This is a discussion on VPS Security in the VPS & Dedicated forum

  1. #1 JPC Member (joined Jun 2006, 43 posts)

    VPS Security

    I was wondering if anyone could look at the following and tell me what it means by "possible lkm infection"?

    ROOTDIR is `/'
    Checking `amd'... not found
    Checking `basename'... not infected
    Checking `biff'... not found
    Checking `chfn'... not infected
    Checking `chsh'... not infected
    Checking `cron'... not infected
    Checking `date'... not infected
    Checking `du'... not infected
    Checking `dirname'... not infected
    Checking `echo'... not infected
    Checking `egrep'... not infected
    Checking `env'... not infected
    Checking `find'... not infected
    Checking `fingerd'... not infected
    Checking `gpm'... not infected
    Checking `grep'... not infected
    Checking `hdparm'... not found
    Checking `su'... not infected
    Checking `ifconfig'... not infected
    Checking `inetd'... not tested
    Checking `inetdconf'... not found
    Checking `identd'... not found
    Checking `init'... not infected
    Checking `killall'... not infected
    Checking `ldsopreload'... not infected
    Checking `login'... not infected
    Checking `ls'... not infected
    Checking `lsof'... not infected
    Checking `mail'... not infected
    Checking `mingetty'... not found
    Checking `netstat'... not infected
    Checking `named'... not infected
    Checking `passwd'... not infected
    Checking `pidof'... not infected
    Checking `pop2'... not found
    Checking `pop3'... not found
    Checking `ps'... not infected
    Checking `pstree'... not infected
    Checking `rpcinfo'... not infected
    Checking `rlogind'... not found
    Checking `rshd'... not found
    Checking `slogin'... not infected
    Checking `sendmail'... not infected
    Checking `sshd'... not infected
    Checking `syslogd'... not infected
    Checking `tar'... not infected
    Checking `tcpd'... not infected
    Checking `tcpdump'... not infected
    Checking `top'... not infected
    Checking `telnetd'... not found
    Checking `timed'... not found
    Checking `traceroute'... not infected
    Checking `vdir'... not infected
    Checking `w'... not infected
    Checking `write'... not infected
    Checking `aliens'... no suspect files
    Searching for sniffer's logs, it may take a while... nothing found
    Searching for HiDrootkit's default dir... nothing found
    Searching for t0rn's default files and dirs... nothing found
    Searching for t0rn's v8 defaults... nothing found
    Searching for Lion Worm default files and dirs... nothing found
    Searching for RSHA's default files and dir... nothing found
    Searching for RH-Sharpe's default files... nothing found
    Searching for Ambient's rootkit (ark) default files and dirs... nothing found
    Searching for suspicious files and dirs, it may take a while...
    /usr/lib/perl5/5.8.5/i386-linux-thread-multi/.packlist /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi/auto/mod_perl/.packlist /usr/lib/jvm/java-1.4.2-sun-1.4.2.10/jre/.systemPrefs /usr/lib/jvm/java-1.4.2-sun-1.4.2.10/jre/.systemPrefs/.systemRootModFile /usr/lib/jvm/java-1.4.2-sun-1.4.2.10/jre/.systemPrefs/.system.lock
    /usr/lib/jvm/java-1.4.2-sun-1.4.2.10/jre/.systemPrefs
    Searching for LPD Worm files and dirs... nothing found
    Searching for Ramen Worm files and dirs... nothing found
    Searching for Maniac files and dirs... nothing found
    Searching for RK17 files and dirs... nothing found
    Searching for Ducoci rootkit... nothing found
    Searching for Adore Worm... nothing found
    Searching for ****C Worm... nothing found
    Searching for Omega Worm... nothing found
    Searching for Sadmind/IIS Worm... nothing found
    Searching for MonKit... nothing found
    Searching for Showtee... nothing found
    Searching for OpticKit... nothing found
    Searching for T.R.K... nothing found
    Searching for Mithra... nothing found
    Searching for LOC rootkit... nothing found
    Searching for Romanian rootkit... nothing found
    Searching for HKRK rootkit... nothing found
    Searching for Suckit rootkit... nothing found
    Searching for Volc rootkit... nothing found
    Searching for Gold2 rootkit... nothing found
    Searching for TC2 Worm default files and dirs... nothing found
    Searching for Anonoying rootkit default files and dirs... nothing found
    Searching for ZK rootkit default files and dirs... nothing found
    Searching for ShKit rootkit default files and dirs... nothing found
    Searching for AjaKit rootkit default files and dirs... nothing found
    Searching for zaRwT rootkit default files and dirs... nothing found
    Searching for Madalin rootkit default files... nothing found
    Searching for Fu rootkit default files... nothing found
    Searching for ESRK rootkit default files... nothing found
    Searching for rootedoor... nothing found
    Searching for anomalies in shell history files... nothing found
    Checking `asp'... not infected
    Checking `bindshell'... warning, got duplicate tcp line.
    warning, got duplicate tcp line.
    warning, got duplicate tcp line.
    warning, got duplicate tcp line.
    warning, got duplicate tcp line.
    warning, got duplicate tcp line.
    warning, got duplicate tcp line.
    warning, got duplicate tcp line.
    warning, got duplicate tcp line.
    warning, got duplicate tcp line.
    warning, got duplicate tcp line.
    warning, got duplicate tcp line.
    warning, got duplicate tcp line.
    warning, got duplicate tcp line.
    INFECTED (PORTS: 465)
    Checking `lkm'... You have 1 process hidden for readdir command
    You have 1 process hidden for ps command
    chkproc: Warning: Possible LKM Trojan installed
    Checking `rexedcs'... not found
    Checking `sniffer'... venet0: not promisc and no PF_PACKET sockets
    venet0:0: not promisc and no PF_PACKET sockets
    venet0:1: not promisc and no PF_PACKET sockets
    venet0:2: not promisc and no PF_PACKET sockets
    Checking `w55808'... not infected
    Checking `wted'... chkwtmp: nothing deleted
    Checking `scalper'... not infected
    Checking `slapper'... not infected
    Checking `z2'... chklastlog: nothing deleted
    Checking `chkutmp'... The tty of the following user process(es) were not found
    in /var/run/utmp !
    ! RUID PID TTY CMD
    ! root 7925 ttyp0 -bash
    ! root 17920 ttyp0 ftp
    ! root 25875 ttyp1 -bash
    ! root 28212 ttyp1 /bin/sh ./chkrootkit
    ! root 30570 ttyp1 ./chkutmp
    ! root 30571 ttyp1 ps ax -o tty,pid,ruser,args
    chkutmp: nothing deleted

  2. #2 Ron, Loyal Client (joined Aug 2002, 7,312 posts)
    I googled your error:
    http://www.google.com/search?sourcei...n+installed%22

    And got the following interesting results:
    Nothing to do there, that's a common false positive report from the monitoring scripts. You can safely ignore all port 465 reports
    I installed and ran chkrootkit-0.45. Everything came up "nothing found" except for the following:

    Checking `bindshell'... INFECTED (PORTS: 465)
    Checking `lkm'... You have 1 process hidden for readdir command
    You have 1 process hidden for ps command
    chkproc: Warning: Possible LKM Trojan installed

    Now, I read somewhere that the "bindshell... INFECTED" is a false positive if Cpanel is installed. Am I understanding this correctly? Also, is the LKM warning something that needs to be fixed or is that probably a false positive as well?
    [...]
    After reading the Cpanel.net forums, both warnings I received seem to be common false-positives.
    [...]
    Yeah, they are very common and nothing to worry about. I would suggest using rkhunter over chkrootkit because it is updated more frequently. Even better, just run both.
    Google even found this being discussed on these forums:
    http://www.jaguarpc.com/forums/showthread.php?t=13646
    (see post #12). Nobody answered that member... I'll give him a post to this thread!
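As an added illustration (not code from this thread or from chkrootkit itself), the script below repeats chkproc's comparison of probed `/proc/<pid>` entries against the `/proc` listing and `ps` several times, so a PID that merely started or exited between scans (the transient false positive the search results above describe) is separated from one that stays hidden in every sample; it assumes a Linux `/proc` and a `ps` that accepts `-e -o pid=`.

```python
"""Triage of chkrootkit's "process hidden for readdir/ps" warning.

chkproc probes /proc/<pid> for every possible PID and reports any PID that
exists but is missing from the /proc directory listing (readdir) or from
ps. A process that starts or exits between those enumerations looks the
same, which is the usual false positive on a busy VPS. Repeating the
comparison and intersecting the results keeps only PIDs hidden every time.
"""
import os
import subprocess
import time


def probe_pids(max_pid):
    """PIDs whose /proc/<pid> directory can be stat'ed (what chkproc probes)."""
    return {p for p in range(1, max_pid + 1) if os.path.exists(f"/proc/{p}")}


def readdir_pids():
    """PIDs returned by listing /proc, the view an LKM rootkit usually filters."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def ps_pids():
    """PIDs reported by ps(1)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_in_sample(probed, readdir, ps):
    """One chkproc-style comparison: (hidden from readdir, hidden from ps)."""
    return probed - readdir, probed - ps


def persistent_hidden(samples):
    """Intersect per-sample results: a PID must be hidden in every sample.
    samples is a list of (probed, readdir, ps) PID-set triples."""
    rd, ps = None, None
    for probed, readdir, ps_view in samples:
        h_rd, h_ps = hidden_in_sample(probed, readdir, ps_view)
        rd = h_rd if rd is None else rd & h_rd
        ps = h_ps if ps is None else ps & h_ps
    return rd or set(), ps or set()


if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    samples = []
    for _ in range(3):  # three passes a second apart; transients drop out
        samples.append((probe_pids(max_pid), readdir_pids(), ps_pids()))
        time.sleep(1)
    rd, ps = persistent_hidden(samples)
    print("hidden from readdir in every sample:", sorted(rd) or "none")
    print("hidden from ps in every sample:", sorted(ps) or "none")
```

A PID that survives all three passes while absent from readdir or ps deserves a look with `ls -l /proc/<pid>/exe` and a comparison against a known-good kernel module list; an empty result matches the "common false positive" reading of the thread.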
