You are not logged in.
- Topics: Active | Unanswered
#1 2011-03-16 00:19:57
- jon.wulf
- Member
- Registered: 2009-07-03
- Posts: 40
Chkrootkit - Possible LKM Trojan infection
Sorry to be a bother but I have a quick question. I installed Blackbuntu in Virtualbox to play with and happened to notice an unusual connection to a remote server from the VM. After shutting it down I had a usual bout of paranoia, so I ran chkrootkit... it came back with a result saying I had several hidden processes and a potential LKM Trojan along with the usual
The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! jon 9854 tty3 /usr/bin/X -nolisten tcp :0 -auth /tmp/serverauth.ymiB45cvJkresult. I restarted X and have run the program repeatedly. I have not recived that warning again. An NMap gives the usual results and rkhunter comes back fine aside from the common Arch false-postives.
Based on some Googling it seems likely that the warning was caused by a short-lived process running then and there as it where. Has anyone experienced this? Should I be worried or is it just a false alarm?
(Note: I do not run SSH, Apache or anything of that ilk.)
Thanks,
Jon
Edit:
Another site recommended running chkrootkit ps lkm which gave me an infected result then a clean one immediately after.
jon@Set ~]$ sudo chkrootkit ps lkm
ROOTDIR is `/'
Checking `ps'... not infected
Checking `lkm'... You have 4 process hidden for readdir command
You have 4 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
chkdirs: nothing detected
[jon@Set ~]$ sudo chkrootkit ps lkm
ROOTDIR is `/'
Checking `ps'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detectedLast edited by jon.wulf (2011-03-16 01:10:48)
Offline
#2 2011-03-16 01:05:54
- ngoonee
- Forum Fellow
- From: Between Thailand and Singapore
- Registered: 2009-03-17
- Posts: 7,360
Re: Chkrootkit - Possible LKM Trojan infection
Please change the title of your thread to be more descriptive of the problem. Also, it'd be easier to read if you use code tags.
Allan-Volunteer on the (topic being discussed) mailn lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.
Offline
#3 2011-03-16 01:15:19
- breaksand30
- Member
- Registered: 2011-01-13
- Posts: 39
Re: Chkrootkit - Possible LKM Trojan infection
This is because you're running BlackBuntu 
I would assume that's the problem considering BlackBuntu has trojans and such on it.
Offline
#4 2011-03-16 01:20:54
- jon.wulf
- Member
- Registered: 2009-07-03
- Posts: 40
Re: Chkrootkit - Possible LKM Trojan infection
Heh, I was wary of it, hence why I kept it in a - now deleted - VM.
Offline