
Help decoding "chkrootkit" scan info

Discussion in 'Security' started by Astral God, Jan 23, 2012.

  1. Astral God

    Astral God Well-Known Member

    Hello.

    When I run:

    Code:
    /root/chkrootkit.sh | grep -v .packlist
    I get this information:

    Code:
    find: /proc/1052: No such file or directory
    find: /proc/1053: No such file or directory
    
    /var/www/mrtg/tcp.log
    
    /usr/lib/php/.depdb /usr/lib/php/.lock /usr/lib/php/.channels /usr/lib/php/.channels/.alias /usr/lib/php/.filemap /usr/lib/php/.depdblock /usr/lib/php/.registry /usr/lib/php/.registry/.channel.pecl.php.net /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.registry/.channel.doc.php.net
    /usr/lib/php/.channels /usr/lib/php/.channels/.alias /usr/lib/php/.registry /usr/lib/php/.registry/.channel.pecl.php.net /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.registry/.channel.doc.php.net
    INFECTED (PORTS:  465)
    You have     1 process hidden for ps command
    chkproc: Warning: Possible LKM Trojan installed
    Can anybody help me to "decode" this information?
    Thanks.
     
  2. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    This:

    Code:
    INFECTED (PORTS:  465)
    is normal on a cPanel server and should be considered a false positive. Port 465 is the port for SMTP with SSL, and it is normal for Exim to listen on it. To confirm that Exim is what is listening on port 465, use netstat and pipe the output to grep:

    Code:
    # netstat -nalp|grep :465
    tcp        0      0 0.0.0.0:465                 0.0.0.0:*                   LISTEN      19985/exim          
    tcp        0      0 :::465                      :::*                        LISTEN      19985/exim          
    #
    These files:

    Code:
    /usr/lib/php/.depdb /usr/lib/php/.lock /usr/lib/php/.channels /usr/lib/php/.channels/.alias /usr/lib/php/.filemap /usr/lib/php/.depdblock /usr/lib/php/.registry /usr/lib/php/.registry/.channel.pecl.php.net /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.registry/.channel.doc.php.net
    /usr/lib/php/.channels /usr/lib/php/.channels/.alias /usr/lib/php/.registry /usr/lib/php/.registry/.channel.pecl.php.net /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.registry/.channel.doc.php.net
    are part of a normal PHP installation and do exist on my test server:

    Code:
    # ls -alh .channels/
    total 28K
    drwxr-xr-x  3 root root 4.0K May 30  2008 ./
    drwxr-xr-x 16 root root 4.0K Jul 12  2011 ../
    drwxr-xr-x  2 root root 4.0K May 30  2008 .alias/
    -rw-r--r--  1 root root 1.5K May 30  2008 pear.php.net.reg
    -rw-r--r--  1 root root 1.7K Dec 13  2010 pecl.php.net.reg
    -rw-r--r--  1 root root  295 May 30  2008 __uri.reg
    # ls -alh .registry/
    total 208K
    drwxr-xr-x  4 root root 4.0K Mar  5  2010 ./
    drwxr-xr-x 16 root root 4.0K Jul 12  2011 ../
    -rw-r--r--  1 root root  11K Nov  8  2010 archive_tar.reg
    drwxr-xr-x  2 root root 4.0K Oct 27 10:18 .channel.pecl.php.net/
    drwxr-xr-x  2 root root 4.0K May 30  2008 .channel.__uri/
    -rw-r--r--  1 root root 6.7K Jun  6  2011 console_getopt.reg
    -rw-r--r--  1 root root  81K Jul 12  2011 pear.reg
    -rw-r--r--  1 root root  19K Nov  8  2010 structures_graph.reg
    -rw-r--r--  1 root root  31K Sep  6 22:00 xml_rpc.reg
    -rw-r--r--  1 root root  25K Mar  5  2010 xml_util.reg
    #
    chkrootkit, and a similar script, rkhunter, tend to err on the side of giving you too much information instead of too little. They scan for files that they consider to be out of the ordinary, which may be totally innocuous. It is up to you as the server administrator to look at those files and determine if they belong and if they are what they purport to be.

    Two useful commands you can run on files, when deciding if they are legitimate or not, are file and strings. file will simply tell you what kind of file it is:

    Code:
    # file /usr/lib/php/.registry/archive_tar.reg 
    /usr/lib/php/.registry/archive_tar.reg: ASCII C++ program text, with very long lines
    strings will extract the character strings from a file, even a binary file, and show them to you. Just to give you an example, here are some of the strings from the ls binary file:

    Code:
    # strings /usr/bin/strings
    /lib/ld-linux.so.2
    PTRh@
    B<1v
    [^_]
    	tK%
    <[^_]
    t];w
    Y[^_]
    [^_]
    \[^_]
    p[^]
    p[^]
    A	[]
    [^_]
    [^_]
    [^_]
    [^_]
    [^_]
    <[^_]
    ccXX
    XXXX
    0^_]
    [^_]
    %s: 
    %7Lo 
    %7Ld 
    %7Lx 
    Report bugs to %s
    /usr/share/locale
    binutils
    invalid integer argument %s
    strings
    afhHn:ot:e:T:Vv0123456789
    {standard input}
    '%s': No such file
    print-file-name
    bytes
    radix
    encoding
    target
    help
    version
    Very often, but not always, illegitimate files that are part of a hack attempt will contain strings that make it very obvious that they are up to no good. If you use strings on a file and see "b@ckd00r" or "l0l h@ckz0rz" in the output, then you very likely have a hacking-related file. This is not always definite, but strings is a very useful tool when analyzing the output from chkrootkit and rkhunter.
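One way to triage the two findings cPanelJared walks through above (the flagged port and the "process hidden for ps" warning), as an added example that is not code from the thread or from cPanel; it assumes the netstat -nalp column layout shown in the reply and uses constructed sample data in place of a live server:

```shell
#!/bin/sh
# Added example (not from the thread): triage two chkrootkit findings quoted in
# the post above instead of taking the scanner's verdict at face value.
#  1. "INFECTED (PORTS: N)": map each flagged port to the process that owns the
#     listening socket, from netstat -nalp output as shown in the reply.
#  2. "N process hidden for ps command": chkproc diffs the PIDs in /proc against
#     the PIDs ps reports, so a process that exits between the two snapshots
#     looks "hidden" (the find: /proc/NNNN errors are the same race). A
#     candidate is therefore re-checked against a later /proc snapshot.
# Inputs are passed as text so this runs offline; on a live server feed it real
# `netstat -nalp`, `ls /proc` and `ps -e -o pid=` output instead.

# $1 = chkrootkit output, $2 = netstat output. Prints "PORT PROCESS" for each
# flagged port, or "PORT none" when nothing is listening there now.
triage_ports() {
    printf '%s\n' "$1" | sed -n 's/^INFECTED (PORTS: *\([0-9 ]*\)).*/\1/p' |
    tr ' ' '\n' | grep -v '^$' | while read -r port; do
        owner=$(printf '%s\n' "$2" | awk -v p="$port" \
            '/LISTEN/ && $4 ~ (":" p "$") { split($NF, a, "/"); print a[2] }' | head -n 1)
        printf '%s %s\n' "$port" "${owner:-none}"
    done
}

# _pidset WANT SET LIST: print PIDs of LIST whose membership in SET equals WANT.
_pidset() {
    { printf '%s\n' "$2"; echo '--'; printf '%s\n' "$3"; } |
    awk -v want="$1" '$0 == "--" { second = 1; next }
                      !second { s[$1] = 1; next }
                      /^[0-9]+$/ && (($1 in s) == want) { print $1 }'
}
hidden_pids()       { _pidset 0 "$2" "$1"; }  # $1 = /proc PIDs, $2 = ps PIDs
persistent_hidden() { _pidset 1 "$2" "$1"; }  # $1 = candidates, $2 = later /proc PIDs

# Constructed sample data modelled on the output quoted in the thread.
CHKROOTKIT_OUT='find: /proc/1052: No such file or directory
INFECTED (PORTS:  465)
You have     1 process hidden for ps command'
NETSTAT_OUT='tcp   0   0 0.0.0.0:465   0.0.0.0:*   LISTEN   19985/exim
tcp   0   0 0.0.0.0:22    0.0.0.0:*   LISTEN   1201/sshd'
PROC_PIDS=$(printf '1\n1052\n1201\n19985\n')   # first /proc snapshot
PS_PIDS=$(printf '1\n1201\n19985\n')           # what ps showed
PROC_PIDS_LATER=$(printf '1\n1201\n19985\n')   # 1052 has already exited

triage_ports "$CHKROOTKIT_OUT" "$NETSTAT_OUT"   # 465 exim  (the expected cPanel listener)
hidden_pids "$PROC_PIDS" "$PS_PIDS"             # 1052
persistent_hidden "$(hidden_pids "$PROC_PIDS" "$PS_PIDS")" "$PROC_PIDS_LATER"  # prints nothing
```

A port owned by something other than the expected daemon, or a PID that survives the second snapshot while still missing from ps, is what deserves the file/strings inspection the reply describes.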
     
  3. Astral God

    Astral God Well-Known Member

    Many thanks for this complete answer. :)
     
  4. ANKUR KUMAR

    ANKUR KUMAR Active Member



    Thanks for the info. I just tried and fortunately I don't think there is any third-party content on our server.

    Is there any way I can ask the rootkit scanner to ignore this file so that it doesn't notify me if the case matches?
     