

how to remove LKM trojan?




Posted by akasharya, 09-13-2010, 04:49 AM
I am getting the following in my scan result:

    [root@12ta ~]/root/chkrootkit.sh | grep -v .packlist
    /var/www/mrtg/tcp.log
    /usr/lib/php/.channels
    /usr/lib/php/.channels/.alias
    /usr/lib/php/.registry
    /usr/lib/php/.registry/.channel.__uri
    /usr/lib/php/.registry/.channel.pecl.php.net
    INFECTED (PORTS: 465)
    You have 3 process hidden for ps command
    chkproc: Warning: Possible LKM Trojan installed

How can I confirm whether this warning is true or not, and if it is true, how do I remove this trojan? Please help.

Posted by madaboutlinux, 09-13-2010, 05:02 AM
It is a false alarm and is generated when a process is killed and initiated when chkrootkit is running. It is safe to ignore the "INFECTED (PORTS: 465)" warning as well.

Posted by akasharya, 09-13-2010, 05:08 AM
Thanks for the help. I am also about 90% sure that it is a false warning, but is there any way to confirm it? One more thing about the output of the result: I reran the command and this time I only get this:

    /root/chkrootkit.sh | grep -v .packlist
    /var/www/mrtg/tcp.log
    /usr/lib/php/.channels
    /usr/lib/php/.channels/.alias
    /usr/lib/php/.registry
    /usr/lib/php/.registry/.channel.__uri
    /usr/lib/php/.registry/.channel.pecl.php.net
    INFECTED (PORTS: 465)

It is a little different from the first one.

Posted by LnxtecH, 09-13-2010, 07:18 PM
You may check /proc manually and confirm there are no suspicious processes. And you didn't get the error the second time since there weren't any processes/threads created and destroyed while chkrootkit was running.
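
One way to do the manual /proc check suggested above, as an added example that is not part of the original thread and is not chkrootkit's own code: it compares direct /proc/<id> lookups against what ps reports, then looks a second time so that processes which only started or exited during the scan drop out. The function names are hypothetical; it assumes a Linux host with procps `ps`, `mktemp` and `comm`.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check /proc against ps.

# diff_pids A B: print the IDs listed in file A that are absent from file B.
diff_pids() {
    d=$(mktemp -d) || return 1
    sort -u "$1" > "$d/a"
    sort -u "$2" > "$d/b"
    comm -23 "$d/a" "$d/b"
    rm -rf "$d"
}

# ps_ids: every thread ID ps can see. -L matters: /proc/<tid> answers a
# direct lookup for ordinary threads too, and they are not hidden processes.
ps_ids() {
    ps -eLo lwp= | tr -d ' '
}

# proc_ids: every ID from 1 to pid_max whose /proc/<id> directory exists.
# Direct lookups are used instead of listing /proc.
proc_ids() {
    max=$(cat /proc/sys/kernel/pid_max)
    id=1
    while [ "$id" -le "$max" ]; do
        if [ -d "/proc/$id" ]; then echo "$id"; fi
        id=$((id + 1))
    done
}

# find_hidden: report IDs still present in /proc and still missing from ps
# after a second look, which filters out processes that merely started or
# exited during the scan (the false alarm described in the thread).
find_hidden() {
    w=$(mktemp -d) || return 1
    ps_ids > "$w/ps1"
    proc_ids > "$w/proc"
    diff_pids "$w/proc" "$w/ps1" > "$w/cand"
    sleep 2
    ps_ids > "$w/ps2"
    diff_pids "$w/cand" "$w/ps2" | while read -r id; do
        if [ -d "/proc/$id" ]; then
            echo "$id $(cat "/proc/$id/comm" 2>/dev/null)"
        fi
    done
    rm -rf "$w"
}

# Run the scan only when asked: sh script.sh scan
if [ "${1:-}" = scan ]; then find_hidden; fi
```

An empty result only shows that ps and /proc agree on this running system; a loaded kernel module can hide a process from both, so a system that is still in doubt should be examined from trusted boot media.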


