Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

CHKROOTKIT suspicious files (newbie)

Discussion in 'General Discussion' started by Lammypie, Sep 19, 2006.

  1. Lammypie

    Lammypie Member

    Joined:
    Sep 10, 2006
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    151
    I recently bought a VPS (virtuozzo & cpanel whm)but left it enabled with no firewall etc for a few days, (very newbie) while I figured out and researched the basics.

    I'm now trying to secure it.

    I've just installed CHKROOTKIT (chkrootkit.org) and I'm getting a lot of entries which cause me concern, and I need some expert advice on what they are, ie are they bad, or just routine, what do I need to do to fix it?

    I thought everything should return 'nothing found', or 'not infected'
    but 'searching for suspicious files and dirs' returns this huge quantity of entries

    Does this mean all of the fiels above are suspicious?

    The next one is
    Thanks in advance

    Chris
     
    #1 Lammypie, Sep 19, 2006
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,460
    Likes Received:
    22
    Trophy Points:
    463
    Location:
    Go on, have a guess
    All false positives.

    The hidden processes/LKM messages are almost always false-positives:

    The LKM appear whenever "hidden" processes are found. They're usually processes that have started between the different checks that chkrootkit runs while processing. Usually, they're named mysql httpd or exim processes. You can get more information about which processes are being caught using:

    cd /root/chkrootkit-0.*
    ./chkrootkit -x lkm

    When you run it you will probably find that it returns anything from none to several processes.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 chirpy, Sep 19, 2006
  3. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    3
    Trophy Points:
    168
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    Just as an addition to Chirpy's post, those packlist files are just leftovers from Perl modules that have been installed. They're safely ignored for the most part. Same with the PHP related files. Also, the Bindshell alert is common on cPanel machines and can also be ignored for the most part.

    What you'll find is that you will get used to seeing the same things in the report all the time, then when something is amiss it will jump right out at you - one of those "hmmm, that's new!" moments. :D
     
    #3 mctDarren, Sep 19, 2006
(You must log in or sign up to post here.)
Loading...
Similar Threads - CHKROOTKIT suspicious files
  1. tym busku

    Question about chkrootkit entry

    tym busku, Jul 2, 2018, in forum: Security
    Replies:
    2
    Views:
    152
    cPanelLauren
    Jul 3, 2018
  2. Eslam Fawzy

    Suspicious File Alert

    Eslam Fawzy, Nov 13, 2018, in forum: Security
    Replies:
    1
    Views:
    119
    cPanelLauren
    Nov 14, 2018
  3. Stichting FreeSpeechTube

    SOLVED Suspicious process running under user

    Stichting FreeSpeechTube, Nov 3, 2018, in forum: General Discussion
    Replies:
    4
    Views:
    188
    cPanelMichael
    Nov 5, 2018
  4. Nirjonadda

    Suspicious File Alert

    Nirjonadda, Oct 30, 2018, in forum: General Discussion
    Replies:
    2
    Views:
    149
    cPanelMichael
    Oct 30, 2018
  5. tui

    SOLVED [CPANEL-23314] CSF Suspicious File Alerts (/tmp/pma_template_compiles) after V76 Update

    tui, Oct 27, 2018, in forum: Security
    Replies:
    8
    Views:
    1,381
    rpvw
    Nov 8, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice