Solved

chkproc: Warning: Possible LKM Trojan installed

Posted on 2011-02-11
6
846 Views
Last Modified: 2012-05-11
I got the below email warning from my server and not sure how to proceed with it.
I've gotten it a few time and the last couple of times I've just ignored it.


/var/www/mrtg/tcp.log

/usr/lib/php/.registry /usr/lib/php/.registry/.channel.pecl.php.net /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.channels /usr/lib/php/.channels/.alias
You have     2 process hidden for readdir command
You have     2 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed

Open in new window

0
Comment
Question by:sobeservices2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 6

Assisted Solution

by:de2Zotjes
de2Zotjes earned 500 total points
ID: 34877983
Do you get this mail from the very first time you ever ran the program that sends this mail ? (some type of rootkit checker I suppose)

If you run the rootkit detector for a long time and at some point in time you start getting this mail, it is a strong indicator you have a rootkit installed on your system. If that is the case the only sensible course of action is to do a full reinstall of the system.

If on the other hand the report has come out of the checker since the first time you ran it this is probably a false positive. Still necessary to inspect further to find out what exactly is hidden in what manner, but no cause for alarm.
0
 

Author Comment

by:sobeservices2
ID: 34881497
"If on the other hand the report has come out of the checker since the first time you ran it this is probably a false positive. Still necessary to inspect further to find out what exactly is hidden in what manner, but no cause for alarm."

I understand but I keep getting it. how can I inspect further.

0
 
LVL 6

Accepted Solution

by:
de2Zotjes earned 500 total points
ID: 34883312
check in the mail you receive what executable is sending the mail. Start a shell and run the command from there. Try with extra verbosity or debug setting. Read the man page for the executable, perhaps it has a settings file where you can tune the sensitivity.
0
Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

 

Author Comment

by:sobeservices2
ID: 34899330
What do you mean check the shell and run command from there what commands?
0
 

Author Closing Comment

by:sobeservices2
ID: 34899337
Good job
0
 

Author Comment

by:sobeservices2
ID: 34899341
Took me in the right directions
0

Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
The purpose of this article is to demonstrate how we can use conditional statements using Python.
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question