenVPN port but have not fully finished installing OpenVPN.
I just reran chkrootkit and the same results were not there - all clear.
Quote:

Checking `lkm'... chkproc: nothing detected

Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 3187 tty6 /sbin/mingetty tty6
chkutmp: nothing deleted

Nothing has turned up in rkhunter at all - all clear.

alunduil 01-03-2010 12:50 PM

Are you logged in as root on tty6? If so, then you're probably safe.

Regards,

Alunduil

qwertyjjj 01-03-2010 01:00 PM

Quote:

Originally Posted by alunduil (Post 3812722)
Are you logged in as root on tty6? If so, then you're probably safe.

Regards,

Alunduil

Stupid question but what is TTY? :)
Yes, I was logged in as root when I reran it.

Why does chkrootkit throw up these false positives that disappear every so often? It's almost random.

alunduil 01-03-2010 01:12 PM

The virtual consoles (accessed via Ctrl+F?) are usually associated with a tty. The details of this are in /etc/inittab (unless you're on Ubuntu; they moved that configuration around).

It's the nature of rootkit hunters and what they search for that causes the false positives. I've always been a firm believer in forensic tools combined with knowing your system by watching a statistical tool such as cacti.

Regards,

Alunduil

EricTRA 01-03-2010 01:22 PM

Hi,

TTY is a communication layer between the system and the user, put as simply as I can and to the best of my knowledge. You can find more information on it on this site, which I may say is very technical.

Kind regards,

Eric

qwertyjjj 01-09-2010 06:02 PM

and another today randomly:

Quote:

Checking `lkm'... You have 2 process hidden for readdir command
You have 2 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
eth0:0: not promisc and no PF_PACKET sockets
tun0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 3187 tty6 /sbin/mingetty tty6
! RSTART 24942 r(filename, - 1);? } else {? filename_no_gz = filename;? }? match(filename_no_gz, "/[^/]+$");? progname = substr(filename, RSTART + 1, RLENGTH - 1);? if (match(progname, "\\." section "[A-Za-z]+")) {? actual_section = substr(progna! da? 16232 | $2 ~ /^NUME/ || # ro? $2 ~ /^BEZEICHNUNG/ || # de? $2 ~ /^NOMBRE/ || # es? $2 ~ /^NIMI/ || # fi? $2 ~ /^NOM/ || # fr? $2 ~ /^IME/ || # sh?chkutmp: nothing deleted


alunduil 01-09-2010 11:46 PM

Which tty do you run X on? Or do you have this as a headless machine? That may be causing the spurious tty check failure.

Regards,

Alunduil

qwertyjjj 01-10-2010 03:47 AM

Quote:

Originally Posted by alunduil (Post 3820800)
Which tty do you run X on? Or do you have this as a headless machine? That may cause the spurious tty check fail.

Regards,

Alunduil

What's X?
I'm reading through that TTY site at present but have little idea of what it is really at present.

alunduil 01-10-2010 10:12 AM

X is the GUI (graphical user interface).

Regards,

Alunduil

qwertyjjj 01-10-2010 10:17 AM

Quote:

Originally Posted by alunduil (Post 3821234)
X is the GUI (graphical user interface).

Regards,

Alunduil

Oh... I don't have a GUI, just the command line.

alunduil 01-10-2010 10:27 AM

Then the question remains as to what processes are running on that tty.

Let's try running the following:

Code:

ps lxf | gawk '$3 == <pid> {print}'   # BSD option syntax (no leading dash); PID is column 3 of "ps l" output
Where <pid> is the PID of the tty returned by chkrootkit.

Regards,

Alunduil

qwertyjjj 01-10-2010 10:30 AM

Quote:

Originally Posted by alunduil (Post 3821249)
Then the question remains as to what processes are running on that tty.

Let's try running the following:

Code:

ps lxf | gawk '$3 == <pid> {print}'   # BSD option syntax (no leading dash); PID is column 3 of "ps l" output
Where <pid> is the PID of the tty returned by chkrootkit.

Regards,

Alunduil

Syntax error somewhere?
Quote:

[root@]# ps -lxf | gawk '$4 == 3187 {print $n}'
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ
[root@]# ps -lxf | gawk '$4 == 24942 {print $n}'
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ

I reran chkrootkit and nothing appeared. Only worry is whether something is happening when I'm not logged on in the middle of the night perhaps.

alunduil 01-10-2010 11:05 AM

What time does chkrootkit run and what time does cron run? Does cron run the chkrootkit? If so, I'm willing to bet that chkrootkit is finding its own parent and saying it's a break-in.

Regards,

Alunduil

