The Community Forums


chkrootkit - lkm -mysql

Discussion in 'General Discussion' started by oderland, Nov 3, 2004.

  1. oderland

    oderland Well-Known Member
    PartnerNOC

    Hi

    We have several servers where chkrootkit says
    Checking `lkm'... You have 26 process hidden for ps command
    Warning: Possible LKM Trojan installed

    rkhunter runs without warnings

    chkrootkit -x lkm
    ROOTDIR is `/'
    ###
    ### Output of: ./chkproc -v -v -p 1
    ###

    PID 2611: not in ps output
    CWD 2611: /var/named
    EXE 2611: /usr/sbin/named
    PID 2612: not in ps output
    CWD 2612: /var/named
    EXE 2612: /usr/sbin/named
    PID 2613: not in ps output
    CWD 2613: /var/named
    EXE 2613: /usr/sbin/named
    PID 2614: not in ps output
    CWD 2614: /var/named
    EXE 2614: /usr/sbin/named
    PID 2615: not in ps output
    CWD 2615: /var/named
    EXE 2615: /usr/sbin/named
    PID 2871: not in ps output
    CWD 2871: /var/lib/mysql
    EXE 2871: /usr/sbin/mysqld
    PID 2872: not in ps output
    CWD 2872: /var/lib/mysql
    EXE 2872: /usr/sbin/mysqld
    PID 2873: not in ps output
    CWD 2873: /var/lib/mysql
    EXE 2873: /usr/sbin/mysqld
    PID 2874: not in ps output
    CWD 2874: /var/lib/mysql
    EXE 2874: /usr/sbin/mysqld
    PID 2875: not in ps output
    CWD 2875: /var/lib/mysql
    EXE 2875: /usr/sbin/mysqld
    PID 2876: not in ps output
    CWD 2876: /var/lib/mysql
    EXE 2876: /usr/sbin/mysqld
    PID 2877: not in ps output
    CWD 2877: /var/lib/mysql
    EXE 2877: /usr/sbin/mysqld
    PID 2878: not in ps output
    CWD 2878: /var/lib/mysql
    EXE 2878: /usr/sbin/mysqld
    PID 2879: not in ps output
    CWD 2879: /var/lib/mysql
    EXE 2879: /usr/sbin/mysqld
    PID 8993: not in ps output
    CWD 8993: /var/lib/mysql
    EXE 8993: /usr/sbin/mysqld
    PID 18047: not in ps output
    CWD 18047: /var/lib/mysql
    EXE 18047: /usr/sbin/mysqld
    PID 18266: not in ps output
    CWD 18266: /var/lib/mysql
    EXE 18266: /usr/sbin/mysqld
    PID 20600: not in ps output
    CWD 20600: /usr/local/cpanel/var/run/stunnel
    EXE 20600: /usr/bin/stunnel-4.04local
    PID 23596: not in ps output
    CWD 23596: /var/lib/mysql
    EXE 23596: /usr/sbin/mysqld
    PID 23847: not in ps output
    CWD 23847: /var/lib/mysql
    EXE 23847: /usr/sbin/mysqld
    PID 24005: not in ps output
    CWD 24005: /var/lib/mysql
    EXE 24005: /usr/sbin/mysqld
    PID 24013: not in ps output
    CWD 24013: /var/lib/mysql
    EXE 24013: /usr/sbin/mysqld
    PID 24620: not in ps output
    CWD 24620: /var/lib/mysql
    EXE 24620: /usr/sbin/mysqld
    PID 24628: not in ps output
    CWD 24628: /var/lib/mysql
    EXE 24628: /usr/sbin/mysqld
    PID 25253: not in ps output
    CWD 25253: /var/lib/mysql
    EXE 25253: /usr/sbin/mysqld
    PID 25492: not in ps output
    CWD 25492: /var/lib/mysql
    EXE 25492: /usr/sbin/mysqld
    You have 26 process hidden for ps command


    What to do? It sounds like a false warning to me... :confused:
     
  2. oderland

    oderland Well-Known Member
    PartnerNOC

    Stopped mysql and ran chkrootkit again. No problems showing up anymore.
    I suppose it was some hung processes? Anyone who has more info about that?

    :rolleyes:
     
  3. chirpy

    chirpy Well-Known Member

    I'm finding more and more that the LKM detection part of chkrootkit is quite unreliable unless there are other issues that it or rkhunter complain about. I've seen what you have with several apps, including MySQL, MailScanner, Exim. Chkrootkit hidden process checking can only be so effective as the speed at which it runs, as the difference in snapshot between the comparable sources of process information has to be detected sequentially and there's always potential for discrepancies, especially with defunct, zombie, or fast spawning processes.

    Without more evidence of problems, I'd personally ignore it, but be aware of it ;)
     

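The sequential-snapshot weakness chirpy describes can be narrowed down in a check of your own. The script below is an added example, not chkrootkit's or chkproc's code: it probes /proc/<N> numerically the way chkproc does, then attributes a PID missing from ps either to a thread of a visible process (read from Tgid in /proc/<pid>/status; that threads of mysqld and named are what show up as "hidden" here is an assumption, not something the thread establishes) or to a process that exited between the two snapshots, and only reports what is left after two passes. It assumes Linux with a /proc that reports Tgid and a ps that accepts -e -o pid=.

```python
import os
import subprocess
import time

# Added example, not chkrootkit's own code. Mirrors the chkproc idea
# (probe /proc/<N> numerically, compare with ps) but explains away the
# two usual false positives: threads of a visible process and
# processes that vanish between the two snapshots.

def ps_pids():
    """PIDs that `ps` is willing to show (the 'visible' side of the check)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def probed_pids(max_pid=65535):
    """PIDs found by probing /proc/<N> directly, as chkproc does; this
    also finds thread ids that readdir(/proc) does not list."""
    return {n for n in range(1, max_pid + 1) if os.path.exists(f"/proc/{n}/status")}

def tgid_of(pid):
    """Thread group id from /proc/<pid>/status; equals pid for a real process,
    None if the entry disappeared between probe and read."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None

def classify(probed, visible, tgid):
    """Split PIDs that ps does not show into threads of a visible process,
    entries that vanished (race), and genuinely unexplained ones.
    `tgid` maps pid -> Tgid, or None if the entry disappeared."""
    threads, gone, unexplained = set(), set(), set()
    for pid in probed - visible:
        t = tgid.get(pid)
        if t is None:
            gone.add(pid)
        elif t != pid and t in visible:
            threads.add(pid)
        else:
            unexplained.add(pid)
    return threads, gone, unexplained

def confirmed_hidden(passes=2, pause=1.0):
    """Report a PID as hidden only if it is unexplained in every pass."""
    hidden = None
    for _ in range(passes):
        probed = probed_pids()
        tg = {p: tgid_of(p) for p in probed}
        _, _, unexplained = classify(probed, ps_pids(), tg)
        hidden = unexplained if hidden is None else hidden & unexplained
        time.sleep(pause)
    return hidden

if __name__ == "__main__":
    print("unexplained hidden PIDs:", sorted(confirmed_hidden()))
```

Anything still reported by confirmed_hidden() is worth a closer look; a PID whose Tgid points at a process ps does not show either is not explained by threading and stays in the unexplained set.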