Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

chkproc: Warning: Possible LKM Trojan installed

Posted on 2011-02-11
6
838 Views
Last Modified: 2012-05-11
I got the below email warning from my server and not sure how to proceed with it.
I've gotten it a few time and the last couple of times I've just ignored it.


/var/www/mrtg/tcp.log

/usr/lib/php/.registry /usr/lib/php/.registry/.channel.pecl.php.net /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.channels /usr/lib/php/.channels/.alias
You have     2 process hidden for readdir command
You have     2 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed

Open in new window

0
Comment
Question by:sobeservices2
  • 4
  • 2
6 Comments
 
LVL 6

Assisted Solution

by:de2Zotjes
de2Zotjes earned 500 total points
ID: 34877983
Do you get this mail from the very first time you ever ran the program that sends this mail ? (some type of rootkit checker I suppose)

If you run the rootkit detector for a long time and at some point in time you start getting this mail, it is a strong indicator you have a rootkit installed on your system. If that is the case the only sensible course of action is to do a full reinstall of the system.

If on the other hand the report has come out of the checker since the first time you ran it this is probably a false positive. Still necessary to inspect further to find out what exactly is hidden in what manner, but no cause for alarm.
0
 

Author Comment

by:sobeservices2
ID: 34881497
"If on the other hand the report has come out of the checker since the first time you ran it this is probably a false positive. Still necessary to inspect further to find out what exactly is hidden in what manner, but no cause for alarm."

I understand but I keep getting it. how can I inspect further.

0
 
LVL 6

Accepted Solution

by:
de2Zotjes earned 500 total points
ID: 34883312
check in the mail you receive what executable is sending the mail. Start a shell and run the command from there. Try with extra verbosity or debug setting. Read the man page for the executable, perhaps it has a settings file where you can tune the sensitivity.
0
Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

 

Author Comment

by:sobeservices2
ID: 34899330
What do you mean check the shell and run command from there what commands?
0
 

Author Closing Comment

by:sobeservices2
ID: 34899337
Good job
0
 

Author Comment

by:sobeservices2
ID: 34899341
Took me in the right directions
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
Fine Tune your automatic Updates for Ubuntu / Debian
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question