
Re: [Tiger-user] Where to find more info about some trojan..


From: Javier Fernandez-Sanguino
Subject: Re: [Tiger-user] Where to find more info about some trojan..
Date: Tue, 15 Nov 2005 15:25:46 +0100
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511

Robert Lindgren wrote:

Hi all,

I got this warning from tigercron:
NEW: --WARN-- [rootkit004w] Chkrootkit has detected a possible rootkit installation
NEW: Warning: Possible LKM Trojan installed

But I'm not able to find any more info about what chkrootkit thinks is a rootkit anywhere, nothing in /var/log/tiger, and running manually chkrootkit doesn't find the trojan either.

So what to do?

This is probably a spurious error that only happens when the 'check_rootkit' script is run. The relevant 'chkrootkit' code is:

PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 | $awk -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 2; else print 1 }'`
(...)
if ./chkproc -p ${PV}
then
    if [ "${QUIET}" != "t" ]; then echo "chkproc: nothing detected"; fi
else
    echo "chkproc: Warning: Possible LKM Trojan installed"
fi

If you run that manually (chkproc is probably under /usr/lib/chkrootkit) and don't get any result (check out $? or run with '-v') then it's a false positive. You can filter these out through tiger.ignore (or just disable the check_rootkit module or run it less frequently, your call).

Googling for "Possible LKM Trojan installed false positive chkrootkit" it looks like this is quite common if using a 2.6 kernel or if you have some short-lived process (i.e., they are there when chkproc starts but are not any longer when it compares the process listing).

Regards

Javier
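The race Javier describes (a process present in /proc when chkproc starts but gone by the time the ps listing is compared) can be checked for directly before adding anything to tiger.ignore. The script below is an added example, not part of the thread and not chkrootkit's or tiger's own code: it repeats the /proc-versus-ps comparison over several rounds and reports only PIDs that are missing from ps in every round, so a short-lived process cannot trigger the warning on its own. The function names and the ROUNDS/DELAY parameters are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread, chkrootkit or tiger): repeat the
# /proc-vs-ps comparison behind the "Possible LKM Trojan" warning and keep
# only PIDs that stay hidden across every round, so a short-lived process
# that exits between the two listings does not raise a false positive.
# Function names and the ROUNDS/DELAY parameters are this example's own.

# PIDs visible as numeric directories under /proc. The argument is the round
# number; it is ignored here but lets a test double vary its output per round.
pids_from_proc() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] || continue
        echo "${d#/proc/}"
    done
}

# PIDs reported by ps, one per line (round argument ignored, see above).
pids_from_ps() {
    ps -e -o pid= | tr -d ' '
}

# Print each PID from list $1 that is absent from list $2.
# Lists are whitespace-separated (spaces or newlines); $2 is deliberately
# left unquoted so printf re-joins it into a single space-separated string.
pids_missing_from() {
    hay=" $(printf '%s ' $2)"
    for p in $1; do
        case "$hay" in
            *" $p "*) ;;          # seen by both listings: nothing to report
            *) echo "$p" ;;
        esac
    done
}

# Print each PID from list $1 that is also present in list $2.
pids_common() {
    hay=" $(printf '%s ' $2)"
    for p in $1; do
        case "$hay" in
            *" $p "*) echo "$p" ;;
        esac
    done
}

# confirm_hidden ROUNDS [PROC_FN] [PS_FN] [DELAY]
# Runs ROUNDS comparisons, DELAY seconds apart, and prints only the PIDs that
# were in /proc but not in ps in every round. An empty result means the
# single-shot warning was a timing artefact, not a hidden process.
confirm_hidden() {
    rounds=${1:-3}
    proc_fn=${2:-pids_from_proc}
    ps_fn=${3:-pids_from_ps}
    delay=${4:-1}
    candidates=""
    i=0
    while [ "$i" -lt "$rounds" ]; do
        missing=$(pids_missing_from "$("$proc_fn" "$i")" "$("$ps_fn" "$i")")
        if [ "$i" -eq 0 ]; then
            candidates=$missing
        else
            candidates=$(pids_common "$candidates" "$missing")
        fi
        [ -n "$candidates" ] || break   # nothing left to confirm
        i=$((i + 1))
        if [ "$i" -lt "$rounds" ]; then sleep "$delay"; fi
    done
    echo "$candidates"
}

# Run against the live system with:  sh thisscript.sh --run
# Exit status 1 when something stays hidden, 0 otherwise (the $? check from
# the reply above applied to the repeated comparison).
if [ "${1:-}" = "--run" ]; then
    hidden=$(confirm_hidden 3)
    if [ -n "$hidden" ]; then
        echo "PIDs in /proc but never in ps: $hidden"
        exit 1
    fi
    echo "no persistently hidden processes"
fi
```

Note that the script's own subshells are themselves short-lived processes (the one reading /proc has exited by the time ps runs), which is exactly why a single comparison is unreliable; a PID only survives the intersection if it is still hidden on the next round. If nothing persists, the tigercron warning can be filtered through tiger.ignore with reasonable confidence.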
