-
chkrootkit reports 'possible trojan horse' on KN3.4
Fetched chkrootkit (wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz) and ran it on a newly installed Knoppix 3.4 installed to hard disk. Excerpted from the output:
...
Checking `bindshell'... not infected
Checking `lkm'... You have 4 process hidden for readdir command
You have 4 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
...
Should I worry about that?
chkrootkit is a tool to search for backdoor trojans.
Regards, Henning
-
Could be just a bug with 2.6.x kernel and chkrootkit. Try booting with 2.4.x.
Have you tried: /usr/lib/chkrootkit/chkproc -v -v
Also: netstat -tap |grep LISTEN and nmap localhost. You could try netstat and nmap from another computer if the packages are compromised.
Bugreports for the debian package are in: http://bugs.debian.org/cgi-bin/pkgre...pkg=chkrootkit
PS: I'm not exactly an expert in this.
PS2: Kanotix which I'm running has chkrootkit. If Knoppix 3.4 hasn't you can install it with:
dselect update
apt-get -s install chkrootkit (remove the -s for simulation if the output is ok)
-
Thanks for your in-depth response, you're no novice either. I have no less than 70 (!) kernel modules in the 2.6.6 kernel at present; to me it seems like Knoppix just loads anything (the intel_agp module shouldn't be present on an Athlon machine, should it?).
The chkrootkit bug report talks about false positives for LKM's on kernel 2.6.x ( see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=246667 )
I'll be back with a comment after a reboot (running 2.6.6 now), but basically this cr*pload of text below says that yp/nis and mozilla processes are hidden. The portscan does, as far as I can tell, not show anything suspicious, I am running YP/NIS.
DATA FROM THE TESTS
Portscan from other machine:
---
vagten:~# nmap kejseren
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on kejseren.slot (192.168.52.2):
(The 1548 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
68/tcp open dhcpclient
111/tcp open sunrpc
631/tcp open cups
947/tcp open unknown
6000/tcp open X11
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
---
Port 947 seems to be yp/nis, host 'kejseren' is a NIS/YP client.
---
root@kejseren:/home/henning# rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100007 2 udp 944 ypbind
100007 1 udp 944 ypbind
100007 2 tcp 947 ypbind
100007 1 tcp 947 ypbind
---
root@kejseren:/home/henning# netstat -tap |grep LISTEN
tcp 0 0 *:bootpc *:* LISTEN 1356/pump
tcp 0 0 *:sunrpc *:* LISTEN 1360/portmap
tcp 0 0 *:x11 *:* LISTEN 2171/X
tcp 0 0 *:947 *:* LISTEN 2038/ypbind
tcp 0 0 *:ipp *:* LISTEN 2089/cupsd
tcp6 0 0 *:ssh *:* LISTEN 2118/sshd
PID 2039: not in readdir output
PID 2039: not in ps output
CWD 2039: /var/yp/binding
EXE 2039: /usr/sbin/ypbind
PID 2040: not in readdir output
PID 2040: not in ps output
CWD 2040: /var/yp/binding
EXE 2040: /usr/sbin/ypbind
PID 2284: not in readdir output
PID 2284: not in ps output
CWD 2284: /home/henning
EXE 2284: /usr/lib/mozilla/mozilla-bin
PID 2287: not in readdir output
PID 2287: not in ps output
CWD 2287: /home/henning
EXE 2287: /usr/lib/mozilla/mozilla-bin
PID 2825: not in readdir output
PID 2825: not in ps output
CWD 2825: /home/henning
EXE 2825: /usr/lib/mozilla/mozilla-bin
PID 2886: not in readdir output
PID 2886: not in ps output
CWD 2886: /home/henning
EXE 2886: /usr/lib/mozilla/mozilla-bin
You have 6 process hidden for readdir command
You have 6 process hidden for ps command
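As an added example (not chkrootkit's own code and not from any poster in this thread), the script below reproduces chkproc's three-way comparison (readdir of /proc, ps, and direct PID probing) and then reads Tgid from /proc/<pid>/status to separate NPTL threads on a 2.6 kernel, which is the false positive the bug report describes, from a PID that is reachable but has no visible thread-group leader. The Tgid field, the pid_max sysctl and the sample PIDs mirroring the output above are assumptions/constructed data, not from the page.

```python
"""Added example: chkproc-style hidden-PID check with a thread-aware cross-check."""
import os
import subprocess

PROC = "/proc"


def readdir_pids(proc=PROC):
    """PIDs visible by listing /proc (chkproc's readdir pass)."""
    return {int(d) for d in os.listdir(proc) if d.isdigit()}


def probe_pids(proc=PROC):
    """PIDs that answer when opened directly, even if absent from the listing."""
    try:
        with open(f"{proc}/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    except OSError:
        max_pid = 32768  # assumption: classic default when the sysctl is unreadable
    return {p for p in range(1, max_pid + 1) if os.path.exists(f"{proc}/{p}/status")}


def ps_pids():
    """PIDs as reported by ps (chkproc's ps pass)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def thread_group_id(pid, proc=PROC):
    """Tgid from /proc/<pid>/status: equals pid for a process, leader's pid for a thread."""
    try:
        with open(f"{proc}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def classify(readdir, ps, probed, tgid_of):
    """Pure check: PIDs reachable by probe but missing from readdir and ps are
    'threads' when their Tgid is a different, visible PID (benign on 2.6 kernels),
    otherwise 'hidden' (what an LKM rootkit hiding a process would look like)."""
    hidden, threads = [], []
    for pid in sorted(probed - (readdir | ps)):
        tgid = tgid_of(pid)
        if tgid is not None and tgid != pid and tgid in readdir:
            threads.append((pid, tgid))
        else:
            hidden.append(pid)
    return {"threads": threads, "hidden": hidden}


def check_live():
    """Run the full check against the running kernel."""
    return classify(readdir_pids(), ps_pids(), probe_pids(), thread_group_id)
```

On a 2.6 box the ypbind and mozilla PIDs from the chkproc output above should land in "threads"; anything in "hidden" deserves the clean-package check suggested later in the thread.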
-
Sure! Knoppix 3.4 kernel 2.4.x reports everything ok. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=246667 talks about this exactly being related to the 2.6.x kernel somehow. I'll say we'll declare it a bug in chkrootkit and no trojan. Thanks a lot.
-
For once I'm sure you're glad you've stumbled onto a bug!
If you want to be sure you could always download clean packages from debian to replace ones hidden from the ps-tree, check the md5sum on them, install over old packages and run chkrootkit. If the problem persists it's bound to be the bug.
But AFAIK your machine is clean.