CHKROOTKIT suspicious files (newbie)

L

Lammypie

Member
Sep 10, 2006
9
0
151
I recently bought a VPS (virtuozzo & cpanel whm)but left it enabled with no firewall etc for a few days, (very newbie) while I figured out and researched the basics.

I'm now trying to secure it.

I've just installed CHKROOTKIT (chkrootkit.org) and I'm getting a lot of entries which cause me concern, and I need some expert advice on what they are, ie are they bad, or just routine, what do I need to do to fix it?

I thought everything should return 'nothing found', or 'not infected'
but 'searching for suspicious files and dirs' returns this huge quantity of entries

Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Digest/SHA/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Digest/SHA1/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Digest/HMAC/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Compress/Zlib/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Term/ReadKey/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Term/ReadLine/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/IO/Stringy/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/IO/Socket/SSL/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/IO/Tee/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/IO/Tty/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/IO/Interactive/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/IO/Stty/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Mail/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Mail/SpamAssassin/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/MIME-tools/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Net/Daemon/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Net/SSLeay/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Net/LDAP/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Net/IP/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Net/DNS/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Net/AIM/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Net/OSCAR/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/RPC/PlServer/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Convert/ASN1/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Convert/BER/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Authen/SASL/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/XML/SAX/Base/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/XML/SAX/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/XML/Parser/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/XML/RegExp/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/XML/XSLT/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/XML/NamespaceSupport/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/XML/Simple/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/DBI/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/DBI/Shell/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/DBD/Multiplex/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/DBD/mysql/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Text/Reform/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Text/Query/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Text/CSV_XS/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/MIME/Lite/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/URI/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/HTML/Tagset/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/HTML/Parser/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/HTML/FillInForm/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/HTML/Clean/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/HTML/SimpleParse/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/HTML/Template/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/LWP/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Parse/RecDescent/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/OLE/Storage_Lite/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Image/Size/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Image/Button/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Image/ButtonMaker/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Safe/Hole/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Tie/ShadowHash/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Tie/IxHash/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Tie/Watch/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Set/Crontab/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Spreadsheet/ParseExcel/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Spreadsheet/WriteExcel/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/MLDBM/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/MLDBM/Sync/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Devel/Symdump/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Persistent/Base/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Persistent/DBI/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Persistent/MySQL/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Crypt/Blowfish/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Crypt/Blowfish_PP/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Crypt/CBC/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Crypt/DES/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Crypt/SSLeay/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/libxml-perl/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/XML-DOM/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Curses/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Curses/UI/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Data/ShowTable/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/GD/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/GD/Text/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/GD/Graph/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/GD/Graph3d/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/SQL/Statement/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/version/vpp/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Apache/Admin/Config/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/BSD/Resource/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Business/OnlinePayment/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Business/OnlinePayment/AuthorizeNet/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Business/UPS/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/TimeDate/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Expect/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/File/Copy/Recursive/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/File/Tail/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Filesys/Statvfs/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Geo/IPfree/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/MD5/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/PNGgraph/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Quota/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Readonly/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/SOAP/Lite/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/SVG/TT/Graph/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/String/CRC32/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Sys/Hostname/Long/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Tree/MultiNode/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Unix/PID/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/RRDp/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/RRDs/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/mytop/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Class/Std/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/Class/Std/Utils/.packlist /usr/lib/perl5/site_perl/5.8.7/x86_64-linux/auto/ExtUtils/CBuilder/.packlist /usr/lib/perl5/5.8.7/x86_64-linux/auto/Cwd/.packlist /usr/lib/perl5/5.8.7/x86_64-linux/auto/Digest/MD5/.packlist /usr/lib/perl5/5.8.7/x86_64-linux/auto/File/Temp/.packlist /usr/lib/perl5/5.8.7/x86_64-linux/auto/List/Util/.packlist /usr/lib/perl5/5.8.7/x86_64-linux/auto/MIME/Base64/.packlist /usr/lib/perl5/5.8.7/x86_64-linux/auto/Storable/.packlist /usr/lib/perl5/5.8.7/x86_64-li nux/auto/Time/HiRes/.packlist /usr/lib/perl5/5.8.7/x86_64-linux/auto/CPAN/.packlist /usr/lib/perl5/5.8.7/x86_64-linux/auto/CGI/.packlist /usr/lib/perl5/5.8.7/x86_64-linux/auto/ExtUtils/ParseXS/.packlist /usr/lib/perl5/5.8.7/x86_64-linux/.packlist /usr/lib/php/.registry /usr/lib/php/.registry/.channel.pecl.php.net /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.channels /usr/lib/php/.channels/.alias /usr/lib/php/.filemap /usr/lib/php/.lock /usr/lib/php/.depdblock /usr/lib/php/.depdb /usr/lib/php/.registry /usr/lib/php/.registry/.channel.pecl.php.net /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.channels /usr/lib/php/.channels/.alias
Click to expand...
Does this mean all of the fiels above are suspicious?

The next one is
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Click to expand...
Thanks in advance

Chris
 
chirpy

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,466
30
473
Go on, have a guess
All false positives.

The hidden processes/LKM messages are almost always false-positives:

The LKM appear whenever "hidden" processes are found. They're usually processes that have started between the different checks that chkrootkit runs while processing. Usually, they're named mysql httpd or exim processes. You can get more information about which processes are being caught using:

cd /root/chkrootkit-0.*
./chkrootkit -x lkm

When you run it you will probably find that it returns anything from none to several processes.
 
mctDarren

mctDarren

Well-Known Member
Jan 6, 2004
666
4
168
New Jersey
cPanel Access Level
Root Administrator
Just as an addition to Chirpy's post, those packlist files are just leftovers from Perl modules that have been installed. They're safely ignored for the most part. Same with the PHP related files. Also, the Bindshell alert is common on cPanel machines and can also be ignored for the most part.

What you'll find is that you will get used to seeing the same things in the report all the time, then when something is amiss it will jump right out at you - one of those "hmmm, that's new!" moments. :D
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
000 chkrootkit last version 2007 Ups... General Discussion 0
verdon Tweaking chkrootkit General Discussion 1
J /bin/sh: /root/chkrootkit-0.46a/chkrootkit: Permission denied General Discussion 2
sh4ka ifconfig INFECTED! chkrootkit report, help please General Discussion 6
isputra Chkrootkit:Checking `chkutmp'... The tty of the following user process(es) were not General Discussion 2
Similar threads
chkrootkit last version 2007 Ups...
Tweaking chkrootkit
/bin/sh: /root/chkrootkit-0.46a/chkrootkit: Permission denied
ifconfig INFECTED! chkrootkit report, help please
Chkrootkit:Checking `chkutmp'... The tty of the following user process(es) were not
Top Bottom