Gentoo Forums
[solved] whitelist / remove false positives on chkrootkit
Elleni (Veteran; joined 23 May 2006; posts: 1073)
Posted: Sun Dec 15, 2019 10:43 pm    Post subject: [solved] whitelist / remove false positives on chkrootkit

I activated a cronjob for rkhunter after configuring it to the point where it did not produce any false positives anymore. Now I am wondering how to do the same for chkrootkit, as it shows two apparently false positives:

Code:
Checking `bindshell'... INFECTED PORTS: ( 465)


Code:
Checking `lkm'... find: ‘/proc/16477’: Datei oder Verzeichnis nicht gefunden
find: ‘/proc/16481’: Datei oder Verzeichnis nicht gefunden
find: ‘/proc/16482’: Datei oder Verzeichnis nicht gefunden
You have     2 process hidden for readdir command
You have     2 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed


Trying to run once again with LC_ALL=C to get non-German output, on the second run there was no LKM Trojan false positive anymore. "Datei oder Verzeichnis nicht gefunden" means "file or folder not found".

I would only like to activate a cronjob after getting rid of false positives, so they will not generate a mail every time the cronjob is executed.


Last edited by Elleni on Fri Dec 27, 2019 9:29 pm; edited 1 time in total
Ant P. (Watchman; joined 18 Apr 2009; posts: 6474)
Posted: Sun Dec 15, 2019 11:12 pm

chkrootkit is a shell script; you can easily comment out checks you don't want to see.
Elleni (Veteran; joined 23 May 2006; posts: 1073)
Posted: Sun Dec 15, 2019 11:44 pm

Hi Ant P. Thanks for the pointer, I removed port 465 from the bindshell search and got rid of that false positive. Now on the last run lkm chkproc says nothing detected again, which I do not understand, as it was found on the first run. And so I don't know if there is anything to do when it comes up again.

Then I also have this:
Code:
Searching for suspicious files and dirs, it may take a while...
/lib/rc/tmp/.keep_sys-apps_openrc-0


How would I eliminate those?
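One way to get a quiet cronjob without editing the chkrootkit script itself, as an added example that is not part of the thread or of chkrootkit: a wrapper that forces a C locale, drops the transient /proc noise from chkproc, filters findings listed in a whitelist file, and mails only what is left. The whitelist path /etc/chkrootkit.whitelist, the script name and the "run" argument are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread or from chkrootkit: a cron wrapper that
# forces English output, drops findings listed in a whitelist file, and only
# mails root when something unexpected remains. The whitelist path and the
# "run" argument are names chosen for this example.
WHITELIST="${WHITELIST:-/etc/chkrootkit.whitelist}"
MAILTO="${MAILTO:-root}"

# Read a chkrootkit report on stdin; print only the lines that are not
# explained away.  Two things are dropped:
#   1. "find: /proc/NNNN: No such file or directory" noise from processes
#      that exited while chkproc was walking /proc (transient, not hidden);
#   2. any line containing a fixed string from the whitelist file, one per
#      line, '#' comments allowed, e.g.:
#        INFECTED PORTS: ( 465)
#        /lib/rc/tmp/.keep_sys-apps_openrc-0
# Exact strings such as "( 465)" keep "( 465 31337)" visible, and the
# "chkproc: Warning" / "process hidden" lines are never dropped here, so a
# real hidden process still gets reported.
filter_report() {
    awk -v wl="$WHITELIST" '
        BEGIN { n = 0
                while ((getline line < wl) > 0)
                    if (line !~ /^(#|$)/) pat[n++] = line
                close(wl) }
        /^find: .*\/proc\/[0-9]+.*: No such file or directory/ { next }
        { for (i = 0; i < n; i++) if (index($0, pat[i])) next; print }'
}

# Run chkrootkit in quiet mode (-q: only infected/warning lines) with a C
# locale so messages are in English and match the patterns above.
run_check() {
    LC_ALL=C chkrootkit -q 2>&1 | filter_report
}

main() {
    out=$(run_check)
    if [ -n "$out" ]; then
        printf '%s\n' "$out" | mail -s "chkrootkit findings on $(hostname)" "$MAILTO"
    fi
}

# Cron entry (assumed path): 0 4 * * * /usr/local/sbin/chkrootkit-cron.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Review the whitelist file whenever a package or service changes, since an entry that was benign on one host hides the same string everywhere the file is copied.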