Hi,
On a fresh install of arch i686 chkrootkit reports
checking lkm ... chkproc: nothing detected
-37 /usr/share
-2 /usr/bin
-1 /usr/sbin
-8 /lib
chkdirs: Warning: Possible LKM Trojan installed
This is a minimal testing system (btrfs, systemd, pacman 4, etc...) running in KVM. Meanwhile, on the arch x86_64 host (ext4 root), chkdirs is clean.
According to chkdirs.c, this program simply reports the link count discrepancy, and I suspect it fails because of btrfs... Is there any way to see which files exactly it complains about?
Thanks.
EDIT: Also, in the testing system rkhunter is clean, but I'm not sure if it performs exactly the same checks...
Last edited by Leonid.I (2011-09-10 23:10:55)
Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd
On a btrfs filesystem the test 'lkm' of chkrootkit will always be positive (consequently it is not useful to detect a possible rootkit: it is at least a false positive but possibly a true positive) because st_nlink's value on directories is always 1, unlike on other filesystems. The value indicated by chkdirs is always -(1+numberOfSubDirectories) on a btrfs filesystem.
See this discussion (the referenced patch was rejected, but I did not dive to understand exactly what it was) as well as the note in conclusion of this blog post.
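To make the link-count arithmetic concrete, here is an added example (not the thread's or chkrootkit's own code) that re-implements the check chkdirs performs and reports it per directory, which is the detail the original output lacks. It assumes the classic Unix rule that a directory's st_nlink equals 2 plus its number of subdirectories; the helper names and the btrfs heuristic are my own.

```python
"""Illustrative re-implementation of the directory link-count check done by
chkrootkit's chkdirs, plus the btrfs caveat discussed in this thread.

On classic Unix filesystems a directory's st_nlink is 2 (its '.' entry plus
the entry in its parent) plus one '..' entry per subdirectory, so
st_nlink - 2 should equal the number of subdirectories readdir() lists.
A subdirectory hidden from readdir() by an LKM shows up as a positive
discrepancy; btrfs reports st_nlink == 1 for every directory, which yields
exactly -(1 + subdirs) and is a filesystem artifact, not a rootkit.
"""
import os
import sys


def discrepancy(st_nlink: int, n_subdirs: int) -> int:
    """Value chkdirs reports: subdirs implied by st_nlink minus subdirs listed."""
    return (st_nlink - 2) - n_subdirs


def count_subdirs(path: str) -> int:
    """Number of real (non-symlink) subdirectories visible through readdir()."""
    n = 0
    with os.scandir(path) as it:
        for entry in it:
            if entry.is_dir(follow_symlinks=False):
                n += 1
    return n


def looks_like_btrfs_artifact(disc: int, n_subdirs: int) -> bool:
    """True when the discrepancy is exactly what a 1-link directory produces
    (assumed heuristic: matches the -(1+numberOfSubDirectories) rule above)."""
    return disc == -(1 + n_subdirs)


def scan(root: str):
    """Walk root without following symlinks and yield
    (directory, discrepancy, n_subdirs, st_nlink) for every directory whose
    link count disagrees with its listing."""
    for dirpath, _dirnames, _files in os.walk(root):
        try:
            st = os.lstat(dirpath)
            n = count_subdirs(dirpath)
        except OSError:
            continue  # unreadable directory: skip rather than misreport
        d = discrepancy(st.st_nlink, n)
        if d != 0:
            yield dirpath, d, n, st.st_nlink


def total(root: str) -> int:
    """Sum of per-directory discrepancies, the single number chkdirs prints."""
    return sum(d for _, d, _, _ in scan(root))


if __name__ == "__main__":
    for root in sys.argv[1:] or ["."]:
        for path, d, n, nlink in scan(root):
            tag = "btrfs-like" if looks_like_btrfs_artifact(d, n) else "INVESTIGATE"
            print(f"{d:+d} {path} (st_nlink={nlink}, subdirs={n}) {tag}")
        print(f"{total(root)} {root}")
```

Run it as `python3 chkdirs_demo.py /usr/share /lib` to see which directories contribute to the totals; on btrfs every directory should be tagged btrfs-like, whereas a positive discrepancy on any filesystem is the case worth a closer look.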
I reported the issue to the author, Nelson, and he fixed it in version 0.54 released on 2020-12-24.
Thanks for the contribution, but this topic is very old and the OP has not been back since 2019.
Closing.