Rootkit? - Chkrootkit Result

[Greg988]

I get this when I run chkrootkit:

Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 2167 tty1 /usr/bin/Xorg :0 -nr -verbose -auth /var/run/gdm/auth-for-gdm-1tUOpM/database -nolisten tcp vt1
chkutmp: nothing deleted
Press ENTER to exit


Any ideas what's going on here?

[Rubberman]

I get this when I run chkrootkit:

Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 2167 tty1 /usr/bin/Xorg :0 -nr -verbose -auth /var/run/gdm/auth-for-gdm-1tUOpM/database -nolisten tcp vt1
chkutmp: nothing deleted
Press ENTER to exit


Any ideas what's going on here?

Looking at the man page for utmp, it says

The utmp file allows one to discover information about who is currently using
the system. There may be more users currently using the system, because not
all programs use utmp logging.

Warning: utmp must not be writable, because many system programs (foolishly)
depend on its integrity. You risk faked system logfiles and modifications of
system files if you leave utmp writable to any user.

What that tells me, is that utmp should have a list (in binary format) of all running user processes, and that chkrootkit compares all the user processes running in the system with what is registered in /var/run/utmp, reporting the fact that one process being run by root is not registered. That doesn't mean that it is a rootkit or data logger, though it might be. That's what you need to determine, whether or not it is benign, as malware would likely be written so as to avoid being registered, making it harder to find and eradicate.

Ok. I just installed and ran chkrootkit v0.47-1 on my CentOS 5.3 system, and the following is the output from that:

[root@cos1 etc]# chkrootkit
ROOTDIR is `/'
Checking `amd'... not infected
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not found
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not infected
Checking `rshd'... not infected
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/gtk-2.0/immodules/.relocation-tag /usr/lib/parallels/.parallels_common_options /usr/lib/parallels/.not_configured /usr/lib/firefox-3.0.9/.autoreg /lib/.libcrypto.so.0.9.8e.hmac /lib/.libcrypto.so.6.hmac

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... /usr/lib/security
/usr/lib/security/classpath.security
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for anomalies in shell history files... Warning: `' is linked to another file
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 4759 tty5 /sbin/mingetty tty5
! root 5171 tty7 /usr/bin/Xorg :0 -br -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7
chkutmp: nothing deleted

So, you can see that I have an entry at the end like yours - which is xorg (the X-Windows server) listening for remote desktop connection requests, which is OK because I set it up for that. I see some hidden library files that I need to check out, however.

[Greg988]

Looking at the man page for utmp, it says
What that tells me, is that utmp should have a list (in binary format) of all running user processes, and that chkrootkit compares all the user processes running in the system with what is registered in /var/run/utmp, reporting the fact that one process being run by root is not registered. That doesn't mean that it is a rootkit or data logger, though it might be. That's what you need to determine, whether or not it is benign, as malware would likely be written so as to avoid being registered, making it harder to find and eradicate.

Ok. I just installed and ran chkrootkit v0.47-1 on my CentOS 5.3 system, and the following is the output from that:
So, you can see that I have an entry at the end like yours - which is xorg (the X-Windows server) listening for remote desktop connection requests, which is OK because I set it up for that. I see some hidden library files that I need to check out, however.

What would be the best way to disable this? (the X-window server listening for remote desktop connections).

I freshly installed my OS (Fedora 10) as it screwed up after playing with GRSECURITY. (Shortly after making my first post)

When I run chkrootkit again, the same process comes up, except with a different processID:

Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 2119 tty1 /usr/bin/Xorg :0 -nr -verbose -auth /var/run/gdm/auth-for-gdm-8c3IzH/database -nolisten tcp vt1
chkutmp: nothing deleted

Everything else on chkrootkit comes up normal, just like before.........

[Rubberman]

What would be the best way to disable this? (the X-window server listening for remote desktop connections).

I freshly installed my OS (Fedora 10) as it screwed up after playing with GRSECURITY. (Shortly after making my first post)

When I run chkrootkit again, the same process comes up, except with a different processID:

Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 2119 tty1 /usr/bin/Xorg :0 -nr -verbose -auth /var/run/gdm/auth-for-gdm-8c3IzH/database -nolisten tcp vt1
chkutmp: nothing deleted

Everything else on chkrootkit comes up normal, just like before.........

Well, you don't have any viruses or root kits. Be happy.
Now, run (as root) the command gdmsetup. That brings up the gdm configuration tool. Note that gdm is your display manager, and cannot be shut down, or you won't have any x-windows (AFAIK). However, in the gdmsetup window, you have a tab "Remote". Click on that. It should be set to "Remote login disabled". If it does, then you are ok. If not, set it to that. and press the "Close" button.

[Greg988]

Bummers. Gdmsetup does not exist in Fedora10.

I think they took it out after release 8.

Any other work-arounds?


Thanks!

[Rubberman]

Bummers. Gdmsetup does not exist in Fedora10.

I think they took it out after release 8.

Any other work-arounds?


Thanks!

Well, /etc/gdm contains the scripts and configuration files for gdm, though I haven't munged with them myself. You might find what you need in there.

[Greg988]

Well, /etc/gdm contains the scripts and configuration files for gdm, though I haven't munged with them myself. You might find what you need in there.

Ok. I'll look into this more. Is there a default port this service listens on? I should block this port for the time being??

[Rubberman]

Ok. I'll look into this more. Is there a default port this service listens on? I should block this port for the time being??

Check in /etc/services.