
lkm trojan "hidden process": chkrootkit false alarm?

Discussion in 'General Discussion' started by Valetia, May 27, 2004.

  1. Valetia

    Valetia Well-Known Member

    Joined:
    Jun 20, 2002
    Messages:
    213
    Likes Received:
    1
    Trophy Points:
    168
    cPanel Access Level:
    Root Administrator
    This is showing up in a daily chkrootkit report from one of our machines::

    Code:
    Checking `lkm'... You have 1 process hidden for readdir command
    You have 1 process hidden for ps command
    Warning: Possible LKM Trojan installed
    When you run chkrootkit manually with -x it shows this:

    Code:
    root@hostname [~/chkrootkit-0.43]# ./chkrootkit -x lkm
    ROOTDIR is `/'
    ###
    ### Output of: ./chkproc -v -v
    ###
    8751 is a Linux Thread, marking as such...
    8752 is a Linux Thread, marking as such...
    8753 is a Linux Thread, marking as such...
    8754 is a Linux Thread, marking as such...
    8755 is a Linux Thread, marking as such...
    8756 is a Linux Thread, marking as such...
    11862 is a Linux Thread, marking as such...
    18724 is a Linux Thread, marking as such...
    19459 is a Linux Thread, marking as such...
    root@hostname [~/chkrootkit-0.43]#
    Running ./chkrootkit again repeatedly (without the -x) then shows no more error messages about lkm.

    But running it with -x multiple times still shows those "is a Linux Thread, marking as such..." messages.

    Is this a false alarm?
     
  2. Valetia

    Valetia Well-Known Member

    Joined:
    Jun 20, 2002
    Messages:
    213
    Likes Received:
    1
    Trophy Points:
    168
    cPanel Access Level:
    Root Administrator
    A couple of processes are now different:

    Code:
    root@hostname [~/chkrootkit-0.43]# ./chkrootkit -x lkm
    ROOTDIR is `/'
    ###
    ### Output of: ./chkproc -v -v
    ###
    8751 is a Linux Thread, marking as such...
    8752 is a Linux Thread, marking as such...
    8753 is a Linux Thread, marking as such...
    8754 is a Linux Thread, marking as such...
    8755 is a Linux Thread, marking as such...
    8756 is a Linux Thread, marking as such...
    8333 is a Linux Thread, marking as such...
    11603 is a Linux Thread, marking as such...
    root@hostname [~/chkrootkit-0.43]#
     
  3. tnguy3n

    tnguy3n Member

    Joined:
    Nov 16, 2004
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    151
    It seems that I have the same problem. I ran the chkrootkit command and it warns "Possible LKM Trojan installed",

    and when I try to run ./chkrootkit -x, it shows
    How do I know if I really do have LKM installed on my server and how to remove it? Thanks.
     
  4. djmerlyn

    djmerlyn Well-Known Member

    Joined:
    Aug 31, 2004
    Messages:
    201
    Likes Received:
    1
    Trophy Points:
    168
    Maybe you folks could analyze the PID and figure out what the process is that those belong to.

    It's likely to be a false alarm, but if you could identify what the process is that is running from the PID...perhaps people here could provide more info~
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,460
    Likes Received:
    22
    Trophy Points:
    463
    Location:
    Go on, have a guess
    They are indeed nearly always false positives. If you're not getting anything else reported, then that's most likely the case. Things like MySQL, Exim and MailScanner will frequently cause that check to trip.
     
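The two replies above (identify what the flagged PIDs belong to; threads of MySQL, Exim and MailScanner trip the check) amount to a triage procedure. The script below is an added example, not code from the thread or from chkrootkit: it takes the two views chkproc compares (PIDs found by listing /proc versus PIDs ps reports) and resolves each "hidden" PID through the Tgid field of /proc/<pid>/status, so a thread of a visible process is reported as such and only a PID that is nobody's thread is left as "hidden". All sample data is constructed; the mysqld leader 8750 and the PID 20000 are made up for illustration, and the Tgid comparison is my reading of what the "is a Linux Thread" message reflects, not a claim about chkproc's source.

```python
# Added example (not from the thread or from chkrootkit): triage chkrootkit's
# "process hidden for readdir/ps" warning by resolving each suspect PID to its
# thread group. Sample data is constructed; PIDs 8751-8756 and 11862 echo the
# thread's output, the mysqld leader 8750 and PID 20000 are made up.
import re

def parse_status(text):
    """Pull Name and Tgid out of a /proc/<pid>/status body."""
    fields = dict(re.findall(r"^(\w+):\s*(.*)$", text, re.M))
    return fields["Name"], int(fields["Tgid"])

def triage(readdir_pids, ps_pids, status_by_pid):
    """Classify PIDs that a readdir of /proc saw but ps did not.

    A PID whose Tgid points at a process ps does list is a thread of that
    process (the "is a Linux Thread" case). A PID that vanished between the
    two snapshots is a benign race. Anything else stays "hidden" and deserves
    a manual look (ls -l /proc/<pid>/exe, lsof -p <pid>).
    """
    verdict = {}
    for pid in sorted(readdir_pids - ps_pids):
        status = status_by_pid.get(pid)
        if status is None:                      # exited mid-scan
            verdict[pid] = ("exited", None)
            continue
        name, tgid = parse_status(status)
        if tgid != pid and tgid in ps_pids:     # worker thread of a visible process
            leader, _ = parse_status(status_by_pid[tgid])
            verdict[pid] = ("thread", leader)
        else:                                   # not a thread of anything ps shows
            verdict[pid] = ("hidden", name)
    return verdict

def status_text(name, pid, tgid):
    """Build a minimal /proc/<pid>/status body (constructed test data)."""
    return f"Name:\t{name}\nState:\tS (sleeping)\nTgid:\t{tgid}\nPid:\t{pid}\n"

# Constructed snapshot: mysqld 8750 with six worker threads, one PID that
# exited between the readdir and ps passes, and one that is nobody's thread.
STATUS = {8750: status_text("mysqld", 8750, 8750)}
STATUS.update({p: status_text("mysqld", p, 8750) for p in range(8751, 8757)})
STATUS[20000] = status_text("example_bin", 20000, 20000)
READDIR_PIDS = {1, 8750, *range(8751, 8757), 11862, 20000}
PS_PIDS = {1, 8750}

if __name__ == "__main__":
    for pid, (kind, who) in triage(READDIR_PIDS, PS_PIDS, STATUS).items():
        print(f"{pid}: {kind}" + (f" of {who}" if who else ""))
```

On a live box the same function can be fed the numeric entries of /proc, the PID column of ps, and the contents of each /proc/<pid>/status; only the entries it reports as "hidden" need further investigation.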
  6. Snover

    Snover Active Member

    Joined:
    Sep 29, 2003
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    156
    You should run Rootkit Hunter. Its LKM scanning is less retarded. Be sure to run rkhunter --update after you first install it to get the latest database files.
     
  7. Solokron

    Solokron Well-Known Member

    Joined:
    Aug 8, 2003
    Messages:
    850
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    Seattle
    cPanel Access Level:
    DataCenter Provider
    Running ./chkrootkit -x and outputting to a dump file, there is quite the list here. Where can you find the hidden process PIDs in this list? I suspect they are false positives, but with this server's history I would rather not take a chance.

  8. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,460
    Likes Received:
    22
    Trophy Points:
    463
    Location:
    Go on, have a guess
    You can limit the actual output to the lkm (and hidden process) check using:

    ./chkrootkit -x lkm
     