chkrootkit [Help]


Post by skip »

Checking `lkm'... You have 1 process hidden
Warning: Possible LKM Trojan installed

And some php and autoreg I've seen on my system, I forgot the other ones..

It changed the files to read only and I can't even get in. Says error or something during boot up and I even tried to save the chkrootkit log so I can post it here but can't do. Some protocol died message popped up. Anyways I need some help, how do I remove it? Or how do I trace where it came from? Could I fix this using a liveCD?

I'm using Kubuntu btw.


Post by rhysh »

get root and rm its files ;)

rm is the remove command


Post by bad_brain »

don't worry about the "rootkit", chkrootkit is known for false positives, I even got "lkm rootkit" warnings on freshly installed systems, better use rkhunter.
we need the error message you get during boot, then we can see what the problem is... :wink:
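An added example, not from the thread or from chkrootkit itself, of the cross-check behind chkrootkit's `lkm` test: PIDs that exist in /proc but are missing from `ps` output. It takes a second /proc snapshot so that processes which start or exit while `ps` is running, the usual source of the false positive described above, are not reported; the live part assumes a Linux /proc and a `ps` that accepts `-e -o pid=`.

```python
import os
import subprocess

def hidden_pids(proc_before, ps_pids, proc_after):
    """PIDs seen in /proc both before and after the ps snapshot, yet absent
    from ps output. Requiring presence in both /proc snapshots drops
    processes that appeared or exited while ps ran (the race that produces
    'You have N process hidden' on a clean box); what remains is worth a
    closer look with /proc/<pid>/status and /proc/<pid>/exe."""
    stable = set(proc_before) & set(proc_after)
    return sorted(stable - set(ps_pids))

def list_proc_pids():
    """PIDs visible as numeric directories in /proc (Linux only)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def list_ps_pids():
    """PIDs reported by ps, the view a process-hiding LKM would tamper with."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def live_check():
    """Snapshot /proc, run ps, snapshot /proc again, and compare."""
    before = list_proc_pids()
    visible = list_ps_pids()
    after = list_proc_pids()
    return hidden_pids(before, visible, after)

# Constructed snapshots (not real data): 4242 is in /proc both times but
# never shown by ps (a genuine candidate); 777 exited and 9000 started
# during the ps run, so each appears in only one snapshot (the false-positive case).
BEFORE = {1, 2, 100, 777, 4242}
PS = {1, 2, 100}
AFTER = {1, 2, 100, 4242, 9000}

if __name__ == "__main__":
    print("constructed sample:", hidden_pids(BEFORE, PS, AFTER))
    print("this host:", live_check())
```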


Post by ebrizzlez »

bad_brain wrote: I even got "lkm rootkit" warnings on fresh installed systems

Are you sure those are false positives or you've been rooted by me... :-99


Post by bad_brain »

well, you must be really über-1337 to be able to load a rootkit into a box where the NIC wasn't even configured....or have you sneaked inside my house? 8O :lol:


Post by rhysh »

lol maybe the feds have found you bb and are distributing u tampered distro's so they can keylog u n all :D


Post by skip »

Something like
/dev/sda1:inodes that were part of a corrupted orphan link list found
unexpected inconsistency; run fsck manually

*An automatic file system check of the root filesystem
*The root file system is currently being mounted in read-only mode.
bash: no job control in this shell
On chkrootkit:

Found some on sniffer, ssh scanners, and some else

wted 10 deletions between Sun Dec 14 15:35:42 .......

----

After I ran fsck it kinda fixed some of it I think. And the error I got from startx:
mktemp: cannot create temp file /temp/saveauth.FcbHB14485: Read-only file system

/usr/bin/startx: line 158: cannot create temp file for here document: Read-only file system

Xauth: error in locking authority file /home/skip/.Xauthority
/usr/bin/startx: line 170 cannot create temp file for here document: Read-only file system

fatal server error.
Could not create lock file in /tmp/.tX0-lock

giving up.
xinit: connection refused (errno111) unable to connect to xserver
xinit:no such process (errno3) Server
Xauth: error in locking authority file /home/skip/.Xauthority
I tried opening the .Xauthority but it's just a bunch of characters that doesn't even make sense to me. I think the rootkit changed it to a read-only file system. How do I change permissions and get rid of those rootkits and errors?


Post by bad_brain »

well, the problem is most likely caused by earlier errors during the boot process, therefore the file system is mounted read-only....and so temporary files can't be written.
to be able to start normally check the fstab entries, the file is /etc/fstab
look for:

    errors=remount-ro

and change it to:

    errors=continue

this should make a normal boot possible, but then you will have to search for the errors that caused this problem, best have a look at syslog... :wink:
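As an added example (not from the post), a small fstab editor that reads the errors= option of a mount point and rewrites it the way described above; the sample fstab, its UUIDs and its layout are constructed. Keep in mind that errors=continue only stops the kernel from remounting read-only when it hits corruption, so the filesystem still needs fsck and the cause still has to be found in syslog, as the post says.

```python
import re

# Constructed sample /etc/fstab (not taken from the thread) with the option
# the thread discusses set on the root filesystem.
SAMPLE_FSTAB = """\
# <file system> <mount point> <type> <options>                  <dump> <pass>
proc            /proc         proc   defaults                   0      0
UUID=1111-2222  /             ext3   relatime,errors=remount-ro 0      1
UUID=3333-4444  /home         ext3   relatime                   0      2
/dev/sda5       none          swap   sw                         0      0
"""

def fstab_entries(text):
    """Yield (fs, mountpoint, fstype, options_list) for every active entry."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        yield fields[0], fields[1], fields[2], fields[3].split(",")

def errors_option(text, mountpoint):
    """Value of the ext2/3/4 errors= mount option for a mount point, or None
    when it is not set (the superblock's own errors behaviour then applies)."""
    for _, mnt, _, opts in fstab_entries(text):
        if mnt == mountpoint:
            for opt in opts:
                if opt.startswith("errors="):
                    return opt.split("=", 1)[1]
            return None
    return None

def set_errors_option(text, mountpoint, value):
    """Return the fstab text with errors=<value> on the given mount point.
    Only the options column changes; whitespace and other lines are kept."""
    out = []
    for line in text.splitlines():
        parts = re.split(r"(\s+)", line)   # keep separators so the layout survives
        idx = [i for i, p in enumerate(parts) if p and not p.isspace()]
        if len(idx) >= 4 and not parts[idx[0]].startswith("#") and parts[idx[1]] == mountpoint:
            opts = [o for o in parts[idx[3]].split(",") if not o.startswith("errors=")]
            parts[idx[3]] = ",".join(opts + [f"errors={value}"])
            line = "".join(parts)
        out.append(line)
    return "\n".join(out) + "\n"
```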


Post by skip »

ahh.. thanks, all fixed. And this is what I got from rkhunter:

/usr/sbin/unhide [ Warning ]
/usr/sbin/unhide-linux26 [ Warning ]


Suckit Rookit additional checks [ OK ]

Performing trojan specific checks
Checking for enabled inetd services [ OK ]

Performing Linux specific checks
Checking kernel module commands [ OK ]
Checking kernel module names [ OK ]

Performing system configuration file checks
Checking for SSH configuration file [ Found ]
Checking if SSH root access is allowed [ Warning ]
Checking if SSH protocol v1 is allowed [ Not allowed ]
Checking for running syslog daemon [ Found ]
Checking for syslog configuration file [ Found ]
Checking if syslog remote logging is allowed [ Not allowed ]

File properties checks...
Files checked: 127
Suspect files: 2

Rootkit checks...
Rootkits checked : 110
Possible rootkits: 0

Applications checks...
Applications checked: 4
Suspect applications: 0
Am I safe? Not really?

---

I updated and upgraded it and then ran rkhunter again.
Checking system commands...

Performing 'strings' command checks
Checking 'strings' command [ OK ]

Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preload file [ Not found ]
Checking LD_LIBRARY_PATH variable [ Not found ]

Performing file properties checks
Checking for prerequisites [ OK ]
/bin/bash [ OK ]
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/cp [ OK ]
/bin/date [ OK ]
/bin/df [ OK ]
/bin/dmesg [ OK ]
/bin/echo [ OK ]
/bin/ed [ OK ]
/bin/egrep [ OK ]
/bin/fgrep [ OK ]
/bin/fuser [ OK ]
/bin/grep [ OK ]
/bin/ip [ OK ]
/bin/kill [ OK ]
/bin/login [ Warning ]
/bin/ls [ OK ]
/bin/lsmod [ OK ]
/bin/mktemp [ OK ]
/bin/more [ OK ]
/bin/mount [ OK ]
/bin/mv [ OK ]
/bin/netstat [ OK ]
/bin/ps [ OK ]
/bin/pwd [ OK ]
/bin/readlink [ OK ]
/bin/sed [ OK ]
/bin/sh [ OK ]
/bin/su [ Warning ]
/bin/touch [ OK ]
/bin/uname [ OK ]
/bin/which [ OK ]
/bin/dash [ OK ]
/usr/bin/awk [ OK ]
/usr/bin/basename [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/cut [ OK ]
/usr/bin/diff [ OK ]
/usr/bin/dirname [ OK ]
/usr/bin/dpkg [ OK ]
/usr/bin/dpkg-query [ OK ]
/usr/bin/du [ OK ]
/usr/bin/env [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/GET [ OK ]
/usr/bin/groups [ OK ]
/usr/bin/head [ OK ]
/usr/bin/id [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/last [ OK ]
/usr/bin/lastlog [ Warning ]
/usr/bin/ldd [ OK ]
/usr/bin/less [ OK ]
/usr/bin/locate [ OK ]
/usr/bin/logger [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/lsof [ OK ]
/usr/bin/mail [ OK ]
/usr/bin/md5sum [ OK ]
/usr/bin/mlocate [ OK ]
/usr/bin/newgrp [ Warning ]
/usr/bin/passwd [ Warning ]

/usr/bin/perl [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/rkhunter [ OK ]
/usr/bin/runcon [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/size [ OK ]
/usr/bin/sort [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/strace [ OK ]
/usr/bin/strings [ OK ]
/usr/bin/sudo [ OK ]
/usr/bin/tail [ OK ]
/usr/bin/test [ OK ]
/usr/bin/top [ OK ]
/usr/bin/touch [ OK ]
/usr/bin/tr [ OK ]
/usr/bin/uniq [ OK ]
/usr/bin/users [ OK ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/wc [ OK ]
/usr/bin/wget [ OK ]
/usr/bin/whatis [ OK ]
/usr/bin/whereis [ OK ]
/usr/bin/which [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
/usr/bin/gawk [ OK ]
/usr/bin/lwp-request [ OK ]
/usr/bin/bsd-mailx [ OK ]
/usr/bin/w.procps [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/ifdown [ OK ]
/sbin/ifup [ OK ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/lsmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/modprobe [ OK ]
/sbin/rmmod [ OK ]
/sbin/runlevel [ OK ]
/sbin/sulogin [ OK ]
/sbin/sysctl [ OK ]
/sbin/syslogd [ OK ]
/usr/sbin/adduser [ OK ]
/usr/sbin/chroot [ OK ]
/usr/sbin/cron [ OK ]
/usr/sbin/groupadd [ Warning ]
/usr/sbin/groupdel [ Warning ]
/usr/sbin/groupmod [ Warning ]
/usr/sbin/grpck [ Warning ]
/usr/sbin/nologin [ Warning ]
/usr/sbin/pwck [ Warning ]

/usr/sbin/tcpd [ OK ]
/usr/sbin/unhide [ Warning ]
/usr/sbin/useradd [ Warning ]
/usr/sbin/userdel [ Warning ]
/usr/sbin/usermod [ Warning ]
/usr/sbin/vipw [ Warning ]
/usr/sbin/unhide-linux26 [ Warning ]


[Press <ENTER> to continue]


Checking for rootkits...



Performing additional rootkit checks
Suckit Rookit additional checks [ OK ]

Performing trojan specific checks
Checking for enabled inetd services [ OK ]

Performing Linux specific checks
Checking kernel module commands [ OK ]
Checking kernel module names [ OK ]

Checking the local host...

Performing system boot checks
Checking for local host name [ Found ]
Checking for local startup files [ Found ]


Performing group and account checks
Checking for passwd file [ Found ]

Performing system configuration file checks
Checking for SSH configuration file [ Found ]
Checking if SSH root access is allowed [ Warning ]

Checking if SSH protocol v1 is allowed [ Not allowed ]
Checking for running syslog daemon [ Found ]
Checking for syslog configuration file [ Found ]

Checking if syslog remote logging is allowed [ Not allowed ]

Checking application versions...

Checking version of Exim MTA [ OK ]
Checking version of GnuPG [ OK ]
Checking version of OpenSSL [ OK ]
Checking version of OpenSSH [ OK ]


System checks summary
=====================

File properties checks...
Files checked: 127
Suspect files: 17

Rootkit checks...
Rootkits checked : 110
Possible rootkits: 0

Applications checks...
Applications checked: 4
Suspect applications: 0
What's the warning all about? :cry:


Post by bad_brain »

hm, have you updated the file hashes from rkhunter already? maybe the hashes are too old and this produces the warnings:

    rkhunter --update


Post by skip »

I got the same warnings and the only update on rkhunter was i18n/cn.

This is what I found in the rkhunter log:

[15:18:59] Checking for SSH configuration file [ Found ]
[15:18:59] Info: Found SSH configuration file: /etc/ssh/sshd_config
[15:18:59] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[15:18:59] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[15:18:59] Checking if SSH root access is allowed [ Warning ]
[15:18:59] Warning: The SSH and rkhunter configuration options should be the same:
[15:18:59] SSH configuration option 'PermitRootLogin': yes
[15:18:59] Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no


What's next? Am I safe or not?


Post by bad_brain »

well it's only complaining about the config option in rkhunter that is different from the SSH config, so I would say: yes... :wink:


Post by skip »

Alright, but I still receive those warnings. Is there a possible way to not receive those warnings again? :roll:


Post by bad_brain »

well, as it says in the message:

    Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
change it to "yes" and the warning should not appear again.

about the other warnings: don't take it too seriously, on Debian I get loads of them, simply because the programs are customized for the distribution, and so the hashes don't match the official ones anymore.
better analyze your system by the logs (syslog, kernel.log, daemon.log, auth.log for example), it's way more reliable..... :wink:
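Added example, not from the thread or from rkhunter: a check that reproduces the comparison rkhunter logged between `PermitRootLogin` in sshd_config and `ALLOW_SSH_ROOT_USER` in rkhunter.conf (simplified to direct equality), plus the other way of making the two agree, setting `PermitRootLogin no` in sshd_config, which also closes root logins over SSH rather than only silencing the warning. Both sample configs are constructed.

```python
import re
# Constructed sample configs (not from the thread) reproducing the mismatch
# rkhunter logged: sshd permits root login while rkhunter expects 'no'.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
#PermitRootLogin no    <- commented out, must be ignored
PasswordAuthentication yes
"""
SAMPLE_RKHUNTER_CONF = """\
# rkhunter.conf excerpt
ALLOW_SSH_ROOT_USER=no
ALLOW_SSH_PROT_V1=0
"""

def sshd_option(text, keyword, default):
    """First active occurrence wins (sshd semantics); keywords are case-insensitive."""
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z]+)\s*=?\s*(\S+)", line)  # comment lines never match
        if m and m.group(1).lower() == keyword.lower():
            return m.group(2).lower()
    return default

def rkhunter_option(text, name):
    """Value of NAME=value in rkhunter.conf, or None if unset."""
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#") and key.strip() == name:
            return value.strip().strip('"').lower()
    return None

def check_ssh_root(sshd_text, rk_text):
    """Mirror rkhunter's 'SSH root access' check: both settings must agree."""
    permit = sshd_option(sshd_text, "PermitRootLogin", "yes")   # OpenSSH default before 7.0
    allow = rkhunter_option(rk_text, "ALLOW_SSH_ROOT_USER") or "no"
    return permit == allow, f"PermitRootLogin={permit} ALLOW_SSH_ROOT_USER={allow}"

def set_sshd_option(text, keyword, value):
    """Rewrite the first active keyword line, or prepend one; the hardening fix is PermitRootLogin no."""
    out, done = [], False
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z]+)", line)
        if not done and m and m.group(1).lower() == keyword.lower():
            out.append(f"{keyword} {value}")
            done = True
        else:
            out.append(line)
    if not done:
        out.insert(0, f"{keyword} {value}")
    return "\n".join(out) + "\n"
```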


Post by skip »

Thanks for the tip, maybe it'll take me some time to read all those logs. I've seen some of it, saw it but didn't really read it at all. I'll just ask again if I get some warnings, errors or something like that. :D
