Re: Re: chkrootkit reporting possible LKM trojan

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]




Compare with the result of this:
http://www.security-projects.com/?Unhide and tell us.



Leonardo Vilela Pinheiro wrote:
> On 12/22/06, Leonardo Vilela Pinheiro <leopinheiro@xxxxxxxxx> wrote:
>> How can I be sure if it is LKM or not?
>>
>> Today I've run chkrootkit and it gave me:
>>
>> Checking `lkm'... You have   179 process hidden for readdir command
>> You have   179 process hidden for ps command
>> chkproc: Warning: Possible LKM Trojan installed
>>
>> Checking `chkutmp'...  The tty of the following user process(es) were
>> not found
>>  in /var/run/utmp !
>> ! RUID          PID TTY    CMD
>> ! root         3206 tty1   /sbin/mingetty tty1
>> ! root         3285 tty2   /sbin/mingetty tty2
>> ! root         3337 tty3   /sbin/mingetty tty3
>> ! root         3388 tty4   /sbin/mingetty tty4
>> ! root         3439 tty5   /sbin/mingetty tty5
>>
>> Those hidden tty can be "su -" sessions that I have just started. The
>> computer has just been restarted, and I have just opened those su
>> sessions.
>>
>> There are also some "hidden files", all of them named .packlist and
>> .exists. Everything else is fine.
>>
>> rkhunter looks fine.
>>
>> " rpm -Va kernel* " looks fine.
>>
>> Remote users access are being controlled through /etc/ssh/sshd_config
>> in a user-host fashion.
>>
>> Thanks in advance.
>>
>> -- 
>> Vilela
>>
>
> It is a Centos 4.4 box.
>


-- 



Lorenzo Martínez Rodríguez
Consultor de seguridad informática
 

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux