Have I got a trojan?
Q I'm running a Debian unstable-based distribution, with chkrootkit for security reasons. It recently gave me a message that reads: "lkm you have 2 process hidden for readdir you have 2 process hidden for ps command warning possible LKM trojan installed". Does anyone know a well-reputed trojan remover for Linux? Does anyone else get messages like this? How would I remove them?
A It's not unusual for chkrootkit to throw up some false positives if it isn't compiled against the specific kernel build being used. With some recent kernels, there are kernel-space processes that throw up false positives and chkrootkit will identify them as being possible trojans. A great way to test the system for malicious processes is with the kstat utility, which can give a list of processes that the kernel knows about as opposed to those picked up by ps. These two lists can then be compared and any malicious processes identified. There are quite a few Linux trojans that install modules and startup processes to perform a variety of malicious activities. However, they generally throw up other red flags in chkrootkit, such as changed system binaries. If you have any concerns that a system is compromised, booting from Knoppix or another rescue disk, or simply using the busybox binary to execute ps and ensure that it isn't compromised, will reassure you that your system is safe.
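The comparison the answer describes can be scripted without kstat. The following is an added example, not code from the original answer, and stands in for the kstat utility it mentions: it contrasts the kernel's view of processes (read directly from /proc, both by listing it and by probing each possible PID) with what ps reports, and repeats the check several times so that processes which exit between two listings are not mistaken for hidden ones. It assumes a Linux host with /proc mounted; the PS_BINARY name is a placeholder that can be pointed at a rescue-disk or busybox copy of ps.

```python
"""Compare the kernel's view of processes with the one ps reports.

Added example, not part of the original answer and not the kstat tool it
mentions. Assumes Linux with /proc mounted and a `ps` binary on the path;
set PS_BINARY to a known-good copy (rescue disk, busybox) if the installed
one is not trusted.
"""
import os
import subprocess

PS_BINARY = "ps"  # placeholder; e.g. "/mnt/rescue/bin/ps"


def pids_via_readdir():
    """PIDs visible by listing /proc, i.e. what readdir-based tools see."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_via_probe(pid_max):
    """PIDs found by stat()ing /proc/<pid> directly for every possible PID.
    A module that only filters directory listings still answers the
    direct lookup, so this can expose entries missing from readdir."""
    return {pid for pid in range(1, pid_max + 1) if os.path.exists("/proc/%d" % pid)}


def pids_via_ps():
    """PIDs reported by the (possibly untrusted) ps binary."""
    out = subprocess.run([PS_BINARY, "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(kernel_view, tool_view):
    """PIDs present in the kernel's view but absent from the tool's view."""
    return sorted(set(kernel_view) - set(tool_view))


def stable_hidden(snapshot, samples=3):
    """Keep only PIDs reported hidden in every sample, so short-lived
    processes that exit between two listings (a common false positive)
    drop out. `snapshot` is a callable returning one list of hidden PIDs."""
    result = None
    for _ in range(samples):
        current = set(snapshot())
        result = current if result is None else result & current
    return sorted(result)


if __name__ == "__main__":
    pid_max = int(open("/proc/sys/kernel/pid_max").read())
    print("hidden from ps:     ", stable_hidden(lambda: hidden_pids(pids_via_readdir(), pids_via_ps())))
    print("hidden from readdir:", stable_hidden(lambda: hidden_pids(pids_via_probe(pid_max), pids_via_readdir())))
```

Probing every PID up to pid_max takes a few seconds on systems where pid_max is raised to 4194304; an empty list from both checks is the expected result on a clean machine.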