Chkrootkit output

Dan

Moderator
#1
Hello all,

I ran chkrootkit today and found a couple of things that were a bit curious. I've looked around, and it looks like they may be OK, but I thought I'd see if anyone else is having the same results.

Code:
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... You have    90 process hidden for readdir command
chkproc: Warning: Possible LKM Trojan installed
Now, the bindshell is a false positive, as that is Exim's TLS, but the 90 hidden processes for the readdir command are a bit troubling.

The last couple of lines of the output of ./chkproc -v -v are:
Code:
PID 32607(/proc/32607): not in getpriority readdir output
You have    89 process hidden for readdir command
although when I try to ls /proc/32607, the folder doesn't even exist, so needless to say I am more than a bit confused here.
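
The comparison behind the chkproc lines quoted above, as an added example that is not from this thread or from chkrootkit's own code: it enumerates PIDs the way `ls /proc` does (readdir of /proc), sweeps the same PID range with getpriority(2), and reports the PIDs the probe finds that readdir did not. It assumes a Linux host with procfs mounted at /proc and a readable /proc/sys/kernel/pid_max. It goes beyond what chkproc prints by re-checking each candidate before calling it hidden, which is how a practitioner would separate three benign cases from a real one: a process that exited between the two passes (its /proc directory is gone by the time you look, which matches the `ls /proc/32607` result in the post), a process started after the readdir pass, and a thread, whose TID is accepted by getpriority(2) and reachable by `ls /proc/<tid>` but is never listed by readdir of /proc. The candidate classification is written against injected probe functions so it can be exercised with constructed inputs; the live scan passes the real ones.

```python
import os
import time

PROC = "/proc"  # assumption: Linux procfs mounted at the usual location


def pids_via_readdir(proc=PROC):
    """Enumerate PIDs the way `ls /proc` does: numeric directory entries only.
    readdir lists thread-group leaders, never individual threads."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pid_exists(pid):
    """Probe one PID with getpriority(2). ESRCH (ProcessLookupError) means no
    such task; success means a process *or thread* with that id is alive."""
    try:
        os.getpriority(os.PRIO_PROCESS, pid)
    except ProcessLookupError:
        return False
    return True


def pids_via_getpriority(max_pid):
    """Sweep 1..max_pid with the syscall probe, independently of readdir."""
    return {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}


def hidden_from_readdir(readdir_pids, probe_pids):
    """chkproc's 'hidden for readdir' candidates: found by the probe, absent from readdir."""
    return set(probe_pids) - set(readdir_pids)


def read_tgid(pid, proc=PROC):
    """Thread-group id from /proc/<pid>/status (lookup works even for TIDs that
    readdir does not list). None if the entry has already disappeared."""
    try:
        with open(os.path.join(proc, str(pid), "status")) as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError):
        return None
    return None


def classify(candidates, still_exists, listed_by_readdir, tgid_lookup,
             retries=3, delay=0.2):
    """Explain every candidate before calling it hidden. Verdicts:
      'exited' : gone on re-check, so it ended between the two passes
      'listed' : now present in readdir, so it started after the readdir pass
      'thread' : Tgid != Pid, a thread that readdir never lists by design
      'hidden' : alive, not a thread, absent from readdir on every retry
    The probes are injected so the logic can be tested with fakes."""
    verdicts = {}
    for pid in sorted(candidates):
        verdict = "hidden"
        for _ in range(retries):
            if delay:
                time.sleep(delay)
            if not still_exists(pid):
                verdict = "exited"
                break
            if listed_by_readdir(pid):
                verdict = "listed"
                break
            tgid = tgid_lookup(pid)
            if tgid is not None and tgid != pid:
                verdict = "thread"
                break
        verdicts[pid] = verdict
    return verdicts


def live_scan(proc=PROC):
    """Run the full comparison on this host; returns {pid: verdict} for all candidates."""
    with open(os.path.join(proc, "sys", "kernel", "pid_max")) as fh:
        max_pid = int(fh.read())
    candidates = hidden_from_readdir(pids_via_readdir(proc), pids_via_getpriority(max_pid))
    return classify(
        candidates,
        still_exists=pid_exists,
        listed_by_readdir=lambda pid: pid in pids_via_readdir(proc),
        tgid_lookup=lambda pid: read_tgid(pid, proc),
    )


if __name__ == "__main__":
    verdicts = live_scan()
    for pid, verdict in verdicts.items():
        print(f"PID {pid}({PROC}/{pid}): not in getpriority readdir output -> {verdict}")
    hidden = [pid for pid, v in verdicts.items() if v == "hidden"]
    print(f"You have {len(hidden)} process(es) hidden for readdir after re-check")
```

On a host with a large pid_max the getpriority sweep takes several seconds in Python; that is the cost of probing every PID rather than trusting readdir. Only the 'hidden' verdict is worth escalating: a task that stays alive, is not a thread, and never appears in readdir across retries is the behaviour a process-hiding LKM would produce, whereas 'exited', 'listed' and 'thread' are the ordinary ways a single pass can disagree with itself.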
 
#2
That's not really what I'd call English, so I'm not sure what it's even supposed to mean. Does it give you any names for these "process" or just a tally?
 

Dan

Moderator
#3
Morning Khiltd,

What you see is what it gives me, and it looks like "readdir" is the command they're talking about, doesn't it?
 
#4
Well, readdir is a C function, which also exists in PHP and Perl, not a command, so I have no idea. It doesn't seem like a very well-put-together script, so I'd probably look at what it actually does before assuming its output was meaningful in any way.
 

Dan

Moderator
#5
I hear you, khiltd. Chkrootkit is simply one of those things that's recommended to run every now and then. I have rkhunter run via a daily cron job too, which has also been giving me errors since their latest update.

I posted, even though I thought this may be a false positive caused by running chkrootkit in a VPS environment, in the hope that someone else who uses chkrootkit could confirm the same results.

Better safe than sorry, I would think.
 