
chkrootkit reports a warning

Discussion in 'cPanel Developers' started by station, Aug 6, 2004.

  1. station

    station Member

    Joined:
    Jul 21, 2004
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    I'm not sure if this is a problem and/or what I should do if it is.
    Code:
    Checking `bindshell'... INFECTED (PORTS:  465)
    Checking `lkm'... You have     3 process hidden for readdir command
    You have     3 process hidden for ps command
    Warning: Possible LKM Trojan installed
    Checking `rexedcs'... not found
    Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
    eth0:1: not promisc and no PF_PACKET sockets
    The 'Warning: Possible LKM Trojan installed' is my main concern. Does anyone know how to proceed in this situation?
    TIA :cool:
     
  2. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    836
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    Can't help with the other ones, but I'm fairly sure 'INFECTED (PORTS: 465)' is a false positive and that the port is used by Exim.
     
  3. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    Don't quote me, but I had a false alarm once. It was due to an old chkrootkit script not being able to identify newer rpms (or something like that--found it on Google). Using the latest chkrootkit showed nothing. So I don't know whether this is good advice or not, but try using a later version of chkrootkit and see if it still detects anything. If it doesn't then you're probably okay.
     
  4. sawbuck

    sawbuck Well-Known Member

    Joined:
    Jan 18, 2004
    Messages:
    1,367
    Likes Received:
    5
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    465 is a known false positive. LKM can show up if you are running MailScanner and chkrootkit just happens to scan at the same time MS runs. A better alternative for us has been to use rkhunter: http://www.rootkit.nl/ Better reporting and fewer false positives.
    HTH
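The two warnings in this thread come from two different chkrootkit checks, and both can be verified by hand rather than trusted or dismissed. The `lkm` check, as the output on the page shows, counts processes "hidden for readdir" and "hidden for ps", i.e. it lists `/proc` and compares the result with `ps`; a process that exits between those two enumerations (a short-lived MailScanner child, for example) shows up as "hidden" once and never again, while a real kernel-level hider keeps the same PID out of `ps` on every pass. The script below is an added example, not chkrootkit's or any poster's code: it repeats the comparison over several snapshots and flags only PIDs hidden in all of them, and it parses the output of `ss -ltnp` (assumed modern format; `netstat -tlnp` was the equivalent in 2004) to show which daemon actually owns port 465. The sample snapshots and the `ss` output are constructed for illustration.

```python
"""Added example: separating a readdir-vs-ps race from persistent process hiding,
and identifying the listener behind a port flagged as a bindshell."""
import os
import re
import subprocess
import time
from typing import Iterable, List, Set, Tuple

Snapshot = Tuple[Set[int], Set[int]]  # (PIDs seen via /proc readdir, PIDs seen via ps)


def hidden_in_snapshot(readdir_pids: Set[int], ps_pids: Set[int]) -> Set[int]:
    """PIDs present when listing /proc but absent from ps output (one pass).
    This mirrors what chkrootkit's lkm test reports as 'hidden for ps command'."""
    return readdir_pids - ps_pids


def persistent_hidden(snapshots: Iterable[Snapshot]) -> Set[int]:
    """PIDs hidden in *every* snapshot. A process that merely exited between the
    two enumerations is hidden in one pass only and is dropped by the intersection."""
    result = None
    for readdir_pids, ps_pids in snapshots:
        hidden = hidden_in_snapshot(readdir_pids, ps_pids)
        result = hidden if result is None else result & hidden
    return result or set()


def snapshot_live() -> Snapshot:
    """Collect one (readdir, ps) pair from the running system (Linux only)."""
    readdir_pids = {int(name) for name in os.listdir("/proc") if name.isdigit()}
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    ps_pids = {int(tok) for tok in out.split()}
    return readdir_pids, ps_pids


def live_check(passes: int = 5, delay: float = 0.5) -> Set[int]:
    """Take several live snapshots; only PIDs hidden in all of them are returned."""
    snaps = []
    for _ in range(passes):
        snaps.append(snapshot_live())
        time.sleep(delay)
    return persistent_hidden(snaps)


# One `ss -ltnp` row: "... 0.0.0.0:465 0.0.0.0:* users:(("exim",pid=2210,fd=4))"
SS_LINE = re.compile(r'\s(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)')


def listeners_on_port(ss_output: str, port: int) -> List[Tuple[str, int]]:
    """Return (process name, pid) pairs listening on `port`, parsed from ss -ltnp output."""
    found = []
    for line in ss_output.splitlines():
        m = SS_LINE.search(line)
        if m and int(m.group("port")) == port:
            found.append((m.group("proc"), int(m.group("pid"))))
    return found


# Constructed sample data (not captured from a real host).
SAMPLE_RACE = [
    ({1, 2, 3, 4101}, {1, 2, 3}),          # 4101 exited between readdir and ps
    ({1, 2, 3}, {1, 2, 3}),
    ({1, 2, 3, 4102}, {1, 2, 3, 4102}),    # 4102 started and was seen by both
]
SAMPLE_PERSISTENT = [
    ({1, 2, 3, 666}, {1, 2, 3}),           # 666 never appears in ps: hidden every pass
    ({1, 2, 3, 666, 4103}, {1, 2, 3, 4103}),
    ({1, 2, 3, 666}, {1, 2, 3}),
]
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      20     0.0.0.0:465        0.0.0.0:*         users:(("exim",pid=2210,fd=4))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
"""

if __name__ == "__main__":
    print("race sample, persistently hidden:", persistent_hidden(SAMPLE_RACE))
    print("persistent sample, persistently hidden:", persistent_hidden(SAMPLE_PERSISTENT))
    print("listeners on 465 in sample ss output:", listeners_on_port(SAMPLE_SS, 465))
    if os.path.isdir("/proc"):
        print("live persistently hidden PIDs:", live_check())
```

On a cPanel box the live run is usually empty, and `ss -ltnp 'sport = :465'` (or the netstat equivalent) should name exim as the owner of port 465; a PID that stays hidden across every pass, or an unfamiliar binary on that port, is the case that warrants a closer look rather than the transient one-pass report the posters describe.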
     
  5. station

    station Member

    Joined:
    Jul 21, 2004
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    Thanks all, false positive!

    Wow, so many replies in such a short time. Thanks all, I do understand that it is a false positive resulting from MailScanner.
    I am using rkhunter as well as chkrootkit and they are both up to date, installed this past week. :D

    I also wondered if anyone would know what `rexedcs' is and why is it being looked for?
     
