#1 2011-09-10 23:09:05

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

chkrootkit's chkdir reports possible LKM trojan installed

Hi,

On a fresh install of Arch i686, chkrootkit reports

checking   lkm ... chkproc: nothing detected
-37          /usr/share
-2            /usr/bin
-1            /usr/sbin
-8            /lib
chkdirs: Warning: Possible LKM Trojan installed

This is a minimal testing system (btrfs, systemd, pacman 4, etc...) running in KVM. Meanwhile, on the Arch x86_64 host (ext4 root), chkdirs is clean.

According to chkdirs.c, this program simply reports the link count discrepancy, and I suspect it fails because of btrfs... Is there any way to see which files exactly it complains about?

Thanks.

EDIT: Also, in the testing system rkhunter is clean, but I'm not sure if it performs exactly the same checks...

Last edited by Leonid.I (2011-09-10 23:10:55)


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd

Offline

#2 2020-12-07 11:01:09

Seb35
Member
Registered: 2020-12-07
Posts: 2

Re: chkrootkit's chkdir reports possible LKM trojan installed

On a btrfs filesystem the 'lkm' test of chkrootkit will always be positive (consequently it is not useful for detecting a possible rootkit: it is at least a false positive but possibly a true positive) because st_nlink's value on directories is always 1, unlike on other filesystems. The value indicated by chkdirs is always -(1+numberOfSubDirectories) on a btrfs filesystem.

See this discussion (the referenced patch was rejected, but I did not dig in to understand exactly what it was) as well as the note in the conclusion of this blog post.

Offline
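
The link-count comparison discussed in posts #1 and #2, as an added example (not part of any post in this thread and not chkrootkit's own code): it lists each directory whose st_nlink differs from its subdirectory count plus 2, and labels the st_nlink == 1 case separately. The formula is an assumption inferred from the -(1+numberOfSubDirectories) figure quoted above, and all function names are hypothetical.

```python
#!/usr/bin/env python3
"""List directories whose link count disagrees with their subdirectory count."""
import os
import sys

def count_subdirs(path):
    """Number of real subdirectories (symlinks to directories are not counted)."""
    with os.scandir(path) as entries:
        return sum(1 for e in entries if e.is_dir(follow_symlinks=False))

def discrepancy(nlink, subdirs):
    """Assumed chkdirs-style figure: st_nlink minus (subdirs + '.' + '..')."""
    return nlink - (subdirs + 2)

def classify(nlink, subdirs):
    """Return 'ok', 'no-dir-linkcount' (st_nlink == 1, as on btrfs) or 'mismatch'."""
    if discrepancy(nlink, subdirs) == 0:
        return "ok"
    if nlink == 1:
        # The filesystem does not count subdirectories in st_nlink, so the
        # figure is always -(1 + subdirs) and says nothing about hidden entries.
        return "no-dir-linkcount"
    return "mismatch"

def scan(root):
    """Yield (path, st_nlink, subdirs, verdict) for every directory that is not 'ok'."""
    for dirpath, dirnames, _ in os.walk(root, followlinks=False):
        try:
            nlink = os.lstat(dirpath).st_nlink
            subdirs = count_subdirs(dirpath)
        except OSError:
            dirnames[:] = []  # unreadable directory: skip it and its children
            continue
        verdict = classify(nlink, subdirs)
        if verdict != "ok":
            yield dirpath, nlink, subdirs, verdict

if __name__ == "__main__":
    # Default roots are two of the directories named in the report in post #1.
    for root in sys.argv[1:] or ["/usr/bin", "/usr/sbin"]:
        for path, nlink, subdirs, verdict in scan(root):
            print(f"{discrepancy(nlink, subdirs):6d}  {verdict:17s} {path}")
```

A tree where every flagged directory is `no-dir-linkcount` matches the btrfs behaviour described in post #2; only `mismatch` rows come from a filesystem that does maintain directory link counts.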

#3 2022-03-26 11:43:56

Seb35
Member
Registered: 2020-12-07
Posts: 2

Re: chkrootkit's chkdir reports possible LKM trojan installed

I reported the issue to the author, Nelson, and he fixed it in version 0.54 released on 2020-12-24.

Offline

#4 2022-03-26 12:18:13

2ManyDogs
Forum Moderator
Registered: 2012-01-15
Posts: 3,977

Re: chkrootkit's chkdir reports possible LKM trojan installed

Thanks for the contribution, but this topic is very old and the OP has not been back since 2019.

Closing.


How to post. A sincere effort to use modest and proper language and grammar is a sign of respect toward the community.

Offline
