LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 04-16-2019, 10:14 AM   #16
hydrurga
LQ Guru
 
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 19.1 MATE
Posts: 7,524
Blog Entries: 2

Rep: Reputation: 2645

For LKM, see https://askubuntu.com/questions/5878...ble-klm-trojan

Yes, the packet sniffer is a false positive.
 
Old 04-16-2019, 10:37 AM   #17
Seniark
LQ Newbie
 
Registered: Mar 2019
Posts: 16

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by hydrurga
For LKM, see https://askubuntu.com/questions/5878...ble-klm-trojan

Yes, the packet sniffer is a false positive.


Rkhunter reported the LKM trojan as well a few minutes ago, but now when I run it again it doesn't report it anymore. Is that a cause for concern?


How can I determine the exact process and application that chkrootkit thought was suspicious? When I type "./chkproc -v" it says "bash: ./chkproc: No such file or directory".

Last edited by Seniark; 04-16-2019 at 10:40 AM.
 
Old 04-16-2019, 10:46 AM   #18
hydrurga
LQ Guru
 
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 19.1 MATE
Posts: 7,524
Blog Entries: 2

Rep: Reputation: 2645
Quote:
Originally Posted by Seniark
Rkhunter reported the LKM trojan as well a few minutes ago, but now when I run it again it doesn't report it anymore. Is that a cause for concern?

How can I determine the exact process and application that chkrootkit thought was suspicious? When I type "./chkproc -v" it says "bash: ./chkproc: No such file or directory".
I have no idea, to be honest, whether or not that is a cause for concern.

You have to be in the chkrootkit directory (where you installed chkrootkit) for that command to work. When I run it, it lists quite a number of processes though so I don't know how useful it will be for you.

Some general reading: https://www.dedoimedo.com/computers/...m-warning.html
 
Old 04-16-2019, 11:02 AM   #19
Seniark
LQ Newbie
 
Registered: Mar 2019
Posts: 16

Original Poster
Rep: Reputation: Disabled
Ok, I got something concrete this time.

This is the output of chkproc:

Code:
[email protected]:/usr/lib/chkrootkit$ ./chkproc -v
PID 21961(/proc/21961): not in readdir output
PID 21961: not in ps output
PID 21962(/proc/21962): not in readdir output
PID 21962: not in ps output
You have     2 process hidden for readdir command
You have     2 process hidden for ps command
and then...

Code:
[email protected]:/proc/21961$ cd /proc/21961/ && cat cmdline
/opt/Wire/wire-desktop --type=renderer --no-sandbox --enable-features=SharedArrayBuffer --disable-gpu-compositing --service-pipe-token=5018331470343674612 --lang=en-US --app-path=/opt/Wire/resources/app --node-integration=false --webview-tag=true --no-sandbox --preload=/opt/Wire/resources/app/renderer/static/webview-preload.js --background-color=#fff --guest-instance-id=2 --enable-blink-features --disable-blink-features --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=5018331470343674612 --renderer-client-id=8 --shared-files=v8_context_snapshot_data:100,v8_natives_data:[email protected]:/proc/21961$ 
[email protected]:/proc/21961$ cd /proc/21962/ && cat cmdline
bash: cd: /proc/21962/: No such file or directory
Wire is a chat client I downloaded from wire.com, and it's not suspicious. I suppose the second process terminated before I could see what it was.

So I suppose there's not much cause for concern. I wonder why chkrootkit is more likely to report that alarm when snap is installed, though.

Thanks a lot, man. I really appreciate the help on this forum from everyone.
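The chkproc output above (a PID that answers a direct probe but is missing from the readdir and ps listings) is exactly what a process spawned or exited mid-scan produces, which is why the Wire renderer showed up and PID 21962 was gone by the time it was looked at. The following is an added example, not chkrootkit's own code: it repeats the readdir / ps / probe comparison in two rounds so that only a PID flagged in both rounds is reported as hidden, and prints each flagged PID's command line the way the post did with `cat cmdline`. It assumes a Linux /proc and a procps-style `ps`.

```python
"""Two-round hidden-process check modelled on chkproc's readdir / ps / probe
comparison (added example, not chkrootkit's code). Assumes Linux /proc and ps."""
import os
import subprocess
import time

def pid_max():
    """Upper bound for the PID probe; falls back to 32768 if /proc/sys is unreadable."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except (OSError, ValueError):
        return 32768

def snapshot():
    """One round in chkproc's order: list /proc, list ps, then probe every PID directly.
    Probing up to pid_max (4194304 on 64-bit kernels) takes a few seconds."""
    readdir = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    ps_out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True).stdout
    ps = {int(p) for p in ps_out.split()}
    probed = {pid for pid in range(1, pid_max()) if os.path.exists(f"/proc/{pid}")}
    return readdir, ps, probed

def suspicious(readdir, ps, probed):
    """PIDs that answer a direct probe but are missing from readdir or ps output."""
    return {pid for pid in probed if pid not in readdir or pid not in ps}

def classify(round1, round2):
    """Flagged in both rounds: genuinely hidden. Flagged only in the first round:
    a transient that was spawned or exited between listing and probe."""
    first, second = suspicious(*round1), suspicious(*round2)
    return {pid: ("hidden" if pid in second else "transient") for pid in sorted(first)}

def cmdline(pid):
    """Decode NUL-separated /proc/<pid>/cmdline; empty list if the process is gone."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    except OSError:
        return []

def scan(pause=0.5):
    """Run two rounds and print a verdict plus the command line of each flagged PID."""
    first = snapshot()
    time.sleep(pause)
    verdict = classify(first, snapshot())
    for pid, state in verdict.items():
        print(f"PID {pid}: {state} {' '.join(cmdline(pid)) or '(exited)'}")
    return verdict
```

Call `scan()` as root so that every /proc/<pid>/cmdline is readable; a PID reported as hidden in both rounds, rather than transient, is the case worth investigating further.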
 
Old 04-16-2019, 12:24 PM   #20
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 11,308
Blog Entries: 8

Rep: Reputation: 2935
Quote:
Originally Posted by Seniark
As far as I remember, I had these packages installed using snapd:

https://snapcraft.io/odio
https://snapcraft.io/somafm-qt
somafm-qt looks harmless enough, just compiling it myself now.
nevertheless, it could be communicating with soma.fm somehow.

odio - not so much. i could not find the source code anywhere. it could be doing all kinds of datamining on your system and transmitting that to the maintainer.

additionally, i do not really trust snappy, who knows in what ways it phones home.
 
Old 04-16-2019, 12:41 PM   #21
hydrurga
LQ Guru
 
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 19.1 MATE
Posts: 7,524
Blog Entries: 2

Rep: Reputation: 2645
Quote:
Originally Posted by Seniark
Ok, I got something concrete this time.

This is the output of chkproc:

Code:
[email protected]:/usr/lib/chkrootkit$ ./chkproc -v
PID 21961(/proc/21961): not in readdir output
PID 21961: not in ps output
PID 21962(/proc/21962): not in readdir output
PID 21962: not in ps output
You have     2 process hidden for readdir command
You have     2 process hidden for ps command
and then...

Wire is a chat client I downloaded from wire.com, and it's not suspicious. I suppose the second process terminated before I could see what it was.

So I suppose there's not much cause for concern. I wonder why chkrootkit is more likely to report that alarm when snap is installed, though.

Thanks a lot, man. I really appreciate the help on this forum from everyone.
Looks like you got your culprit.
 
Old 04-16-2019, 01:35 PM   #22
Seniark
LQ Newbie
 
Registered: Mar 2019
Posts: 16

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by ondoho
somafm-qt looks harmless enough, just compiling it myself now.
nevertheless, it could be communicating with soma.fm somehow.

odio - not so much. i could not find the source code anywhere. it could be doing all kinds of datamining on your system and transmitting that to the maintainer.

additionally, i do not really trust snappy, who knows in what ways it phones home.

I forgot to mention yesterday that I also had Opentyrian installed via snap.

https://snapcraft.io/opentyrian

I've now uninstalled snapd (sudo apt remove snapd), but not every one of its individual applications. Chkrootkit doesn't report LKM trojan for the time being.
 
Old 04-17-2019, 12:38 AM   #23
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 11,308
Blog Entries: 8

Rep: Reputation: 2935
i don't understand ubuntu's obsession with snappy.
opentyrian is available in the repos of both major distributions i am using, one of them debian - so very likely also in ubuntu's repos.
Quote:
Originally Posted by Seniark
I've now uninstalled snapd (sudo apt remove snapd), but not every one of its individual applications.
to my understanding that means that the individual packages cannot be active anymore now - but how are you going to uninstall them now?
 