Fedora Linux Support Community & Resources Center
FedoraForum.org > Fedora 17/18 > Security and Privacy
#1  gonzalo76, 13th February 2005, 08:23 AM
Chkrootkit Rootkit Detection Warning

Hi, I receive this message after scanning my system with chkrootkit:

Quote:
Checking `sshd'... /usr/bin/strings: Warning: '/' is not an ordinary file
not infected
Checking `lkm'... You have 15 process hidden for readdir command
You have 15 process hidden for ps command
Warning: Possible LKM Trojan installed
Does anybody know if this is bad or not and how to fix it?
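To see what is behind a count like "15 process hidden", here is the `lkm` comparison rebuilt by hand. This is an added example, not code from the thread or from chkrootkit: a PID is treated as hidden when a direct probe says it exists but the /proc directory listing (readdir) or `ps` does not show it. Two things the script does that a single chkrootkit run does not: it excludes non-leader thread IDs (they answer kill(tid, 0) and /proc/<tid> resolves, yet readdir(/proc) and `ps -e` never list them), and it samples twice and keeps only PIDs flagged both times, since a process that starts or exits between two listings is the usual source of a one-off "hidden" count. Assumptions: Linux, procps `ps`, Python 3; the function names are mine.

```python
"""Hidden-PID check rebuilt by hand (added example; not chkrootkit's code).

Three views of the process table are compared:
  probe    - PIDs that answer kill(pid, 0) (or refuse with EPERM)
  readdir  - names in /proc, what `ls /proc` sees
  ps       - what `ps -e` prints
Assumes Linux, procps `ps`, Python 3. Function names are mine.
"""
import os
import subprocess
import time


def pids_readdir():
    """PIDs as the /proc directory listing shows them."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def pids_ps():
    """PIDs as `ps -e` reports them."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def thread_ids():
    """Non-leader task IDs under /proc/<pid>/task: reachable, but never listed."""
    tids = set()
    for pid in pids_readdir():
        try:
            tids.update(int(t) for t in os.listdir(f"/proc/{pid}/task")
                        if int(t) != pid)
        except OSError:          # process exited while we were looking
            pass
    return tids


def pids_probe(pid_max=None):
    """PIDs that answer a direct probe; EPERM still means the PID exists."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except PermissionError:
            alive.add(pid)
        except ProcessLookupError:
            pass
    return alive


def hidden_candidates(probe, readdir, ps, tids):
    """PIDs the probe reached that readdir or ps did not show, minus thread IDs."""
    return {"readdir": sorted(probe - readdir - tids),
            "ps": sorted(probe - ps - tids)}


def stable_hidden(samples):
    """Intersect several samples so that only PIDs flagged every time survive."""
    result = {}
    for view in ("readdir", "ps"):
        sets = [set(s[view]) for s in samples]
        result[view] = sorted(set.intersection(*sets)) if sets else []
    return result


def sample():
    tids = thread_ids()
    return hidden_candidates(pids_probe(), pids_readdir(), pids_ps(), tids)


if __name__ == "__main__":
    first = sample()
    time.sleep(2)
    second = sample()
    hidden = stable_hidden([first, second])
    for view in ("readdir", "ps"):
        print(f"hidden from {view}: {hidden[view] or 'none'}")
    # A PID that survives both samples deserves a look at what it actually is.
    for pid in sorted(set(hidden["readdir"]) | set(hidden["ps"])):
        for name in ("exe", "cmdline"):
            path = f"/proc/{pid}/{name}"
            try:
                if name == "exe":
                    val = os.readlink(path)
                else:
                    with open(path, "rb") as f:
                        val = f.read(200).replace(b"\0", b" ").decode("latin-1")
            except OSError as e:
                val = f"<{e.strerror}>"
            print(f"  {path}: {val}")
```

Run it as root so the probe and the /proc walk see every process; a PID that survives both samples and whose `exe` link is unreadable or points into /tmp or a deleted file is the case worth escalating, while a list that changes completely between runs is churn, not a rootkit.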
#2  ilja, 13th February 2005, 08:36 AM
Hey gonzalo, welcome back, we missed you all.
AFAIK all Fedora installations show this message.
#3  greatscot, 13th February 2005, 12:04 PM
Quote:
Checking `sshd'... /usr/bin/strings: Warning: '/' is not an ordinary file
not infected
I get the same warning on all my FC3 machines when running chkrootkit v. 0.44, even right after a clean install before connecting the machine to the network.
#4  ezeze5000, 13th March 2005, 02:51 AM
rootkit detection

I installed rkhunter and ran it... it found this, is it a problem?
If it is, what do I do to fix it?

Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
Hint: see logfile for more information
info:
Hint: See logfile for more information about this issue
Checking for allowed protocols... [ Warning (SSH v1 allowed) ]
#5  greatscot, 13th March 2005, 03:08 AM
I have seen both of the above errors right after I install tripwire, rkhunter and chkrootkit first thing after a fresh install. I run these apps before installing any other apps or connecting the box to any network. So, I am thinking these errors are normal for FC3.
#6  death_row_1984, 7th April 2005, 02:38 PM
First I want to apologize for my English, and I'm a total noob, so I may have mistyped/misspelled anything; don't blame/flame me for it.

It can or can't be a problem, depending on how you look at it...

Situations:

No SSH: Yes, it is a problem

LAN SSH: Not really a problem

WAN SSH: In my opinion, now it is a problem

The root login by ssh can be used in several ways...
For example, I use sme-server as a gateway/decoy server...
I use ssh to remotely log in to this server; I created a user called JohnDoe which has ssh access to the server...
I disabled the remote root login. When I do want to work as root I log in as johndoe, then I use su - to change to root...
In my opinion this is safer than the remote root login.
But when you use Linux as a company server with multiple system managers, it's easier to permit root access than passing the password to everyone...

So mostly it depends on the usage of Linux, and the way you want to use ssh...

To disable the remote root login:
you should be root, so use the su - command
#nano /etc/ssh/sshd_config (or gedit, whatever your fav is...)

Read down until you find these lines:
# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

At PermitRootLogin, yours probably states yes, and you should change it to no, obviously.
#7  w5set, 7th April 2005, 06:01 PM
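The two rkhunter findings from post #4 and the fix described in post #6 come down to reading sshd_config the way sshd reads it. The script below is an added example, not rkhunter's code or the poster's: it reports the effective `PermitRootLogin` and `Protocol` values, then produces a hardened copy. The parsing rules it applies are sshd's own: the first uncommented occurrence of a keyword wins, a line starting with `#` is only a comment (so the stock `#PermitRootLogin no` line sets nothing and the built-in default still applies), and keywords after a `Match` line are conditional and are not counted as the global value. The built-in defaults assumed here are the ones that produced the warnings on that FC3 box (`PermitRootLogin yes`, `Protocol 2,1`); OpenSSH 7.0 and later default `PermitRootLogin` to `prohibit-password`, and 7.4 and later no longer support protocol 1 at all, so on a current system `sshd -T` is the authoritative view. The function names and the `ASSUMED_DEFAULTS` table are mine.

```python
"""sshd_config audit and hardening (added example; not rkhunter's code).

First uncommented occurrence wins, '#' lines are comments, keywords after
`Match` are conditional. Defaults are assumed (see ASSUMED_DEFAULTS).
"""
import re

ASSUMED_DEFAULTS = {"permitrootlogin": "yes", "protocol": "2,1"}
# Values that keep a remote root shell off the password path.
ROOT_OK = {"no", "without-password", "prohibit-password", "forced-commands-only"}
KEYVAL = re.compile(r"([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*)$")


def effective_settings(text, defaults=ASSUMED_DEFAULTS):
    """{keyword: value} for the global section; first occurrence wins."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYVAL.match(line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                    # everything below is conditional
        found.setdefault(key, val)   # first wins, as in sshd
    out = dict(defaults)
    out.update(found)
    return out


def audit(text):
    """[(keyword, effective value, verdict)] for the two checks rkhunter ran."""
    eff = effective_settings(text)
    prl = eff["permitrootlogin"].lower()
    protos = {p.strip() for p in eff["protocol"].split(",")}
    return [
        ("PermitRootLogin", prl,
         "ok" if prl in ROOT_OK else "warning: root login possible"),
        ("Protocol", eff["protocol"],
         "warning: SSH v1 allowed" if "1" in protos else "ok"),
    ]


def harden(text):
    """Copy of the config with `PermitRootLogin no` and `Protocol 2` at the top
    (so they win under first-wins) and the old global lines for those keywords
    commented out. Lines inside Match blocks are left alone."""
    out, in_match = [], False
    for raw in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9]+)", raw)
        key = m.group(1).lower() if m else ""
        if key == "match":
            in_match = True
        if not in_match and key in ("permitrootlogin", "protocol"):
            out.append("#" + raw)
        else:
            out.append(raw)
    return "PermitRootLogin no\nProtocol 2\n" + "\n".join(out) + "\n"


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    with open(path) as f:
        cfg = f.read()
    for key, val, verdict in audit(cfg):
        print(f"{key:16} {val:20} {verdict}")
    # To apply: write harden(cfg) to a scratch file, validate it with
    # `sshd -t -f <file>`, install it, then reload sshd
    # (`service sshd reload` on FC3, `systemctl reload sshd` today).
```

Keep an existing root session open while you reload, and make sure the unprivileged account you will `su -` from already has a working login; locking root out of ssh is only an improvement if somebody can still get in.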
chkrootkit doesn't show, and never has shown, 15 hidden processes that ps won't show on my computers. If you are running a newer video card and sound card then this could be a possibility, but 15 still seems a little high.
Try running rkhunter and see if it gives the same LKM trojan possibility; chkrootkit gives me heartburn by not reading FC SELinux as well as rkhunter does, i.e. more "false positives".
#8  ianmac, 7th April 2005, 08:55 PM
I agree. I run chkrootkit and I always get the "Checking `sshd'... /usr/bin/strings: Warning: '/' is not an ordinary file
not infected" warning and was told that is normal for an FC3 system, but I have never received an LKM warning and 15 does seem high. I advise you to run rkhunter along with chkrootkit because rkhunter and chkrootkit can detect different things and augment each other.
#9  nordicart, 7th April 2005, 09:17 PM
Hi,
I have the same problem, and I found information about it. It is located at:
http://www.linuxquestions.org/questi...04/10/3/242318
#10  VStrider, 17th April 2005, 04:49 PM
The chkrootkit "Checking" lines were mostly "nothing found", "not infected", "nothing deleted".
Except for this line:
Code:
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
Did it find something? What does it mean?

And I don't understand this:
Code:
Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         4085 tty1   /sbin/mingetty tty1
! root         4090 tty4   /sbin/mingetty tty4
! root         4093 tty5   /sbin/mingetty tty5
! root         4096 tty6   /sbin/mingetty tty6
Are these hidden processes? How do I check them out?

rkhunter found these hidden files and issued a warning. are these files normal?

Code:
[16:22:16] Hidden file/dir /dev/.udev.tdb [TDB database version 6, little-endian hash size 131 bytes] seems to be OK
[16:22:16] Hidden file/dir /etc/.pwd.lock [empty] seems to be OK
[16:22:16] Added /etc/.java (directory) to list of unknown hidden files/dirs
[16:22:16] WARNING, found:  /etc/.java (directory)
I do have Java installed. I checked /etc/.java; it's a hidden dir which contains two hidden files:
.system.lock and .systemRootModFile (I didn't like the name of it). However, both files are empty. Anything to worry about?
#11  Welly Wu, 28th March 2006, 06:42 AM
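The `chkutmp` block in the post above is a join between the processes `ps` shows on a tty and the records in /var/run/utmp, and "how do I check them out" is answered by doing that join yourself with the utmp record type visible. The script below is an added example, not chkrootkit's code: it parses /var/run/utmp directly and, for every process on a tty, reports whether that tty has no utmp record at all or only a LOGIN_PROCESS record (a getty waiting at the login prompt with nobody logged in), which a plain "not found" line does not distinguish. Assumptions: glibc's `struct utmp` layout on x86_64 (384-byte records, 32-bit `ut_session` and `ut_tv`), procps `ps`, Python 3; the function names are mine.

```python
"""chkutmp by hand: join `ps` tty processes against /var/run/utmp records
(added example; not chkrootkit's code). Assumes glibc x86_64 utmp layout.
"""
import os
import struct
import subprocess

UTMP_FMT = "hi32s4s32s256shhiii4i20s"   # glibc struct utmp on x86_64
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384 bytes per record
UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME",
            4: "OLD_TIME", 5: "INIT_PROCESS", 6: "LOGIN_PROCESS",
            7: "USER_PROCESS", 8: "DEAD_PROCESS"}


def cstr(b):
    """NUL-terminated fixed-width field to str."""
    return b.split(b"\0", 1)[0].decode("latin-1")


def parse_utmp(data):
    """[{type, pid, line, user}] for each record in a utmp file image."""
    entries = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        ut_type, pid, line, _id, user, *_ = struct.unpack_from(UTMP_FMT, data, off)
        entries.append({"type": UT_TYPES.get(ut_type, str(ut_type)),
                        "pid": pid, "line": cstr(line), "user": cstr(user)})
    return entries


def ps_tty_processes():
    """(ruser, pid, tty, cmd) for every process attached to a tty."""
    out = subprocess.run(["ps", "-eo", "ruser=,pid=,tty=,args="],
                         capture_output=True, text=True, check=True).stdout
    rows = []
    for ln in out.splitlines():
        parts = ln.split(None, 3)
        if len(parts) == 4 and parts[2] != "?":
            rows.append((parts[0], int(parts[1]), parts[2], parts[3]))
    return rows


def unmatched(ps_rows, utmp_entries):
    """Split ps rows into (no utmp record for the tty, only non-USER records)."""
    by_line = {}
    for e in utmp_entries:
        by_line.setdefault(e["line"], set()).add(e["type"])
    missing, login_only = [], []
    for row in ps_rows:
        types = by_line.get(row[2])
        if not types:
            missing.append(row)
        elif "USER_PROCESS" not in types:
            login_only.append(row)
    return missing, login_only


if __name__ == "__main__":
    path = "/var/run/utmp" if os.path.exists("/var/run/utmp") else "/run/utmp"
    with open(path, "rb") as f:
        entries = parse_utmp(f.read())
    missing, login_only = unmatched(ps_tty_processes(), entries)
    for ruser, pid, tty, cmd in login_only:
        print(f"login prompt only, nobody logged in: {ruser} {pid} {tty} {cmd}")
    for ruser, pid, tty, cmd in missing:
        print(f"NO utmp record for this tty:        {ruser} {pid} {tty} {cmd}")
```

A getty on an idle virtual console landing in the first group is the ordinary state of a machine nobody is sitting at; a shell or an unfamiliar binary on a tty with no utmp record at all is the case that warrants looking at `/proc/<pid>/exe` and who started it.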
I got similar results running both chkrootkit 0.46a and rkhunter 1.2.8 on my CentOS 4.3. Any tips?
#12  paul matthijsse, 28th March 2006, 08:06 AM
"Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)"
that means that chkrootkit found your ethernet connection, nothing to worry about.

Cheers, Paul.
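To put the `sniffer` line on a firmer footing: a PF_PACKET socket receives raw frames, which is what a sniffer needs and also what a DHCP client needs before the interface has an address, so `eth0: PF_PACKET(/sbin/dhclient)` means a raw packet socket on eth0 was found and its owner identified, and the question is only whether that owner is one you expect. The script below is an added example, not chkrootkit's code: it lists every packet socket from /proc/net/packet, resolves the interface index to a name, and walks /proc/<pid>/fd to find the process holding each one. Assumptions: Linux /proc, Python 3.3 or later for `socket.if_indextoname`, interface index 0 read as "any"; the function names are mine.

```python
"""Attribute PF_PACKET sockets to processes (added example; not chkrootkit's
code). Reads /proc/net/packet and matches socket inodes to /proc/<pid>/fd.
"""
import os
import socket

SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}


def parse_packet_table(text):
    """Rows of /proc/net/packet (sk RefCnt Type Proto Iface R Rmem User Inode)."""
    rows = []
    for ln in text.splitlines()[1:]:          # skip the header line
        f = ln.split()
        if len(f) < 9:
            continue
        rows.append({"type": SOCK_TYPES.get(int(f[2]), f[2]),
                     "proto": int(f[3], 16),   # 0x0003 = ETH_P_ALL
                     "ifindex": int(f[4]),
                     "inode": int(f[8])})
    return rows


def socket_owners(fd_links):
    """{socket inode: [(pid, exe)]} from {pid: (exe, [fd symlink targets])}."""
    owners = {}
    for pid, (exe, links) in fd_links.items():
        for target in links:
            if target.startswith("socket:[") and target.endswith("]"):
                owners.setdefault(int(target[8:-1]), []).append((pid, exe))
    return owners


def live_fd_links():
    """Every /proc/<pid>/fd symlink target; run as root to see other users' fds."""
    result = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = "?"
        links = []
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                try:
                    links.append(os.readlink(f"/proc/{pid}/fd/{fd}"))
                except OSError:
                    pass
        except OSError:
            pass
        result[pid] = (exe, links)
    return result


def ifname(index):
    """Interface name for an ifindex; 0 means the socket is bound to no interface."""
    if index == 0:
        return "any"
    try:
        return socket.if_indextoname(index)
    except OSError:
        return f"if{index}"


def report(rows, owners):
    """One line per packet socket: interface, type, protocol, and the holder."""
    lines = []
    for r in rows:
        who = owners.get(r["inode"]) or [("?", "unknown (run as root)")]
        held = ", ".join(f"{exe}[{pid}]" for pid, exe in who)
        lines.append(f"{ifname(r['ifindex'])}: PF_PACKET {r['type']} "
                     f"proto=0x{r['proto']:04x} {held}")
    return lines


if __name__ == "__main__":
    with open("/proc/net/packet") as f:
        table = parse_packet_table(f.read())
    for line in report(table, socket_owners(live_fd_links())):
        print(line)
```

dhclient, a DHCP client daemon, or tcpdump you started yourself are expected holders; an unfamiliar binary, one running from /tmp, or a socket whose owner cannot be found even as root is what to chase.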