chkproc: Warning: Possible LKM Trojan installed

4 posts Page 1 of 1
LukeDouglas
Junior Member
Posts: 24
Joined: 22 Apr 2016, 17:35


I have received a few emails over the past few weeks similar to the following content. Can someone tell me if this is a serious issue and what I can do to fix it.
Code: Select all
find: `/proc/5049': No such file or directory
find: `/proc/5799': No such file or directory
find: `/proc/5801': No such file or directory

/usr/lib/php/.registry /usr/lib/php/.registry/.channel.doc.php.net /usr/lib/php/.registry/.channel.pecl.php.net /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.depdblock /usr/lib/php/.depdb /usr/lib/php/.channels /usr/lib/php/.channels/.alias /usr/lib/php/.filemap /usr/lib/php/.lock
/usr/lib/php/.registry /usr/lib/php/.registry/.channel.doc.php.net /usr/lib/php/.registry/.channel.pecl.php.net /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.channels /usr/lib/php/.channels/.alias
INFECTED (PORTS:  465)
You have     1 process hidden for readdir command
You have     1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
sawbuck
Junior Member
Posts: 366
Joined: 10 Dec 2006, 16:20


Those look to be false positives from the chkrootkit script.
Last edited by sawbuck on 26 Mar 2019, 23:12, edited 2 times in total.
LukeDouglas
Junior Member
Posts: 24
Joined: 22 Apr 2016, 17:35


Thanks!

How would I know that these are a 'false positive'?
sawbuck
Junior Member
Posts: 366
Joined: 10 Dec 2006, 16:20


Check the FAQ for some additional info: http://chkrootkit.org/faq/

Both rkhunter and chkrootkit are prone to false positives.

Running either or both on a known good system would you give you a baseline.

False positive files and directories can be ignored but not generally considered good practice.
4 posts Page 1 of 1