hacked or false positives?

**elleryjh** · 01-17-2005 06:20 PM

Can someone please help me read the output from chkrootkit and Scan for Trojans? Thanks in advance!

From chkrootkit:
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'...
You have 1 process hidden for readdir command
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed

From WHM's Scan for Trojan Horses:
Possible Trojan - /usr/bin/curl
Possible Trojan - /usr/bin/podchecker
Possible Trojan - /usr/bin/pstruct
Possible Trojan - /usr/bin/splain
Possible Trojan - /usr/bin/xsubpp
Possible Trojan - /usr/bin/curl-config
Possible Trojan - /usr/bin/dbiprof
Possible Trojan - /usr/bin/sa-learn
Possible Trojan - /usr/bin/spamassassin
Possible Trojan - /usr/bin/spamc
Possible Trojan - /usr/bin/spamd
11 POSSIBLE Trojans Detected

**sawbuck** · 01-17-2005 09:57 PM

Most likely all false positives. Grab rkhunter and check the (more reliable) output from it.
http://www.rootkit.nl/

**dr2web** · 03-07-2005 12:30 PM

Just in case anyone reads this... I had the exact same problem from chkrootkit...

I installed rkhunter and it was indeed a false positive...

Install rkhunter it is alot cleaner and more accurate.

**Aric1** · 03-07-2005 02:17 PM

And updated more often, which is important in such a tool.

Don't forget to "show the love" to the author by buying him something on his Amazon wishlist. He's a good guy and very responsive.

LinkBack

Thread Tools

hacked or false positives?

New high rate of false positives in Mailscanner?

assp, mailscanner, ... false positives?

% of false positives for default spamassassin implementation?

False Positives in "Quick Security" and "Trojan Horse" Scan

anti-spam - is no 'false positives' achievable?