From: Javier Fernandez-Sanguino
Subject: Re: [Tiger-user] Where to find more info about some trojan..
Date: Tue, 15 Nov 2005 15:25:46 +0100
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511
Robert Lindgren wrote:
Hi all,

I got this warning from tigercron:

NEW: --WARN-- [rootkit004w] Chkrootkit has detected a possible rootkit installation
NEW: Warning: Possible LKM Trojan installed

But I'm not able to find any more info about what chkrootkit thinks is a rootkit anywhere, nothing in /var/log/tiger, and running manually chkrootkit doesn't find the trojan either.

So what to do?
This is probably a spurious error that only happens when the 'check_rootkit' script is run. The relevant 'chkrootkit' code is:
    PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 | $awk -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 2; else print 1 }'`
    (...)
    if ./chkproc -p ${PV}
    then
       if [ "${QUIET}" != "t" ]; then echo "chkproc: nothing detected"; fi
    else
       echo "chkproc: Warning: Possible LKM Trojan installed"
    fi

If you run that manually (chkproc is probably under /usr/lib/chkrootkit) and don't get any result (check out $? or run with '-v') then it's a false positive. You can filter these out through tiger.ignore (or just disable the check_rootkit module or run it less frequently, your call).
Googling for "Possible LKM Trojan installed false positive chkrootkit" it looks like this is quite common if using a 2.6 kernel or if you have some short-lived processes (i.e. they are there when chkproc starts but are not any longer when it compares the process listing).
Regards,
Javier
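The comparison chkproc makes, and the short-lived-process race that produces the false positive described above, as an added example that is not part of this thread or of chkrootkit's code (the function names are hypothetical, and PID lists are passed in as strings so the logic can be exercised offline):

```shell
#!/bin/sh
# Added example, not chkrootkit's code: the check chkproc performs (PIDs present in
# /proc but missing from the ps listing) plus a re-check that tells a short-lived
# process apart from a genuinely hidden one. PID lists are passed as strings so the
# logic runs offline; on a live host feed it "ls /proc" and "ps -eo pid=" output.

# One PID per line, sorted the way comm(1) expects (lexicographic).
norm() { tr -s ' \t' '\n' | grep -E '^[0-9]+$' | sort -u; }

# suspicious <proc_list> <ps_list>: PIDs seen in /proc but absent from ps.
suspicious() {
  a=$(mktemp); b=$(mktemp)
  printf '%s\n' "$1" | norm >"$a"
  printf '%s\n' "$2" | norm >"$b"
  comm -23 "$a" "$b"
  rm -f "$a" "$b"
}

# confirmed <suspicious_list> <proc_recheck>: keep only PIDs still alive in a later
# /proc snapshot. A PID alive for the first listing but gone by the second is the
# race chkproc trips over (e.g. a cron child), not a hidden process.
confirmed() {
  a=$(mktemp); b=$(mktemp)
  printf '%s\n' "$1" | norm >"$a"
  printf '%s\n' "$2" | norm >"$b"
  comm -12 "$a" "$b"
  rm -f "$a" "$b"
}

# verdict <proc_list> <ps_list> <proc_recheck>: prints "clean" or "hidden: <pids>";
# exit status follows chkproc (0 = nothing detected, 1 = warning), so $? is usable.
verdict() {
  s=$(suspicious "$1" "$2")
  c=$(confirmed "$s" "$3")
  if [ -z "$c" ]; then
    echo clean
    return 0
  fi
  echo "hidden:" $c
  return 1
}

# Constructed sample: 4242 is a short-lived child that exited before the re-check,
# 31337 never appears in ps and is still in /proc afterwards.
verdict "1 2 100 4242 31337" "1 2 100" "1 2 100 31337" || echo "exit status $?: investigate"
```

Without the re-check, 4242 would be reported as well, which is exactly the spurious warning tigercron raised.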