  1. #1
    Just Joined!
    Join Date
    Oct 2012
    Posts
    1

    Hacked CentOS 5 server - possible rootkit installed?


    I am running CentOS 5.3 and here is the result of "chkrootkit":

    Code:
    Possible t0rn v8 \(or variation\) rootkit installed
    
    Warning: Possible Showtee Rootkit installed
     /usr/include/file.h /usr/include/proc.h
    Warning: `//root/.mysql_history' file size is zero
    INFECTED (PORTS:  465)
    You have    61 process hidden for readdir command
    You have    62 process hidden for ps command
    chkproc: Warning: Possible LKM Trojan installed
     The tty of the following user process(es) were not found
     in /var/run/utmp !
    ! RUID          PID TTY    CMD
    ! root         3040 tty2   /sbin/mingetty tty2
    ! root         3041 tty3   /sbin/mingetty tty3
    ! root         3042 tty4   /sbin/mingetty tty4
    ! root         3043 tty5   /sbin/mingetty tty5
    ! root         3046 tty6   /sbin/mingetty tty6

    I don't understand what the warnings mean.

    Is the server infected or in danger?

  2. #2
    Super Moderator Roxoff
    Join Date
    Aug 2005
    Location
    Nottingham, England
    Posts
    3,929
    It certainly looks like it. If it were my server I'd take absolutely no risks. I'd offline the server, wipe it, reinstall and restore my data from backups. I also wouldn't connect the new server to the internet until I'd taken basic security measures to prevent this happening again.
    Linux user #126863 - see http://linuxcounter.net/

  3. #3
    Linux Engineer
    Join Date
    Apr 2012
    Location
    Virginia, USA
    Posts
    917
    Google says these may be false alarms. Check with another rootkit detector if you don't trust those findings.

  4. #4
    Just Joined!
    Join Date
    Aug 2009
    Posts
    83
    Quote Originally Posted by dand:
    I am running CentOS 5.3
    Then you're behind the times. CentOS is at 5.8 now. If you didn't know that then I wonder if there's more software on the machine that hasn't been updated or which other security best practices you didn't know about.


    Quote Originally Posted by dand:
    Code:
    /usr/include/file.h /usr/include/proc.h
    Have you actually checked if the /usr/include/file.h and /usr/include/proc.h files exist and what their contents are?


    Quote Originally Posted by dand:
    Code:
    Warning: `//root/.mysql_history' file size is zero
    Is that file supposed to be empty?


    Quote Originally Posted by dand:
    Code:
    INFECTED (PORTS:  465)
    Have you checked what process is using that port?
    Code:
    lsof -Pwln -i :465
    #or 
    fuser -vn tcp 465
    #or even worse
    netstat -antulpe|grep 465

    Quote Originally Posted by dand:
    Code:
    You have    61 process hidden for readdir command
    You have    62 process hidden for ps command
    chkproc: Warning: Possible LKM Trojan installed
    Are you running a shared host or virtualization guest?


    Quote Originally Posted by dand:
    Code:
     The tty of the following user process(es) were not found
     in /var/run/utmp !
    This may be a false positive. See the Chkrootkit FAQ.

    Have you had any other or has this machine been cracked before? Is there anything else "odd" about this server's behavior? Is there anything else you should have mentioned?
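The checks reply #4 asks for, collected into one triage script. This is an added example written for this thread; it is not code from the forum, from chkrootkit or from CentOS. The paths (/usr/include/file.h, /usr/include/proc.h) and the port (465) are the ones in the chkrootkit output above; the function names are this example's own. The hidden_pids function reproduces what chkproc does to produce the "process hidden for readdir/ps" lines: it compares the PIDs visible as directories in /proc with the PIDs ps reports, so the logic can be exercised on constructed PID lists and then run against the live host.

```shell
#!/bin/sh
# Added triage helpers (example code, not from the thread or from chkrootkit).
# Usage: sh triage.sh --run   (or source the file and call the functions).

# chkproc-style comparison. $1: PIDs seen by reading /proc; $2: PIDs reported
# by ps (whitespace- or newline-separated). Prints the PIDs present in $1 but
# absent from $2, one per line, ascending. A clean host prints nothing.
hidden_pids() {
    {
        printf '%s\n' "$2" | tr -s ' \t' '\n\n' | sed 's/^/ps /'
        printf '%s\n' "$1" | tr -s ' \t' '\n\n' | sed 's/^/proc /'
    } | awk '$2 !~ /^[0-9]+$/ { next }
             $1 == "ps"   { seen[$2] = 1; next }
             $1 == "proc" && !($2 in seen) { print $2 }' | sort -n
}

# Live snapshot helpers (Linux only): directory names in /proc vs ps output.
proc_pids() { ls -1 /proc | grep -E '^[0-9]+$'; }
ps_pids()   { ps -e -o pid= | tr -d ' '; }

# Reply #4 asks whether the two flagged headers exist. Before reading them,
# ask the package database who owns each path: a header under /usr/include
# that no RPM owns is the one worth opening first.
check_file_owner() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "missing"
    elif ! command -v rpm >/dev/null 2>&1; then
        echo "present (rpm unavailable, ownership unknown)"
    elif pkg=$(rpm -qf "$f" 2>/dev/null); then
        echo "owned: $pkg"
    else
        echo "present, unowned by any package"
    fi
}

run_triage() {
    for f in /usr/include/file.h /usr/include/proc.h; do
        echo "$f: $(check_file_owner "$f")"
    done

    # Two passes a second apart: a PID that shows up in only one pass belongs
    # to a process that started or exited between the snapshots, which is the
    # usual source of a one-off readdir/ps mismatch. Keep only PIDs in both.
    first=$(hidden_pids "$(proc_pids)" "$(ps_pids)")
    sleep 1
    second=$(hidden_pids "$(proc_pids)" "$(ps_pids)")
    stable=$(printf '%s\n%s\n' "$first" "$second" | sort -n | uniq -d)
    if [ -n "$stable" ]; then
        echo "PIDs in /proc but missing from ps on both passes: $stable"
        for p in $stable; do
            echo "  $p: $(tr '\0' ' ' < "/proc/$p/cmdline" 2>/dev/null)"
        done
    else
        echo "no stable /proc vs ps discrepancy"
    fi

    # Port 465 is what chkrootkit flagged; it is also the standard SMTPS port,
    # so identify the owning process (as reply #4 suggests) before reading
    # more into it.
    echo "listener on tcp/465:"
    fuser -vn tcp 465 2>&1 || echo "  nothing listening (or fuser unavailable)"
}

case "${1:-}" in
    --run) run_triage ;;
esac
```

On an OpenVZ or similar shared-kernel guest, ps inside the container and /proc can legitimately disagree about PIDs belonging to the host, which is why reply #4 asks about virtualization; the two-pass intersection removes the timing noise but not that container effect, so read the cmdline of any stable PID before deciding.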
