chkproc: Warning: Possible LKM Trojan installed - Ubuntu



  1. chkproc: Warning: Possible LKM Trojan installed

    chkrootkit says I have a possible LKM trojan. What is this? How do I
    verify it and how do I get rid of it?

    Here is my output.

    oldcomputer@ubuntu:~$ sudo chkroot
    Password:
    sudo: chkroot: command not found
    oldcomputer@ubuntu:~$ sudo chkrootkit
    ROOTDIR is `/'
    Checking `amd'... not found
    Checking `basename'... not infected
    Checking `biff'... not found
    Checking `chfn'... not infected
    Checking `chsh'... not infected
    Checking `cron'... not infected
    Checking `date'... not infected
    Checking `du'... not infected
    Checking `dirname'... not infected
    Checking `echo'... not infected
    Checking `egrep'... not infected
    Checking `env'... not infected
    Checking `find'... not infected
    Checking `fingerd'... not found
    Checking `gpm'... not found
    Checking `grep'... not infected
    Checking `hdparm'... not infected
    Checking `su'... not infected
    Checking `ifconfig'... not infected
    Checking `inetd'... not infected
    Checking `inetdconf'... not infected
    Checking `identd'... not found
    Checking `init'... not infected
    Checking `killall'... not infected
    Checking `ldsopreload'... not infected
    Checking `login'... not infected
    Checking `ls'... not infected
    Checking `lsof'... not infected
    Checking `mail'... not found
    Checking `mingetty'... not found
    Checking `netstat'... not infected
    Checking `named'... not found
    Checking `passwd'... not infected
    Checking `pidof'... not infected
    Checking `pop2'... not found
    Checking `pop3'... not found
    Checking `ps'... not infected
    Checking `pstree'... not infected
    Checking `rpcinfo'... not infected
    Checking `rlogind'... not found
    Checking `rshd'... not found
    Checking `slogin'... not infected
    Checking `sendmail'... not found
    Checking `sshd'... not found
    Checking `syslogd'... not infected
    Checking `tar'... not infected
    Checking `tcpd'... not infected
    Checking `tcpdump'... not infected
    Checking `top'... not infected
    Checking `telnetd'... not found
    Checking `timed'... not found
    Checking `traceroute'... not found
    Checking `vdir'... not infected
    Checking `w'... not infected
    Checking `write'... not infected
    Checking `aliens'... no suspect files
    Searching for sniffer's logs, it may take a while... nothing found
    Searching for HiDrootkit's default dir... nothing found
    Searching for t0rn's default files and dirs... nothing found
    Searching for t0rn's v8 defaults... nothing found
    Searching for Lion Worm default files and dirs... nothing found
    Searching for RSHA's default files and dir... nothing found
    Searching for RH-Sharpe's default files... nothing found
    Searching for Ambient's rootkit (ark) default files and dirs... nothing found
    Searching for suspicious files and dirs, it may take a while... nothing found
    Searching for LPD Worm files and dirs... nothing found
    Searching for Ramen Worm files and dirs... nothing found
    Searching for Maniac files and dirs... nothing found
    Searching for RK17 files and dirs... nothing found
    Searching for Ducoci rootkit... nothing found
    Searching for Adore Worm... nothing found
    Searching for ****C Worm... nothing found
    Searching for Omega Worm... nothing found
    Searching for Sadmind/IIS Worm... nothing found
    Searching for MonKit... nothing found
    Searching for Showtee... nothing found
    Searching for OpticKit... nothing found
    Searching for T.R.K... nothing found
    Searching for Mithra... nothing found
    Searching for LOC rootkit... nothing found
    Searching for Romanian rootkit... nothing found
    Searching for Suckit rootkit... nothing found
    Searching for Volc rootkit... nothing found
    Searching for Gold2 rootkit... nothing found
    Searching for TC2 Worm default files and dirs... nothing found
    Searching for Anonoying rootkit default files and dirs... nothing found
    Searching for ZK rootkit default files and dirs... nothing found

    --
    Brian (not wanting to be a messiah): "You are all individuals..."
    Crowd (in unison): "We are all individuals..."
    Monty Python's "Life Of Brian"
    http://www.spampoison.com


  2. Re: chkproc: Warning: Possible LKM Trojan installed

    On Thu, 13 Sep 2007 10:50:28 -0500, noalternative wrote:

    > chkrootkit says I have a possible LKM trojan. What is this? How do I
    > verify it and how do I get rid of it?


    LKM is a Linux Kernel Module, and chkrootkit is overly paranoid, throwing
    a false positive. A quick Google check shows this to be a very common
    issue with chkrootkit on 2.6.x kernels.

    Run Rootkit Hunter, which is more accurate.

    --
    Joe - Registered Linux User #449481

    "Hate is baggage, life is too short to go around pissed off all the
    time..."
    - Danny, American History X
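    The comparison behind the chkproc warning, re-created as an added example (not chkrootkit's own code): chkproc walks /proc and reports any PID that ps does not list as possibly hidden by a kernel module. Because the two snapshots are taken at different instants, a process that exits or starts in between becomes a phantom entry, which is the false positive described above; taking a second pair of snapshots separates that race from a PID that stays in /proc and stays missing from ps. The live functions assume a Linux host with ps(1) available.

```python
"""Re-create chkrootkit's chkproc test: PIDs seen in /proc but not in ps.
Added example, not chkrootkit's own code. A suspect that survives a second
pair of snapshots is worth a closer look; one that does not was a race
between the two listings, the usual cause of the warning on 2.6 kernels."""
import os
import subprocess
import time


def proc_pids():
    """PIDs visible by walking /proc (the chkproc view)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def ps_pids():
    """PIDs as ps reports them; `pid=` suppresses the header line."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def suspect_pids(proc_view, ps_view):
    """Raw chkproc logic: present in /proc, missing from ps."""
    return sorted(proc_view - ps_view)


def persistent_suspects(suspects, proc_view_now, ps_view_now):
    """Keep only suspects that still exist and that ps still omits.
    PIDs that have exited, or that a fresh ps now shows, were a race."""
    return [p for p in suspects
            if p in proc_view_now and p not in ps_view_now]


def check(snapshot_gap=0.5):
    """Live check on a Linux host: first snapshot, pause, second snapshot."""
    suspects = suspect_pids(proc_pids(), ps_pids())
    time.sleep(snapshot_gap)
    return persistent_suspects(suspects, proc_pids(), ps_pids())


if __name__ == "__main__":
    hidden = check()
    print("persistent hidden PIDs:",
          hidden or "none (chkproc-style false positive)")
```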



  3. Re: chkproc: Warning: Possible LKM Trojan installed

    On Thu, 13 Sep 2007 14:28:37 -0400:

    > On Thu, 13 Sep 2007 10:50:28 -0500, noalternative wrote:
    >
    >> chkrootkit says I have a possible LKM trojan. What is this? How do I
    >> verify it and how do I get rid of it?

    >
    > LKM is a Linux Kernel Module, and chkrootkit is overly paranoid, throwing
    > a false positive. A quick Google check shows this to be a very common
    > issue with chkrootkit on 2.6.x kernels.
    >
    > Run Rootkit Hunter, which is more accurate.
    >


    ----------------------

    Here is my experience of late:

    System: Ubuntu Linux; latest updates, etc.

    I have run both rkhunter and chkrootkit one after the other and then
    compared the output (which I pipe to a txt file and then print so I can
    physically compare, highlight and then shred).

    Some warnings are easy to figure out (like the LKM) but others are more
    obscure. Googling is a good idea on each and every one of the warnings.

    For example, I found a warning which I couldn't figure out and then simply
    opened, examined it, and then seeing nothing which made sense to me,
    changed the name of the file and chowned it to "neiman" (my nobody file
    and general bit bucket). Of course user neiman (German for no-one and a
    name which has interesting historical connections) is set to have no
    permissions at all. User neiman can't even fart.

    Next, using a combination of wireshark (as root) and the verbose output
    from firestarter I found that there was a port opened (2208) between
    "localhost and localhost" as if the work station was talking to itself
    via port 2008.

    I set firestarter to deny ports 2006, 2007, 2008 and 2009 (being extra
    careful in case of a roll-over.) Then I did a complete and drastic cold
    reboot (shutting everything off at the power mains, unplugging the cat 5
    cable from both the workstation card and from the router, then restarting
    the box, the router, the cable adapter, and other bits and pieces dangling
    from the workstation).

    Next, after the workstation was up and running with the log-on prompt
    screen, I signed on as user neiman and proceeded to load sequentially each
    of the applications which normally run open on user dave. User dave has 12
    windows set up, each one with a different function and name, looking like
    this:

    Window #:

    1 = Thunderbird email
    2 = Firefox browser
    3 = System work area (usually no applications open)
    4 = Connection Mapping (EtherApe and xtraceroute)
    5 = e-Books (browser and PDF reader for e-Books I am reading)
    6 = Working Area #1 (Open Office word processing)
    7 = Kopete Chat
    8 = Google Earth (usually not loaded)
    9 = Music (xmms connected to www.radioparadise.com - 24/7)
    10 = Solitaire, of course
    11 = KOrganizer schedule application open
    12 = System Status (Ghod view of system, including firestarter, gkrellm,
    sysmonitor, terminal window open, ksysdisk)

    What transpired on the real-time view from EtherApe compared with
    firestarter firewall, was that localhost was transmitting "where is {ip
    address of the linux box in question}" packets to localhost in what
    appeared to be an endless loop.

    I began shutting off each active process, using a root top application in
    a sudo'd terminal. I recognized that deliberately killing processes one
    by one is extremely dangerous, so I chose my victims carefully before
    beginning the whack-a-mole process.

    At the end of the killing floor process, firestarter's display of active
    connections still listed the localhost --> localhost connection on port
    2008.

    Now ports 2007 and 2008 are well known as potential holes for trojan
    behavior. My question then at that time, did the Linux box in question
    have a trojan or not?

    I continued the whack-a-mole process and eventually crashed the system when
    I yanked life support on a netstat process which appeared to be a zombie
    rather than asleep.

    I once again powered up the system and returned to user dave and the Full
    Monty of screens and applications. Neither firestarter nor EtherApe
    showed any activity on ports 2008, et al.

    I used WireShark to scan the dormant and unused WIFI card ra0 (which has
    had the actual antenna removed at the card and a terminating dummy
    antenna/RF sink screwed into the antenna connector). Nothing there,
    Citizen, no move along.

    I used WireShark again using the ea0 Cat 5 network card in both
    promiscuous mode and in non-slut mode. Again, nothing to or from 2006,
    07, or 08.

    So far (after a measured 465 hours of up time) there has been no further
    indication of any activity on the suspect ports 2006, 07, 08, 09. Neither
    has there been any other suspect behavior on other ports. Meaning that
    the ports which are sending and receiving data are the ports that are
    supposed to be there and working for the various applications loaded
    which need communications.

    Any ideas, comments, or remarks are requested.

    Thanks for your insight and I appreciate your commenting on this
    situation.

    Dave

    --
    Posted via a free Usenet account from http://www.teranews.com
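    The step the account above never reaches is naming the process behind the localhost-to-localhost connection on port 2008. As an added example (not from the thread), the code below maps a TCP port to socket inodes via /proc/net/tcp and matches those inodes to the /proc/<pid>/fd links of the owning process. The parser runs on a constructed sample; the live helper assumes a Linux host, root for other users' descriptors, and a little-endian CPU for the address encoding.

```python
"""Map a local TCP port to its owning PID(s) via /proc. Added example, not
from the thread. /proc/net/tcp gives port -> socket inode; /proc/<pid>/fd
links of the form socket:[inode] give inode -> pid. Sample data is
constructed; live_fd_links() reads the real /proc and needs root."""
import os
import socket
import struct

TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "0A": "LISTEN"}  # subset

def decode_addr(hexaddr):
    """'0100007F:07D8' -> ('127.0.0.1', 2008); assumes little-endian host order."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<L", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Rows of /proc/net/tcp as dicts; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                     "state": TCP_STATES.get(f[3], f[3]), "inode": int(f[9])})
    return rows

def sockets_on_port(rows, port):
    """Sockets whose local or remote end uses the given port."""
    return [r for r in rows if port in (r["local"][1], r["remote"][1])]

def owner_of_inode(inode, fd_links):
    """PIDs whose fd table links to socket:[inode]; fd_links is {pid: [targets]}."""
    target = f"socket:[{inode}]"
    return sorted(pid for pid, links in fd_links.items() if target in links)

def live_fd_links():
    """{pid: [readlink targets]} from the real /proc; other users' fds need root."""
    links = {}
    for d in filter(str.isdigit, os.listdir("/proc")):
        try:
            links[int(d)] = [os.readlink(f"/proc/{d}/fd/{fd}") for fd in os.listdir(f"/proc/{d}/fd")]
        except OSError:  # process vanished or not permitted
            pass
    return links

# Constructed sample: a listener on 127.0.0.1:2008 and one established local peer.
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:07D8 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 40001 1 0 100 0 0 10 0
   1: 0100007F:07D8 0100007F:A3B4 01 00000000:00000000 00:00000000 00000000  1000        0 40002 1 0 20 4 30 10 -1
"""
SAMPLE_FD_LINKS = {4242: ["/dev/null", "socket:[40001]", "socket:[40002]"], 17: ["pipe:[99]"]}
```

On a live host, feed `open("/proc/net/tcp").read()` to `parse_proc_net_tcp`, pick the rows from `sockets_on_port(rows, 2008)`, and resolve each row's inode with `owner_of_inode(inode, live_fd_links())`; an inode with no owning PID, or a connection that stays ESTABLISHED after the suspected process is gone, is the result that would have answered the question above.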

