Archive for the tag 'chkrootkit'

Chkrootkit outputs hidden processes and LKM warnings.

The LKM warnings appear whenever "hidden" processes are found, that is, PIDs that exist in /proc but do not show up in the ps listing. On a busy server they are usually processes that started or exited between the different checks chkrootkit runs while processing, typically short-lived mysql, httpd or exim child processes. You can see exactly which processes are being caught by running the lkm test on its own in expert mode:

cd /root/chkrootkit-0.*
./chkrootkit -x lkm

Run it a few times. You will probably find that it returns anything from no processes to several, and that the PIDs change from one run to the next, which is what a transient process looks like. A PID that keeps being reported and is still present in /proc is the one worth investigating.
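The check behind that warning, as an added example that is not chkrootkit's own code: list the PIDs that are in /proc but not in ps, then look at each hit again a second later so that a process that simply exited between the two listings ("transient") can be told apart from one that is still running and still missing from ps ("hidden"). The function names and the SCAN1/SCAN2 PID lists are constructed for this example; live_check assumes a Linux host with /proc mounted and a ps that accepts -e -o pid=.

```sh
#!/bin/sh
# Added example (not chkrootkit's code): the core of the "hidden process"
# test, plus a second look at each hit to separate noise from a real find.
# Function names and the sample PID lists are this example's own.

# hidden_pids PROC_LIST PS_LIST
# Both arguments are whitespace-separated PID lists. Prints, one per line and
# numerically sorted, the PIDs present in PROC_LIST but absent from PS_LIST.
hidden_pids() {
    for pid in $1; do
        found=0
        for p in $2; do
            if [ "$p" = "$pid" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then echo "$pid"; fi
    done | sort -n
}

# classify_pid PID PROC_LIST PS_LIST
# Second look at a flagged PID against a later pair of listings:
#   transient - gone from /proc: it exited between the scans (the usual
#               short-lived mysql/httpd/exim child, a false positive)
#   hidden    - still in /proc, still missing from ps: investigate it
#   visible   - ps lists it now: the first listing just raced against it
classify_pid() {
    pid=$1 in_proc=0 in_ps=0
    for p in $2; do if [ "$p" = "$pid" ]; then in_proc=1; fi; done
    for p in $3; do if [ "$p" = "$pid" ]; then in_ps=1; fi; done
    if [ "$in_proc" -eq 0 ]; then echo transient
    elif [ "$in_ps" -eq 0 ]; then echo hidden
    else echo visible
    fi
}

# Live listings on a Linux host (assumption: /proc is mounted, ps supports -o).
snapshot_proc() { ls /proc | grep -E '^[0-9]+$'; }
snapshot_ps()   { ps -e -o pid= | tr -d ' '; }

# live_check: two rounds of listings a second apart. The command substitutions
# and ps itself are short-lived processes, so expect a few "transient" hits,
# which is exactly the noise described above. Run as root on the host.
live_check() {
    p1=$(snapshot_proc); s1=$(snapshot_ps)
    hits=$(hidden_pids "$p1" "$s1")
    if [ -z "$hits" ]; then echo "no hidden processes"; return 0; fi
    sleep 1
    p2=$(snapshot_proc); s2=$(snapshot_ps)
    for pid in $hits; do
        verdict=$(classify_pid "$pid" "$p2" "$s2")
        echo "$pid: $verdict"
        if [ "$verdict" = hidden ]; then
            # Still there and still invisible to ps: see what it is first.
            ls -l "/proc/$pid/exe" 2>/dev/null || true
            tr '\000' ' ' < "/proc/$pid/cmdline" 2>/dev/null || true; echo
        fi
    done
}

# Constructed sample data standing in for two scans a moment apart.
# Scan 1: /proc shows 1 2 100 4242 5000, ps shows all but 4242 and 5000.
# Scan 2: 5000 (say, an exim child) has exited; 4242 is still in /proc and
# still not in ps.
SCAN1_PROC="1 2 100 4242 5000"
SCAN1_PS="1 2 100"
SCAN2_PROC="1 2 100 4242"
SCAN2_PS="1 2 100"

demo() {
    for pid in $(hidden_pids "$SCAN1_PROC" "$SCAN1_PS"); do
        echo "$pid: $(classify_pid "$pid" "$SCAN2_PROC" "$SCAN2_PS")"
    done
}
demo
```

On the sample data demo prints "4242: hidden" and "5000: transient". Only the "hidden" verdict deserves attention, and even then /proc/PID/exe and /proc/PID/cmdline should be read before concluding anything; a process that ps cannot see but /proc can is the symptom the LKM test is looking for, not proof of a rootkit by itself.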

Can chkrootkit detect modified (or new) rootkit versions?

If chkrootkit can't find a known signature inside a file, it can't automatically determine whether that file has been trojaned. Try running chkrootkit in expert mode (-x option): in this mode it prints the strings found in the binaries it checks and leaves the judgement to you, so you can look for suspicious strings (unexpected pathnames, hostnames, option names) that may indicate a trojan. Compare what you see against what the stock binary from your distribution should contain.

For example, the full dump is long, so page through it:

# ./chkrootkit -x | more

To list only the pathnames embedded in the system commands it checks:

# ./chkrootkit -x | egrep '^/'
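The same pathname extraction done with POSIX tools, plus the step that makes the list actionable: comparing it against a known-good copy of the same program. This is an added example, not chkrootkit's or the page author's code; path_strings emulates what the egrep above does on a single file, and make_samples builds two small constructed files (not a real ps, not a real rootkit) so the example runs offline.

```sh
#!/bin/sh
# Added example (not chkrootkit's code): pull absolute pathnames out of a
# binary the way "chkrootkit -x | egrep '^/'" shows them, and report the ones
# a known-good copy of the same program does not contain.
# Function names and the sample files are constructed for this example.

# path_strings FILE
# Emulates "strings FILE | grep '^/'" with POSIX tools only: split the file
# on non-printable bytes and keep runs of 4+ printable characters that start
# with '/'. Output is sorted and unique so it can be fed to comm.
path_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^/.{3,}' | sort -u
}

# new_paths GOOD_FILE SUSPECT_FILE
# Pathnames embedded in SUSPECT_FILE that GOOD_FILE does not contain. Anything
# printed here is a string the packaged binary never had and deserves a look.
new_paths() {
    good=$(mktemp); suspect=$(mktemp)
    path_strings "$1" > "$good"
    path_strings "$2" > "$suspect"
    comm -13 "$good" "$suspect"
    rm -f "$good" "$suspect"
}

# make_samples: two constructed "binaries" standing in for a packaged ps and
# the installed one. Both carry the same strings; the suspect copy has one
# extra pathname. The content is synthetic.
make_samples() {
    dir=$(mktemp -d)
    printf '\177ELF\001\002/proc\000/proc/%%d/stat\000\003\004' > "$dir/ps.good"
    printf '\177ELF\001\002/proc\000/proc/%%d/stat\000/tmp/extra-path-added-for-demo\000\003' > "$dir/ps.suspect"
    echo "$dir"
}

samples=$(make_samples)
echo "pathnames only in the suspect copy:"
new_paths "$samples/ps.good" "$samples/ps.suspect"
rm -rf "$samples"
```

In practice the known-good copy comes from the distribution package (for example extracted with dpkg -x or rpm2cpio rather than installed) or from rescue media, and both files should be read from a system you trust, because a trojaned binary can only be judged by tools that are not themselves trojaned.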