Chkrootkit output

Dan

Moderator
Hello all,

I ran chkrootkit today and found a couple of things a bit curious. I've looked around and it looks like they may be ok but I thought I'd see if anyone else is having the same results.

Code:
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... You have    90 process hidden for readdir command
chkproc: Warning: Possible LKM Trojan installed

Now, the bindshell is a false positive as that is Exim's TLS, but the 90 hidden processes for the readdir command are a bit troubling.

The last couple of lines of the output of ./chkproc -v -v are:
Code:
PID 32607(/proc/32607): not in getpriority readdir output
You have    89 process hidden for readdir command
although when I try to ls /proc/32607, the folder doesn't even exist, so needless to say I am more than a bit confused here.
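The comparison that chkproc's message describes (PIDs that answer to getpriority() but are missing from a readdir of /proc), written out as an added illustration; this is not chkrootkit's own code. The recheck loop is my addition, assumed rather than taken from chkproc: a process that exits between the syscall probe and the readdir is the classic reason a busy or virtualised host reports "hidden" processes, and rechecking drops those transient hits while a PID that stays alive and stays absent from /proc is still reported.

```python
import os


def readdir_pids(proc_dir="/proc"):
    """PIDs visible the way ls and ps see them: a readdir of /proc."""
    return {int(name) for name in os.listdir(proc_dir) if name.isdigit()}


def getpriority_alive(pid):
    """PIDs visible to the kernel: ask via getpriority() rather than /proc.
    ESRCH (ProcessLookupError) means no such process; any other answer means it exists."""
    try:
        os.getpriority(os.PRIO_PROCESS, pid)
        return True
    except ProcessLookupError:
        return False


def find_hidden_pids(listed, alive, max_pid, rechecks=2):
    """Return PIDs that are alive per `alive` but absent from every `listed()` call.

    listed: callable returning the readdir PID set; alive: callable pid -> bool.
    Both are injectable so the logic can be exercised against constructed data.
    The recheck loop is an assumption of mine, not behaviour the thread attributes
    to chkproc: a candidate that dies or shows up in readdir on a later pass is a
    race with a short-lived process, not a hidden one, and is dropped.
    """
    candidates = {pid for pid in range(1, max_pid + 1) if alive(pid)} - listed()
    for _ in range(rechecks):
        if not candidates:
            break
        candidates = {pid for pid in candidates if alive(pid)} - listed()
    return sorted(candidates)


def pid_max(path="/proc/sys/kernel/pid_max"):
    """Upper bound of the PID space on this host; fall back to the old default."""
    try:
        with open(path) as fh:
            return int(fh.read())
    except OSError:
        return 32768


if __name__ == "__main__":
    hidden = find_hidden_pids(readdir_pids, getpriority_alive, pid_max())
    print("alive but hidden from readdir:", hidden or "none")
```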
 
That's not really what I'd call English, so I'm not sure what it's even supposed to mean. Does it give you any names for these "process" or just a tally?
 
Morning Khiltd,

What you see is what it gives me, and it looks like "readdir" is the command they're talking about, doesn't it?
 
Well, readdir is a C function, which also exists in PHP and Perl, not a command, so I have no idea. Doesn't seem like a very well put together script, so I'd probably look at what it actually does before assuming its output was meaningful in any way.
 
I hear you, Khiltd. Chkrootkit is simply one of those things that's recommended to run every now and then. I have rkhunter run via a daily cron too, which has also been giving me errors since their latest update.

I posted even though I thought this may be a false positive caused by running chkrootkit in a VPS environment, in the hope that someone else who uses chkrootkit could confirm the same results.

Better safe than sorry, I would think.
 