chkproc: Warning: Possible LKM Trojan installed

Posted: 26 Mar 2019, 16:27
by LukeDouglas
I have received a few emails over the past few weeks similar to the following content. Can someone tell me if this is a serious issue and what I can do to fix it?

find: `/proc/5049': No such file or directory
find: `/proc/5799': No such file or directory
find: `/proc/5801': No such file or directory

/usr/lib/php/.registry /usr/lib/php/.registry/.channel.doc.php.net /usr/lib/php/.registry/.channel.pecl.php.net /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.depdblock /usr/lib/php/.depdb /usr/lib/php/.channels /usr/lib/php/.channels/.alias /usr/lib/php/.filemap /usr/lib/php/.lock
/usr/lib/php/.registry /usr/lib/php/.registry/.channel.doc.php.net /usr/lib/php/.registry/.channel.pecl.php.net /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.channels /usr/lib/php/.channels/.alias
INFECTED (PORTS:  465)
You have     1 process hidden for readdir command
You have     1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed

Re: chkproc: Warning: Possible LKM Trojan installed

Posted: 26 Mar 2019, 21:18
by sawbuck
Those look to be false positives from the chkrootkit script.

Re: chkproc: Warning: Possible LKM Trojan installed

Posted: 26 Mar 2019, 22:00
by LukeDouglas
Thanks!

How would I know that these are a 'false positive'?

Re: chkproc: Warning: Possible LKM Trojan installed

Posted: 26 Mar 2019, 23:17
by sawbuck
Check the FAQ for some additional info: http://chkrootkit.org/faq/

Both rkhunter and chkrootkit are prone to false positives.

Running either or both on a known good system would give you a baseline.

False positive files and directories can be ignored, but this is not generally considered good practice.
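
Added example, not part of the thread and not chkrootkit's own code: one way to use the baseline idea from the last reply is to diff a saved report from a known good run against the latest emailed report, so only findings that are new get reviewed. The function names and both sample reports are constructed for illustration (modeled on the output quoted above), and treating lines that start with `/` as lists of flagged paths is an assumption about the report layout.

```python
import re

# Alert phrases as they appear in the output quoted in this thread.
ALERT = re.compile(r"INFECTED|Warning:|hidden for")

def parse_report(text):
    """Return the set of findings in one chkrootkit report."""
    found = set()
    for raw in text.splitlines():
        line = " ".join(raw.split())      # collapse column padding
        if line.startswith("/"):          # assumption: such lines list flagged paths
            found.update("path: " + p for p in line.split())
        elif ALERT.search(line):
            found.add("alert: " + line)
        # Other lines (e.g. find's "No such file" for a PID that exited
        # mid-scan) differ on every run and are not compared.
    return found

def new_findings(baseline_text, current_text):
    """Findings present in the current report but absent from the baseline."""
    return sorted(parse_report(current_text) - parse_report(baseline_text))

# Constructed sample: report saved from a known good run.
BASELINE = """\
find: `/proc/5049': No such file or directory
/usr/lib/php/.registry /usr/lib/php/.channels /usr/lib/php/.lock
You have     1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
"""

# Constructed sample: a later report with one new path and one new alert.
CURRENT = """\
find: `/proc/6112': No such file or directory
/usr/lib/php/.registry /usr/lib/php/.channels /usr/lib/php/.lock /usr/lib/php/.example-new
INFECTED (PORTS:  465)
You have     1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
"""

if __name__ == "__main__":
    for finding in new_findings(BASELINE, CURRENT):
        print(finding)
```

The diff is only as trustworthy as the baseline: a report saved from a host that was already compromised would mask the very findings that matter.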