lkm trojan "hidden process": chkrootkit false alarm?

Discussion in 'General Discussion' started by Valetia, May 27, 2004.

  1. Valetia (Well-Known Member; cPanel Access Level: Root Administrator)

    This is showing up in a daily chkrootkit report from one of our machines:

    Code:
    Checking `lkm'... You have 1 process hidden for readdir command 
    You have 1 process hidden for ps command 
    Warning: Possible LKM Trojan installed 
    When you run chkrootkit manually with -x it shows this:

    Code:
    root@hostname [~/chkrootkit-0.43]# ./chkrootkit -x lkm 
    ROOTDIR is `/' 
    ### 
    ### Output of: ./chkproc -v -v 
    ### 
    8751 is a Linux Thread, marking as such... 
    8752 is a Linux Thread, marking as such... 
    8753 is a Linux Thread, marking as such... 
    8754 is a Linux Thread, marking as such... 
    8755 is a Linux Thread, marking as such... 
    8756 is a Linux Thread, marking as such... 
    11862 is a Linux Thread, marking as such... 
    18724 is a Linux Thread, marking as such... 
    19459 is a Linux Thread, marking as such... 
    root@hostname [~/chkrootkit-0.43]# 
    Running ./chkrootkit again repeatedly (without the -x) then shows no error messages about lkm anymore.

    But running it with -x multiple times still shows those "is a Linux Thread, marking as such..." messages.

    Is this a false alarm?
     
  2. Valetia (Well-Known Member; cPanel Access Level: Root Administrator)

    A couple of processes are now different:

    Code:
    root@hostname [~/chkrootkit-0.43]# ./chkrootkit -x lkm
    ROOTDIR is `/'
    ###
    ### Output of: ./chkproc -v -v
    ###
    8751 is a Linux Thread, marking as such...
    8752 is a Linux Thread, marking as such...
    8753 is a Linux Thread, marking as such...
    8754 is a Linux Thread, marking as such...
    8755 is a Linux Thread, marking as such...
    8756 is a Linux Thread, marking as such...
    8333 is a Linux Thread, marking as such...
    11603 is a Linux Thread, marking as such...
    root@hostname [~/chkrootkit-0.43]#
     
  3. tnguy3n (Member)

    It seems that I got the same problem. I ran the chkrootkit command and it warns "Possible LKM Trojan installed"

    and when I try to run ./chkrootkit -x, it shows
    How do I know if I really do have an LKM installed on my server, and how do I remove it? Thanks.
     
  4. djmerlyn (Well-Known Member)

    Maybe you folks could analyze the PID and figure out what the process is that those belong to.

    It's likely to be a false alarm, but if you could identify what the process is that is running from the PID... perhaps people here could provide more info.
     
  5. chirpy (Well-Known Member)

    They are indeed nearly always false-positives. If you're not getting anything else reported, then that's most likely the case. Things like MySQL, Exim and MailScanner will frequently cause that check to trip.
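
The check djmerlyn asks for (work out what each flagged PID actually is) and the false-positive mechanism chirpy describes (threads and short-lived workers from MySQL, Exim or MailScanner), as an added example. This is not chkrootkit's code and was not posted in the thread; it redoes the core of chkproc's comparison by hand. chkproc's complaint ("hidden for readdir", "hidden for ps") comes from two views of the process table that should agree but do not, so the script builds both views, diffs them, samples twice to drop anything that merely exited between the two reads, and then reads /proc/PID/status to name whatever is left. It assumes a Linux /proc and a ps that accepts -e -o pid=; the function names are the editor's own.

```shell
#!/bin/sh
# Added example, not chkrootkit's own code or anything from the thread.
# Redo the core of chkproc's "hidden process" comparison by hand and
# explain each PID it flags, so a thread or a worker that exited mid-scan
# can be told apart from a PID that something is really hiding.
# Assumes Linux /proc and a ps that accepts -e -o pid=.

# View 1: the PIDs readdir(2) on /proc returns.
proc_readdir_pids() {
    for d in /proc/[0-9]*; do
        printf '%s\n' "${d#/proc/}"
    done
}

# View 2: the PIDs ps reports. A trojaned ps or an LKM filters this view.
ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# hidden_pids A B: PIDs in list A that are missing from list B.
# Lists are newline-separated strings so the logic can be tested on
# constructed input; B is passed through the environment so its
# newlines survive intact.
hidden_pids() {
    printf '%s\n' "$1" | PIDLIST_B="$2" awk '
        BEGIN { n = split(ENVIRON["PIDLIST_B"], b, "\n")
                for (i = 1; i <= n; i++) if (b[i] != "") seen[b[i]] = 1 }
        NF && !($1 in seen)'
}

# common_pids A B: PIDs present in both lists.
common_pids() {
    printf '%s\n' "$1" | PIDLIST_B="$2" awk '
        BEGIN { n = split(ENVIRON["PIDLIST_B"], b, "\n")
                for (i = 1; i <= n; i++) if (b[i] != "") seen[b[i]] = 1 }
        NF && ($1 in seen)'
}

# explain_pid PID: one line saying what a flagged PID is, from /proc/PID/status:
#   "PID gone"                    exited between samples: transient, not hidden
#   "PID thread-of TGID (NAME)"   a thread, the classic chkproc false positive
#   "PID process NAME ppid PPID"  a real process that ps did not show
explain_pid() {
    pid=$1
    status=/proc/$pid/status
    if [ ! -r "$status" ]; then
        echo "$pid gone"
        return 0
    fi
    name=$(awk '$1 == "Name:" { print $2 }' "$status")
    tgid=$(awk '$1 == "Tgid:" { print $2 }' "$status")
    ppid=$(awk '$1 == "PPid:" { print $2 }' "$status")
    if [ -n "$tgid" ] && [ "$tgid" != "$pid" ]; then
        echo "$pid thread-of $tgid ($name)"
    else
        echo "$pid process $name ppid $ppid"
    fi
}

# scan: sample both views twice, a second apart, and only explain PIDs
# flagged both times. A PID flagged once and gone on the second pass is
# the short-lived Exim/MailScanner/MySQL worker that trips chkproc.
scan() {
    first=$(hidden_pids "$(proc_readdir_pids)" "$(ps_pids)")
    sleep 1
    second=$(hidden_pids "$(proc_readdir_pids)" "$(ps_pids)")
    for p in $(common_pids "$first" "$second"); do
        explain_pid "$p"
    done
}

if [ "${1-}" = "--scan" ]; then
    scan
fi
```

Run it as `sh hidden.sh --scan` (hypothetical file name). The script's own command-substitution subshells are a built-in demonstration of the race: each one is in /proc when the readdir view is taken and gone by the time ps runs, so it shows up in a single pass and drops out of the two-pass intersection. Anything that survives both passes is worth reading about in /proc/PID/status before deciding. On the 2.4-era LinuxThreads kernels this thread dates from, each thread had its own PID in /proc, which is why chkproc 0.43 has to mark them "is a Linux Thread"; on NPTL kernels thread IDs are not returned by readdir on /proc and plain `ps -e` does not list them either, so to compare the thread view you would swap in `ps -eL -o lwp=` and walk /proc/*/task/* instead.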
     
  6. Snover (Active Member)

    You should run Rootkit Hunter. Its LKM scanning is less retarded. Be sure to run rkhunter --update after you first install it to get the latest database files.
     
  7. Solokron (Well-Known Member; cPanel Access Level: DataCenter Provider)

    Running ./chkrootkit -x and outputting to a dump file, there is quite the list here. Where can you find the hidden process PIDs in this list? I suspect they are false positives, but with this server's history I would rather not take a chance.


     
  8. chirpy (Well-Known Member)

    You can limit the actual output to the lkm (and hidden process) check using:

    ./chkrootkit -x lkm
     
