Robert Lindgren wrote:
Hi all,
I got this warning from tigercron:
NEW: --WARN-- [rootkit004w] Chkrootkit has detected a possible rootkit
installation
NEW: Warning: Possible LKM Trojan installed
But I'm not able to find any more info about what chkrootkit thinks is a
rootkit anywhere, nothing in /var/log/tiger, and running chkrootkit manually
doesn't find the trojan either.
So what to do?
This is probably a spurious error that only happens when the
'check_rootkit' script is run. The relevant 'chkrootkit' code is:
PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 | $awk -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 2; else print 1 }'`
(...)
if ./chkproc -p ${PV}
then
   if [ "${QUIET}" != "t" ]; then echo "chkproc: nothing detected"; fi
else
   echo "chkproc: Warning: Possible LKM Trojan installed"
fi
If you run that manually (chkproc is probably under
/usr/lib/chkrootkit) and don't get any result (check out $? or run
with '-v') then it's a false positive. You can filter these out
through tiger.ignore (or just disable the check_rootkit module or run
it less frequently, your call).
Googling for "Possible LKM Trojan installed false positive chkrootkit",
it looks like this is quite common if using a 2.6 kernel or if you
have some short-lived processes (i.e. they are there when chkproc starts
but are not any longer when it compares the process listing).
Regards
Javier
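As an added example (not chkrootkit's or tiger's own code), the comparison behind that warning together with a re-sampling step that separates a process which simply exited between the two listings from one that stays missing from ps. The PID sets are constructed sample data, the function names are my own, and the live check at the bottom assumes a Linux host with /proc and a ps that accepts `-eo pid=`.

```python
import os
import subprocess
from typing import Callable, Iterable, Set

def list_proc_pids() -> Set[int]:
    """The kernel's view: every numeric directory under /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def list_ps_pids() -> Set[int]:
    """The ps(1) view: the listing a process-hiding module would filter."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def hidden_pids(proc_pids: Iterable[int], ps_pids: Iterable[int]) -> Set[int]:
    """PIDs visible in /proc but missing from ps: the mismatch that chkproc
    reports as a possible LKM trojan."""
    return set(proc_pids) - set(ps_pids)

def persistent_hidden_pids(proc_pids: Iterable[int], ps_pids: Iterable[int],
                           resample_proc: Callable[[], Iterable[int]],
                           resample_ps: Callable[[], Iterable[int]]) -> Set[int]:
    """Re-check every candidate against a second pair of listings.

    A PID that has left /proc by the second sample was a short-lived process
    that exited between the /proc scan and the ps run (the false positive
    described above) and is dropped.  A PID still present in /proc and still
    absent from ps is kept for manual inspection (/proc/<pid>/status, exe)."""
    candidates = hidden_pids(proc_pids, ps_pids)
    if not candidates:
        return set()
    still_alive = candidates & set(resample_proc())
    return still_alive - set(resample_ps())

# Constructed sample data: 4100 exits between the samples, 4200 stays hidden.
SAMPLE_PROC = {1, 2, 3, 4, 4100, 4200}
SAMPLE_PS = {1, 2, 3, 4}
SAMPLE_PROC_AGAIN = {1, 2, 3, 4, 4200}
SAMPLE_PS_AGAIN = {1, 2, 3, 4}

if __name__ == "__main__":
    # Live run on a Linux host: same comparison over real listings.
    if os.path.isdir("/proc"):
        live = persistent_hidden_pids(list_proc_pids(), list_ps_pids(),
                                      list_proc_pids, list_ps_pids)
        print("persistent hidden PIDs:", sorted(live) or "none")
```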
_______________________________________________
Tiger-user mailing list
http://lists.nongnu.org/mailman/listinfo/tiger-user