Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

chkproc: Warning: Possible LKM Trojan installed

Posted on 2011-02-11
6
Medium Priority
?
885 Views
Last Modified: 2012-05-11
I got the below email warning from my server and not sure how to proceed with it.
I've gotten it a few time and the last couple of times I've just ignored it.


/var/www/mrtg/tcp.log

/usr/lib/php/.registry /usr/lib/php/.registry/.channel.pecl.php.net /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.channels /usr/lib/php/.channels/.alias
You have     2 process hidden for readdir command
You have     2 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed

Open in new window

0
Comment
Question by:sobeservices2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 6

Assisted Solution

by:de2Zotjes
de2Zotjes earned 1500 total points
ID: 34877983
Do you get this mail from the very first time you ever ran the program that sends this mail ? (some type of rootkit checker I suppose)

If you run the rootkit detector for a long time and at some point in time you start getting this mail, it is a strong indicator you have a rootkit installed on your system. If that is the case the only sensible course of action is to do a full reinstall of the system.

If on the other hand the report has come out of the checker since the first time you ran it this is probably a false positive. Still necessary to inspect further to find out what exactly is hidden in what manner, but no cause for alarm.
0
 

Author Comment

by:sobeservices2
ID: 34881497
"If on the other hand the report has come out of the checker since the first time you ran it this is probably a false positive. Still necessary to inspect further to find out what exactly is hidden in what manner, but no cause for alarm."

I understand but I keep getting it. how can I inspect further.

0
 
LVL 6

Accepted Solution

by:
de2Zotjes earned 1500 total points
ID: 34883312
check in the mail you receive what executable is sending the mail. Start a shell and run the command from there. Try with extra verbosity or debug setting. Read the man page for the executable, perhaps it has a settings file where you can tune the sensitivity.
0
Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

 

Author Comment

by:sobeservices2
ID: 34899330
What do you mean check the shell and run command from there what commands?
0
 

Author Closing Comment

by:sobeservices2
ID: 34899337
Good job
0
 

Author Comment

by:sobeservices2
ID: 34899341
Took me in the right directions
0

Featured Post

Application Discovery Service in AWS

In the era of the cloud, customers migrating away from their existing on-premise infrastructure. This requires lots of planning, strategies, and effort to identify their existing resources and determine how best to migrate.  Datacenter migrations happen in four phases -

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Little introduction about CP: CP is a command on linux that use to copy files and folder from one location to another location. Example usage of CP as follow: cp /myfoder /pathto/destination/folder/ cp abc.tar.gz /pathto/destination/folder/ab…
It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
Suggested Courses

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question