
LKM False?

Discussion in 'General Discussion' started by internethosting, Jan 7, 2004.

  1. internethosting

    internethosting Well-Known Member

    Hello,

    I would just like to get feedback from all of you wonderful people.

    Yesterday, for the first time, I got the following message using Chkrootkit (0.43)

    Checking `lkm'... You have 1 process hidden for readdir command
    You have 1 process hidden for ps command
    Warning: Possible LKM Trojan installed

    I ran chkrootkit 10 times in a row again, and didn't get the same response. Finally, about the 15th time, I got it again.

    I tried the following command:
    [~/chkrootkit-0.43]# ./chkproc

    And received nothing.

    Then, about the 10th time I ran the command, I got this:

    You have 1 process hidden for readdir command
    You have 1 process hidden for ps command


    The same happens when I run:

    ./chkrootkit -x lkm

    Most of the time it comes up clear, but every so often, it will display a possible hidden process or two. Usually /sbin/exim and /var/exim/spool as hidden processes. It will never come up with the error twice in a row. I have to run it dozens of times to get the error.


    Does this look normal?


    I know about a lot of the false alarms when using cPanel, but this I have never seen before. Looking over some of the forums on the net, it seems people with different configurations see this from time to time.

    Just slightly worried,

    Thanks
    Tim -
     
  2. denisdekat09

    denisdekat09 Well-Known Member

    I got the same thing, then I tried this:

    root@server00 [/usr/local/chkrootkit]# ./chkproc -v -v
    PID 31095: not in readdir output
    PID 31095: not in ps output
    CWD 31095: /usr/local/cpanel
    EXE 31095: /usr/local/cpanel/bin/cppop
    You have 1 process hidden for readdir command
    You have 1 process hidden for ps command
    root@server00 [/usr/local/chkrootkit]#

    First time this happens :(

    I am not sure what I should do. Should I upgrade the POP server?


    UPDATE, restarting pop server cleared it, strange...

    Still makes me suspicious...
     
    #2 denisdekat09, Feb 2, 2004
    Last edited: Feb 2, 2004
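
Added example (not part of either post, and not chkrootkit's own code): one way to triage the intermittent reports above is to save the `./chkproc -v -v` output from several runs and check whether the same PID is flagged every time. A PID that shows up in a single run only is consistent with a process that started or exited while the scan was in progress. The function names and the two empty follow-up runs are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches chkproc -v -v lines such as "PID 31095: not in ps output" or "EXE 31095: /path".
LINE = re.compile(r"^\s*(PID|CWD|EXE)\s+(\d+):\s+(.*)$")

def parse_run(text):
    """Return {pid: {"missing": set of views, "exe": path, "cwd": path}} for one run."""
    found = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # summary lines ("You have 1 process hidden ...") and prompts
        kind, pid, rest = m.group(1), int(m.group(2)), m.group(3).strip()
        rec = found.setdefault(pid, {"missing": set(), "exe": None, "cwd": None})
        if kind == "PID":
            view = re.match(r"not in (\w+) output", rest)
            if view:
                rec["missing"].add(view.group(1))  # "readdir" or "ps"
        else:
            rec[kind.lower()] = rest
    return found

def triage(runs):
    """Label each flagged PID 'persistent' (flagged in every run) or 'transient'."""
    seen = defaultdict(list)
    for i, text in enumerate(runs):
        for pid, rec in parse_run(text).items():
            seen[pid].append((i, rec))
    report = {}
    for pid, hits in seen.items():
        every_run = len(runs) > 1 and len(hits) == len(runs)
        report[pid] = {"status": "persistent" if every_run else "transient",
                       "runs": [i for i, _ in hits],
                       "exe": hits[-1][1]["exe"]}
    return report

# Constructed sample: run 0 is the output quoted in post #2, runs 1 and 2 are clean.
RUNS = ["""PID 31095: not in readdir output
PID 31095: not in ps output
CWD 31095: /usr/local/cpanel
EXE 31095: /usr/local/cpanel/bin/cppop
You have 1 process hidden for readdir command
You have 1 process hidden for ps command""", "", ""]

if __name__ == "__main__":
    for pid, info in triage(RUNS).items():
        print(pid, info)
```

A PID reported as persistent across runs is the case that calls for closer inspection, for example from trusted binaries or offline media.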