Chkrootkit output

Discussion in 'Linux VPS/Dedicated - cPanel' started by Dan, Oct 4, 2007.

  1. Dan

    Dan Moderator

    Hello all,

    I ran chkrootkit today and found a couple of things a bit curious. I've looked around and it looks like they may be ok but I thought I'd see if anyone else is having the same results.

    Code:
    Checking `bindshell'... INFECTED (PORTS:  465)
    Checking `lkm'... You have    90 process hidden for readdir command
    chkproc: Warning: Possible LKM Trojan installed

    Now, the bindshell is a false positive, as that is Exim's TLS, but the 90 hidden processes for the readdir command are a bit troubling.

    The last couple of lines of the output of ./chkproc -v -v are:
    Code:
    PID 32607(/proc/32607): not in getpriority readdir output
    You have    89 process hidden for readdir command

    although when I try to ls /proc/32607 the folder doesn't even exist, so needless to say I am more than a bit confused here.
     
  2. khiltd

    khiltd New Member

    That's not really what I'd call English, so I'm not sure what it's even supposed to mean. Does it give you any names for these "process" or just a tally?
     
  3. Dan

    Dan Moderator

    Morning Khiltd,

    What you see is what it gives me, and it looks like "readdir" is the command they're talking about, doesn't it?
     
  4. khiltd

    khiltd New Member

    Well, readdir is a C function, which also exists in PHP and Perl, not a command, so I have no idea. It doesn't seem like a very well-put-together script, so I'd probably look at what it actually does before assuming its output was meaningful in any way.
     
  5. Dan

    Dan Moderator

    I hear you, khiltd. Chkrootkit is simply one of those things that it's recommended to run every now and then. I have rkhunter run via a daily cron too, which has also been giving me errors since their latest update.

    I posted, even though I thought this may be a false positive caused by running chkrootkit in a VPS environment, in the hope that someone else who uses chkrootkit could confirm the same results.

    Better safe than sorry, I would think.
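
The following is an added example, not chkrootkit's own code and not posted by anyone in this thread. It re-creates the check behind chkproc's "process hidden for readdir command" message from the first post (the thread's output shows it compares getpriority() against readdir of /proc) and adds the second look that the fifth post's "false positive" suspicion needs: it separates a process that merely exited mid-scan (the first post's case, where a PID is flagged yet /proc/32607 is gone by the time ls runs) from one that stays alive while missing from the listing. Assumptions: a Linux-style /proc mount point, and a pid_max fallback of 32768 when /proc/sys/kernel/pid_max cannot be read.

```python
#!/usr/bin/env python3
"""Added example (not chkrootkit's code): a chkproc-style hidden-process check
with a re-check that tells a transient PID from a persistently hidden one.

Two views of the process table are diffed:
  readdir view  - PIDs that appear when /proc is listed (what ls sees)
  syscall view  - PIDs that answer getpriority(PRIO_PROCESS, pid)
A rootkit hooking readdir/getdents to hide a process leaves it answering
syscalls. The two views are taken at different instants, though, so a process
that starts or exits in between is also reported as a discrepancy.
"""
import os
import time
from collections import Counter

PROC = "/proc"            # assumed procfs mount point
PID_MAX_FALLBACK = 32768  # assumption used when the kernel value is unreadable


def pids_from_readdir(proc=PROC):
    """PIDs visible when the directory is listed (readdir / getdents)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pid_answers_getpriority(pid):
    """True if the kernel knows this PID, learned without touching /proc.
    getpriority() has no permission check, so unlike kill(pid, 0) there is
    no EPERM case to interpret: ESRCH simply means no such process."""
    try:
        os.getpriority(os.PRIO_PROCESS, pid)
        return True
    except ProcessLookupError:
        return False


def pids_from_getpriority(max_pid):
    """Brute-force probe of every PID up to max_pid, as chkproc does."""
    return {pid for pid in range(1, max_pid + 1) if pid_answers_getpriority(pid)}


def pid_max(proc=PROC):
    """Highest PID the kernel hands out, or the assumed fallback."""
    try:
        with open(os.path.join(proc, "sys", "kernel", "pid_max")) as f:
            return int(f.read())
    except (OSError, ValueError):
        return PID_MAX_FALLBACK


def hidden_candidates(readdir_pids, syscall_pids):
    """What chkproc counts: answers a syscall but absent from the listing."""
    return sorted(syscall_pids - readdir_pids)


def classify(pid, readdir_now, alive_now, stat_ok):
    """Verdict for one candidate from a second look taken after the scan.
    readdir_now: pid appeared in a fresh listing of /proc
    alive_now:   pid still answers getpriority()
    stat_ok:     os.stat('/proc/<pid>') succeeded (path lookup, no readdir)
    """
    if not alive_now:
        return "transient"        # exited during the scan; /proc/<pid> is gone
    if readdir_now:
        return "new"              # started between the two views, now visible
    if stat_ok:
        return "hidden"           # alive and reachable by path, yet missing
                                  # from the listing: the readdir-hook signature
    return "hidden-no-entry"      # alive per syscall but no /proc entry at all


def recheck(pid, proc=PROC):
    """Take the second look at one candidate and classify it."""
    readdir_now = pid in pids_from_readdir(proc)
    alive_now = pid_answers_getpriority(pid)
    try:
        os.stat(os.path.join(proc, str(pid)))
        stat_ok = True
    except OSError:
        stat_ok = False
    return classify(pid, readdir_now, alive_now, stat_ok)


def summarize(verdicts):
    """Count verdicts, e.g. {'transient': 2, 'hidden': 1}."""
    return dict(Counter(verdicts.values()))


def scan(proc=PROC, settle=0.5, max_pid=None):
    """One chkproc-style pass, then a re-check of every candidate."""
    readdir_pids = pids_from_readdir(proc)
    syscall_pids = pids_from_getpriority(max_pid or pid_max(proc))
    candidates = hidden_candidates(readdir_pids, syscall_pids)
    time.sleep(settle)  # give short-lived processes time to finish exiting
    return {pid: recheck(pid, proc) for pid in candidates}


if __name__ == "__main__":
    verdicts = scan()
    for pid, verdict in verdicts.items():
        print(f"PID {pid}: {verdict}")
    print(f"chkproc-style count: You have {len(verdicts)} process hidden "
          f"for readdir command; breakdown: {summarize(verdicts)}")
```

Run it as root; probing every PID up to a modern pid_max of 4194304 takes a few seconds in Python. A verdict of "transient" is the vanished-PID situation from the first post and carries no signal on a busy mail or web host, where cron jobs, deliveries and CGI processes come and go constantly. Only a PID that comes back "hidden" on repeated runs deserves attention, and the stat() lookup gives the next step: /proc/<pid>/cmdline and /proc/<pid>/exe are usually still readable by path when only the directory listing is hooked. One caveat: with /proc mounted hidepid=2, a non-root run reports every other user's process as "hidden-no-entry", because getpriority() ignores the mount option while readdir and stat honour it.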
     
