
#1 2011-03-16 00:19:57

jon.wulf
Member
Registered: 2009-07-03
Posts: 40

Chkrootkit - Possible LKM Trojan infection

Sorry to be a bother but I have a quick question. I installed Blackbuntu in Virtualbox to play with and happened to notice an unusual connection to a remote server from the VM. After shutting it down I had a usual bout of paranoia, so I ran chkrootkit... it came back with a result saying I had several hidden processes and a potential LKM Trojan along with the usual

The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! jon          9854 tty3   /usr/bin/X -nolisten tcp :0 -auth /tmp/serverauth.ymiB45cvJk

result. I restarted X and have run the program repeatedly. I have not received that warning again. An Nmap gives the usual results and rkhunter comes back fine aside from the common Arch false positives.
Based on some Googling it seems likely that the warning was caused by a short-lived process running then and there, as it were. Has anyone experienced this? Should I be worried or is it just a false alarm?
(Note: I do not run SSH, Apache or anything of that ilk.)

Thanks,

Jon

Edit:

Another site recommended running chkrootkit ps lkm, which gave me an infected result and then a clean one immediately after.

jon@Set ~]$ sudo chkrootkit ps lkm
ROOTDIR is `/'
Checking `ps'... not infected
Checking `lkm'... You have     4 process hidden for readdir command
You have     4 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
chkdirs: nothing detected
[jon@Set ~]$ sudo chkrootkit ps lkm
ROOTDIR is `/'
Checking `ps'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected

Last edited by jon.wulf (2011-03-16 01:10:48)

Offline
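The one-off "process hidden for readdir/ps" hit in the post above is what you get when chkproc's passes race a short-lived process. Below is an added example, my own code and not chkrootkit's, that performs the same kind of comparison (a kill(pid, 0) probe sweep against the readdir view of /proc and against ps) and re-probes every miss so processes that have already exited are reported as transient rather than hidden; it also filters thread ids, another known cause of such hits on Linux. It assumes a Linux /proc and ps(1); the function names are mine.

```python
import os
import subprocess

def readdir_view():
    """PIDs visible as numeric entries of /proc, i.e. what readdir(3) returns."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def ps_view():
    """PIDs as listed by ps(1)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def alive(pid):
    """Probe with kill(pid, 0): sends no signal, only asks whether pid exists.
    EPERM means it exists but belongs to another user."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True

def is_thread(pid):
    """Linux answers kill(tid, 0) for thread ids too, but hides them from
    readdir of /proc; a Tgid differing from pid marks such a false hit."""
    try:
        with open(f"/proc/{pid}/status") as f:
            tgid = next(int(l.split()[1]) for l in f if l.startswith("Tgid:"))
    except (OSError, StopIteration):
        return False
    return tgid != pid

def classify(probed, listed, still_alive=alive, thread=is_thread):
    """Split PIDs the listing missed into (hidden, transient, threads).
    A pid that is gone on re-probe was a short-lived process caught between
    the two passes (the one-off hit in the post), not a hidden one."""
    missing = probed - listed
    threads = {p for p in missing if thread(p)}
    transient = {p for p in missing - threads if not still_alive(p)}
    return missing - threads - transient, transient, threads

def scan(max_pid=32768):
    """The two comparisons chkproc reports: hidden for readdir, hidden for ps.
    32768 is the classic pid_max; read /proc/sys/kernel/pid_max for more."""
    probed = {p for p in range(1, max_pid + 1) if alive(p)}
    return classify(probed, readdir_view()), classify(probed, ps_view())
```

Run scan() twice a few seconds apart: a pid that is hidden in both runs is worth investigating, while a pid that lands in the transient set was simply a process that exited mid-scan.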

#2 2011-03-16 01:05:54

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 7,360

Re: Chkrootkit - Possible LKM Trojan infection

Please change the title of your thread to be more descriptive of the problem. Also, it'd be easier to read if you use code tags.


Allan-Volunteer on the (topic being discussed) mailing lists. You never get the people who matter's attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.

Offline

#3 2011-03-16 01:15:19

breaksand30
Member
Registered: 2011-01-13
Posts: 39

Re: Chkrootkit - Possible LKM Trojan infection

This is because you're running BlackBuntu. I would assume that's the problem, considering BlackBuntu has trojans and such on it.

Offline

#4 2011-03-16 01:20:54

jon.wulf
Member
Registered: 2009-07-03
Posts: 40

Re: Chkrootkit - Possible LKM Trojan infection

Heh, I was wary of it, hence why I kept it in a - now deleted - VM.

Offline
