I ran chkrootkit on my ZorinOS with a 500GB SSD. What do you think of the results?

chkrootkit results:

Summary

sudo chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not found
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not found
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not found
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for rootkit HiDrootkit's default files... nothing found
Searching for rootkit t0rn's default files... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for rootkit Lion's default files... nothing found
Searching for rootkit RSHA's default files... nothing found
Searching for rootkit RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
The following suspicious files and directories were found:
/usr/lib/modules/5.15.0-113-generic/vdso/.build-id
/usr/lib/modules/5.15.0-117-generic/vdso/.build-id
/usr/lib/jvm/.java-1.11.0-openjdk-amd64.jinfo
/usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo
/usr/lib/.build-id
/usr/lib/python3/dist-packages/PyQt5/uic/widget-plugins/.noinit
/usr/lib/libreoffice/share/.registry
/usr/lib/modules/5.15.0-113-generic/vdso/.build-id
/usr/lib/modules/5.15.0-117-generic/vdso/.build-id
/usr/lib/.build-id
/usr/lib/libreoffice/share/.registry
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for Sh(censored letter i)tC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for Linux/Ebury - Operation Windigo ssh... nothing found
Searching for 64-bit Linux Rootkit ... nothing found
Searching for 64-bit Linux Rootkit modules... nothing found
Searching for Mumblehard Linux ... nothing found
Searching for Backdoor.Linux.Mokes.a ... nothing found
Searching for Malicious TinyDNS ... nothing found
Searching for Linux.Xor.DDoS ... nothing found
Searching for Linux.Proxy.1.0 ... nothing found
Searching for CrossRAT ... nothing found
Searching for Hidden Cobra ... nothing found
Searching for Rocke Miner ... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... You have 6 process hidden for readdir command
You have 6 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
wlp2s0: PACKET SNIFFER(/usr/sbin/NetworkManager[1738], /usr/sbin/wpa_supplicant[1749], /usr/sbin/wpa_supplicant[1749])
lxcbr0: not promisc and no packet sniffer sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... user testaccount deleted or never logged from lastlog!
user username123 deleted or never logged from lastlog!
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID          PID TTY    CMD
! usernam+     2726 tty2   /usr/lib/xorg/Xorg vt2 -displayfd 3 -auth /run/user/1000/gdm/Xauthority -nolisten tcp -background none -noreset -keeptty -novtswitch -verbose 3
! usernam+     2724 tty2   /usr/libexec/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODE=zorin /usr/bin/gnome-session --session=zorin
! usernam+     2736 tty2   /usr/libexec/gnome-session-binary --systemd --session=zorin
! usernam+  1172831 pts/0  bash
! root       1197948 pts/1  /bin/sh /usr/sbin/chkrootkit
! root       1200713 pts/1  ./chkutmp
! root       1200717 pts/1  ps axk tty,ruser,args -o tty,pid,ruser,args
! root       1200716 pts/1  sh -c ps axk "tty,ruser,args" -o "tty,pid,ruser,args"
! root       1197945 pts/1  sudo chkrootkit
! usernam+  1180155 pts/1  bash
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not tested


And here is Google Gemini A.I.'s opinion of the results:

Summary

The output of sudo chkrootkit shows a few potential issues:

  • Possible LKM Trojan: The warning "chkproc: Warning: Possible LKM Trojan installed" suggests that there might be a Loadable Kernel Module (LKM) rootkit on your system. LKM rootkits are particularly stealthy and difficult to detect.
  • Hidden Processes: The messages "You have 6 process hidden for readdir command" and "You have 6 process hidden for ps command" indicate that some processes are trying to hide themselves from the system's process listing tools. This is another potential sign of a rootkit or other malicious software.
  • Missing TTYs: The message "The tty of the following user process(es) were not found in /var/run/utmp !" lists several processes whose terminal devices (TTYs) are not properly registered. While this could be a benign issue, it's worth investigating further.
  • Deleted or Never Logged Users: The messages "user testaccount deleted or never logged from lastlog!" and "user username123 deleted or never logged from lastlog!" indicate that these user accounts exist but have either been deleted or have never logged in. This might be normal, but it's worth checking if you're unsure about these accounts.
  • Packet Sniffer: The message "wlp2s0: PACKET SNIFFER..." indicates that NetworkManager and wpa_supplicant are using packet sniffing on your wireless interface. This is usually normal behavior for network management and Wi-Fi connectivity, but it's something to be aware of.

Recommendations:

  1. Investigate Further: The "Possible LKM Trojan" and hidden processes are the most concerning findings. You should investigate these further to determine if they are legitimate or malicious. Consider using additional security tools or seeking help from a security professional.
  2. Review User Accounts: Check the "testaccount" and "username123" accounts to ensure they are legitimate and not remnants of a compromise. If you're unsure, consider deleting them or changing their passwords.
  3. Monitor Network Activity: Be mindful of the packet sniffing on your wireless interface. If you notice any unusual network activity, investigate it further.
  4. Stay Updated: Keep your system and software up-to-date to protect against known vulnerabilities that rootkits and other malware might exploit.
  5. Consider a Reinstall: If you're highly concerned about the potential compromise, consider backing up your data and reinstalling your operating system. This is the most thorough way to ensure your system is clean.

Important: Chkrootkit did not automatically delete anything. It only reported its findings. You'll need to take further action if you want to remove any potential threats.

Here is what Google Gemini 1.5 Pro's analysis had to say:

Summary

Let's break down the chkrootkit results and see what's what.
The Good News
• Mostly "Not Infected": The majority of your output shows "not infected" or "not found" for specific checks. This is a positive sign, suggesting that many common rootkit components haven't been detected.
• No Known Rootkits: chkrootkit actively searches for signatures and behaviors of known rootkits. You didn't get any hits for these, which is a good indication.
Points to Investigate (and Likely Benign)
• Suspicious Files/Directories: Let's address these one by one:
◦ /usr/lib/modules/...vdso/.build-id: These are related to your kernel (the core of your operating system) and are almost certainly safe. The ".build-id" helps with debugging.
◦ /usr/lib/jvm/...jinfo: Java Virtual Machine-related. If you use Java programs, these are expected.
◦ /usr/lib/.build-id: Another debugging aid, likely harmless.
◦ /usr/lib/python3/.../.noinit: Part of the Python programming language environment, likely fine.
◦ /usr/lib/libreoffice/share/.registry: LibreOffice configuration, not a security concern.
• Packet Sniffers: The tool flagged NetworkManager and wpa_supplicant as potential packet sniffers. This is normal. NetworkManager manages your network connections, and wpa_supplicant handles Wi-Fi security. They need to inspect network traffic to do their jobs correctly.
• Hidden Processes: The "6 processes hidden for readdir/ps" message from 'lkm' might seem alarming. However, modern Linux systems (especially those using systemd) often have processes that don't show up in traditional listings. This is more of a compatibility quirk with chkrootkit than a red flag.
• "User Deleted" Messages: The "user deleted or never logged from lastlog!" messages are likely due to how ZorinOS sets up (or cleans up after) temporary user accounts during installation or updates.
Important Considerations
• chkrootkit Limitations: chkrootkit is helpful, but it's not foolproof. Sophisticated rootkits can evade detection, and false positives are possible.
• System Updates: Ensure ZorinOS is fully updated. Security patches often address vulnerabilities that rootkits exploit.
Recommendations
1. Don't Panic: Based on the results, there's no immediate cause for alarm.
2. Further Investigation (Optional): If you want extra reassurance, consider these additional steps:
◦ Rootkit Hunter (rkhunter): Run sudo apt install rkhunter && sudo rkhunter -c. This tool complements chkrootkit with additional checks.
◦ Manual Inspection (Advanced): If you're comfortable with the Linux command line, you can manually inspect suspicious files listed by chkrootkit. Compare their hashes to known good versions or examine their contents.
In Summary: While chkrootkit found a few things worth noting, they are most likely benign and related to the normal operation of your ZorinOS system. Keep your system updated, and if you have any lingering doubts, the additional recommendations can provide further peace of mind.

Here's what ChatGPT 4o mini's analysis had to say:

Summary

From the output of chkrootkit that you provided, here’s a breakdown of what the results indicate:

  1. No Rootkits Detected: The output shows that no known rootkits were detected. This includes a wide range of known rootkits and malware, so this is a positive sign.

  2. Suspicious Files and Directories: There are a few files and directories listed under "suspicious files and dirs." These include:

    • /usr/lib/modules/5.15.0-113-generic/vdso/.build-id
    • /usr/lib/modules/5.15.0-117-generic/vdso/.build-id
    • /usr/lib/jvm/.java-1.11.0-openjdk-amd64.jinfo
    • /usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo
    • /usr/lib/.build-id
    • /usr/lib/libreoffice/share/.registry

    These files are typically not dangerous by themselves. For example:

    • .build-id directories are used by the Linux kernel and are not inherently suspicious.
    • .jinfo files are related to Java installations.
    • .registry in LibreOffice might be related to user settings.

    The presence of these files is usually normal, but if you are uncertain, you might want to verify their purpose and origin, especially if you have had unusual system behavior.

  3. LKM Trojan Warning: The report notes that there are processes hidden from the readdir and ps commands:

    • chkproc: Warning: Possible LKM Trojan installed

    This is a bit concerning. LKM (Loadable Kernel Module) Trojans are known to hide processes or files to avoid detection. However, in some cases, this could be due to legitimate system configurations or virtual environments.

  4. No Other Signs of Compromise: The absence of evidence for sniffer tools, backdoors, or other types of malware is a good sign.

Recommendations

  • Investigate Hidden Processes: The warning about hidden processes should be taken seriously. Verify if any legitimate processes or kernel modules could be causing this. Sometimes this can be caused by security features or virtualization.

  • Update and Scan: Ensure your system is fully updated and consider running a more comprehensive scan with additional tools (e.g., rkhunter or Lynis) to cross-check.

  • Check System Integrity: Review the files and directories listed under suspicious files. You can use tools like md5sum to verify their checksums against known good values if you have them.

  • Consult Logs: Review system logs for any unusual activity that might be related to the hidden processes or the suspicious files.

If you are uncertain or if suspicious activity persists, consider seeking advice from a security expert or performing a deeper forensic analysis of your system.
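A way to triage the "6 process hidden" / "Possible LKM Trojan" finding on the machine itself, as an added example that is not part of this post or of chkrootkit (whose chkproc check it mirrors): it builds the same three views of the process table, waits, and classifies each unlisted PID as a thread, a transient process, or a persistently hidden one. Run it as root so every /proc/<pid>/status is readable.

```python
#!/usr/bin/env python3
"""Triage chkrootkit's "N process hidden for readdir/ps command" warning.

chkproc compares three views of the process table: readdir(/proc), the
output of ps, and a kill(pid, 0) probe of every possible PID.  A PID that
answers the probe but is in neither listing is reported as hidden.  Two
benign things look exactly like that: threads (a TID answers kill() and
has a /proc/<tid> directory, but readdir and ps only list thread-group
leaders) and processes that start or exit between the snapshots.  Only a
PID that stays unlisted after a pause and is not a thread deserves the
"hidden" label.  Added example; not chkrootkit's own code.
"""
import os
import subprocess
import time


def parse_tgid(status_text):
    """Return the Tgid value from a /proc/<pid>/status body, or None."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return None


def classify(pid, listed, status_text):
    """Classify one PID that answered the kill(pid, 0) probe.

    listed      -- PIDs visible to readdir(/proc) or ps, re-collected after the pause
    status_text -- /proc/<pid>/status read after the pause, or None if the PID is gone
    """
    if pid in listed:
        return "listed"             # appeared late; it was still starting up
    if status_text is None:
        return "transient"          # exited between the snapshots
    tgid = parse_tgid(status_text)
    if tgid is not None and tgid != pid:
        return f"thread-of-{tgid}"  # a TID: never listed by readdir or ps
    return "hidden"                 # persistent, unlisted, not a thread: investigate


def listed_pids():
    """PIDs that readdir(/proc) or ps will show."""
    pids = {int(name) for name in os.listdir("/proc") if name.isdigit()}
    ps = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                        text=True, check=True).stdout
    pids.update(int(tok) for tok in ps.split())
    return pids


def probe_pids(pid_max):
    """PIDs that exist according to kill(pid, 0); EPERM still means 'exists'.

    Probing every PID up to pid_max (often 4194304) takes a few seconds.
    """
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def triage(pause=2.0):
    """Return {pid: classification} for every PID chkproc would call hidden."""
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    candidates = probe_pids(pid_max) - listed_pids()
    time.sleep(pause)               # let short-lived processes finish
    listed = listed_pids()
    result = {}
    for pid in sorted(candidates):
        try:
            with open(f"/proc/{pid}/status") as f:
                status = f.read()
        except OSError:             # gone (ESRCH/ENOENT) by the time we looked
            status = None
        result[pid] = classify(pid, listed, status)
    return result


if __name__ == "__main__":
    verdicts = triage()
    for pid, verdict in verdicts.items():
        print(f"{pid:>8}  {verdict}")
    hidden = [pid for pid, v in verdicts.items() if v == "hidden"]
    print(f"{len(verdicts)} unlisted PIDs, {len(hidden)} persistently hidden: {hidden}")
```

Threads and transients account for the usual handful on a desktop; for anything classified "hidden", /proc/<pid>/exe, /proc/<pid>/cmdline and its open sockets are the next things to look at.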

I have packet sniffing software installed on my Zorin and have used it recently. The problem is figuring out how to determine whether the Packet Sniffer it picks up is harmless or spyware/malware.
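One way to answer that question, as an added example that is not part of this thread or of chkrootkit (whose sniffer check does the same inode-to-process mapping): list every AF_PACKET socket from /proc/net/packet, which interface and Ethernet protocol it is bound to, the process that owns it, and whether dpkg knows the binary. It assumes a Debian-based system such as Zorin and needs root to see other users' file descriptors.

```python
#!/usr/bin/env python3
"""Explain a chkrootkit "PACKET SNIFFER(...)" line.

/proc/net/packet lists every AF_PACKET socket: the interface index it is
bound to (0 = all interfaces), the Ethernet protocol it asked for, and the
socket inode.  Walking /proc/<pid>/fd maps each inode back to a process,
which is the view chkrootkit summarises as "PACKET SNIFFER(...)".  The
question is then not whether a packet socket exists but what owns it:
wpa_supplicant bound to EAPOL on the Wi-Fi interface is its normal job,
whereas an unknown, package-less binary capturing every frame on all
interfaces is not.  Added example; not chkrootkit's own code.
"""
import os
import socket
import subprocess

# Ethernet protocol numbers from <linux/if_ether.h>
ETH_PROTO_NAMES = {
    0x0003: "ETH_P_ALL (every frame)",
    0x0800: "ETH_P_IP",
    0x0806: "ETH_P_ARP",
    0x888E: "ETH_P_PAE (EAPOL, Wi-Fi authentication)",
    0x88CC: "ETH_P_LLDP",
}


def parse_proc_net_packet(text):
    """Parse /proc/net/packet into (ifindex, proto, inode) tuples."""
    rows = []
    for line in text.strip().splitlines()[1:]:      # line 0 is the header
        cols = line.split()
        if len(cols) < 9:
            continue
        # columns: sk RefCnt Type Proto Iface R Rmem User Inode
        rows.append((int(cols[4]), int(cols[3], 16), int(cols[8])))
    return rows


def describe_proto(proto):
    return ETH_PROTO_NAMES.get(proto, f"0x{proto:04x}")


def iface_name(ifindex):
    if ifindex == 0:
        return "any"
    try:
        return socket.if_indextoname(ifindex)
    except OSError:
        return f"ifindex-{ifindex}"


def socket_owners(inodes):
    """Map socket inode -> {(pid, exe)} by reading /proc/<pid>/fd symlinks."""
    wanted = {f"socket:[{inode}]": inode for inode in inodes}
    owners = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        fd_dir = f"/proc/{name}/fd"
        try:
            fds = os.listdir(fd_dir)
        except OSError:             # process gone, or not readable without root
            continue
        for fd in fds:
            try:
                target = os.readlink(f"{fd_dir}/{fd}")
            except OSError:
                continue
            if target in wanted:
                try:
                    exe = os.readlink(f"/proc/{name}/exe")
                except OSError:
                    exe = "?"
                owners.setdefault(wanted[target], set()).add((int(name), exe))
    return owners


def package_of(exe):
    """Package that installed exe according to dpkg, or None if unowned.

    On merged-/usr systems dpkg may record the file as /sbin/... rather than
    /usr/sbin/..., so both spellings are tried.
    """
    candidates = [exe] + ([exe[4:]] if exe.startswith("/usr/") else [])
    for path in candidates:
        r = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True)
        if r.returncode == 0:
            return r.stdout.split(":", 1)[0]
    return None


def report():
    """One line per packet socket: interface, protocol, owner, package."""
    with open("/proc/net/packet") as f:
        rows = parse_proc_net_packet(f.read())
    owners = socket_owners({inode for _, _, inode in rows})
    lines = []
    for ifindex, proto, inode in rows:
        procs = owners.get(inode) or {(None, "unknown (rerun as root)")}
        for pid, exe in sorted(procs, key=str):
            path = exe.split(" ")[0]                # drop a trailing "(deleted)"
            pkg = package_of(path) if path.startswith("/") else None
            lines.append(f"{iface_name(ifindex):<10} {describe_proto(proto):<40} "
                         f"pid={pid} exe={exe} package={pkg or 'NONE'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()) or "no AF_PACKET sockets open")
```

A socket whose exe is "(deleted)", lives under /tmp or a home directory, or has package=NONE and is bound to ETH_P_ALL on "any" is the one worth a closer look; the NetworkManager and wpa_supplicant entries from the chkrootkit output above should show up package-owned.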

chkrootkit is known to have false positives. At the very least though, I would make sure you're aware of those users: username123 and testaccount.

1 Like

Interesting. I have never had any such results. I have had a couple of false positives/warnings when I have used it in the past, but no warnings of Trojans. How rootkit hunters work is they take a snapshot of what your system holds when it gets installed and run for the first time. If you install an application after you have installed and run chkrootkit for the first time you will get false positives. There is, however, a possible danger of introducing rootkits by installing third-party tarballs; these should be inspected before extracting, which I have covered in both Unofficial Manuals for Zorin 15 and 17.

I have just searched for "What are the vectors a rootkit uses to attack a Linux system?" (note I haven't used the term GNU/Linux: Linux, the kernel, is the element that is susceptible to rootkits) and found this article from Linux Magazine from November last year:

1 Like

@ovo , thanks! Yes, username123 and testaccount are my accounts. :slight_smile:

Did you also run Rkhunter?
(but note that can also throw up false positives)

2 Likes

@ovo , @swarfendor437 , @zabadabadoo , I just updated my post and also added the analyses of three different A.I.s: Google Gemini A.I., Google Gemini 1.5 Pro and ChatGPT 4o mini.

All three are different and the latter two are very interesting.

2.) No, I haven't run Rkhunter yet, but I already plan to :slight_smile:

1 Like

Interesting, and more or less what I expected to read, i.e. chkrootkit found no rootkits and deleted nothing; the other warnings can also be explained.

Under Zorin>Settings>Privacy, do you have the Wi-Fi checker enabled? Maybe try disabling it.

Cross-reference your chkrootkit findings with Rkhunter.

Rkhunter commands I currently use in sequence are:
(No longer use update as gives error. Update via Synaptic Package Manager)

sudo rkhunter --propupd --pkgmgr dpkg

> sudo rkhunter --update

sudo rkhunter --check --pkgmgr dpkg

sudo less /var/log/rkhunter.log

3 Likes

@zabadabadoo , thanks! and what does this below mean??

[image]

See this thread. Pings every 5 minutes

1 Like

Here are my rkhunter test results:

https://pastebin.com/raw/uERJPtLh

I have to use pastebin.com because the Zorin forum humorously flags certain words, haha:

Here is gemini 1.0's analysis of it:

Summary

The rkhunter scan report does not indicate any direct evidence of malicious activity or rootkit infections on the system. However, there are a few points that warrant further investigation:

Suspicious Shared Memory Segment: The scan flagged a warning about the /usr/bin/nemo process using a large amount of shared memory (16MB), exceeding the configured limit of 1MB. While this could be a configuration or performance issue with the Nemo file manager, it's worth investigating further to rule out any potential security implications.
Hidden Directory: The scan also identified a hidden directory /etc/.java. Hidden directories are not inherently malicious, but they can sometimes be used to conceal malicious files or configurations. It's recommended to examine the contents of this directory to ensure it doesn't contain any suspicious files or scripts.
Disabled Tests: The report mentions that several tests were disabled at the user's request, including suspscan, hidden_ports, hidden_procs, deleted_files, packet_cap_apps, and apps. While there might be legitimate reasons to disable these tests, it's important to understand that doing so reduces the scan's comprehensiveness and could potentially allow certain threats to go undetected.
Overall, the rkhunter scan results suggest that the system is likely secure. However, it's crucial to address the flagged warning and investigate the hidden directory to ensure the system's integrity. Additionally, consider enabling the disabled tests in future scans to enhance the detection capabilities of rkhunter.

Here is gemini 1.5 pro's analysis of it:

Summary

You're right to be cautious! After a more thorough analysis, there are a number of red flags within the rkhunter log that strongly suggest your system may be compromised. While rkhunter didn't explicitly flag them as rootkits, the presence of these files and directories is highly unusual and consistent with known malware behavior.

Here's a breakdown of the most concerning findings:

Suspicious Strings:

Rkhunter repeatedly scanned for numerous strings related to known rootkits (e.g., '/usr/sbin/ntpsx', '/usr/sbin/.../bkit-ava', '/usr/lib/.../bkit-adore.o', '/tmp/.bkp', '/lib/.sso', etc.). The fact that rkhunter is checking for these specific strings in the first place is a sign that the rkhunter database considers them indicators of compromise. Even though it reports "OK" for each string, this is concerning. It suggests that rkhunter found these strings within system files but didn't recognize them as belonging to a specific known rootkit.

Many of these strings indicate attempts to hide files and directories using unusual naming conventions (e.g., '/usr/sbin/...', '/usr/lib/...', '/dev/.lib/lib/lib', etc.). This is a common tactic employed by rootkits.

Possible Rootkit Files and Directories:

While rkhunter reported "None found" for most of the specific rootkit names, it's important to pay attention to the "Performing check of possible rootkit files and directories" section. Rkhunter checked for a vast number of files and directories with unusual names or locations. The fact that it is checking for these files is a bad sign in itself. These names often suggest malicious intent (e.g., '/dev/hdx', '/dev/ptyy', '/tmp/.syshackfile', '/usr/lib/libhidefile.so', '/etc/ssh/.sshd_auth', '/var/run/.defunct', '/usr/bin/pojie', etc.).

What to Do:

Do NOT assume your system is safe. The "OK" results from rkhunter for these files are not reassuring. The tool may not have recognized the specific rootkit variant.

Back up essential data immediately. Only back up files you are confident are not infected. Ideally, use a separate, clean system for the backup.

Seek expert assistance. If you are not comfortable with advanced system analysis, it's highly recommended to consult a security professional. They can perform a more in-depth investigation and help you remediate the issue.

Consider a clean reinstallation. The most reliable way to ensure your system is clean is to wipe your hard drive and reinstall Zorin OS from a trusted source.

Important Notes:

This analysis is based solely on the provided rkhunter log. A full investigation would involve examining your system in more detail.

Rkhunter is a valuable tool, but it's not foolproof. It relies on a database of known rootkit signatures, which can be outdated. New or unknown rootkits may evade detection.

It's unfortunate to have to deal with a potential compromise, but it's essential to take these findings seriously and act quickly to protect your data and system.

GPT-4o-Mini-128k's analysis:

Summary

Based on the content of the "rkhunter results.txt," here’s an analysis of the findings:

Summary of Findings

  1. Rootkit Checks:

    • All rootkits checked returned as "Not found," meaning no known rootkits were detected on the system. This includes common rootkits like Adore, Suckit, and others.
  2. Warnings:

    • A warning was issued regarding a hidden directory: /etc/.java. This could indicate potential obfuscation or malicious activity, as hidden directories can be used to store unauthorized files.
  3. File Properties Checks:

    • All required system commands were found and checked successfully, indicating that the system is operational without suspicious modifications to core commands.
  4. Network Checks:

    • No suspicious ports were found, and no backdoor ports were detected. This is a positive sign for network security.
  5. Malware Checks:

    • No malware was found during the checks, and no suspicious running processes were detected.
  6. System Configurations:

    • The system logging daemon (rsyslog) and other configuration files were found and in order, but the SSH configuration file was not found, which might require further investigation.

Conclusion

Overall, the rkhunter output suggests that the system is in good standing, with no rootkits, malware, or suspicious network activity found. However, the hidden directory (/etc/.java) should be investigated further to ensure it is legitimate and does not pose a security risk.

@zabadabadoo ,

I turned off "Connectivity Checking" as you suggested (Zorin>Settings>Privacy).

Here are the results:

https://pastebin.com/raw/r9KZh98e

Here is Google Gemini 1.0 A.I.'s analysis:

Summary

The chkrootkit scan results show a few points of concern that warrant further investigation:

  1. Hidden Processes: The output "You have 75 processes hidden for readdir command" and "You have 75 processes hidden for ps command" suggests that there might be processes attempting to conceal themselves, which is a common tactic used by rootkits. The subsequent "chkproc: Warning: Possible LKM Trojan installed" reinforces this concern, as LKM (Loadable Kernel Module) trojans can manipulate the kernel to hide their presence.

  2. Suspicious Files and Directories: The scan flagged several files and directories as suspicious. While some of these might be false positives, they should be examined more closely to determine their purpose and origin. The presence of .build-id files in unexpected locations like /usr/lib/modules/.../vdso/ could indicate modifications to system libraries. Similarly, the .registry file within the LibreOffice directory might be associated with unauthorized software installations or configuration changes.

  3. Network Activity: The output "wlp2s0: PACKET SNIFFER(/usr/sbin/wpa_supplicant[1868], /usr/sbin/wpa_supplicant[1868])" indicates that the wpa_supplicant process is operating in packet sniffing mode. While this might be legitimate for network troubleshooting or monitoring, it's crucial to ensure it's not being used for malicious purposes like capturing sensitive data.

  4. User Anomalies: The messages "user testaccount deleted or never logged from lastlog!" and "user username123 deleted or never logged from lastlog!" suggest potential inconsistencies in user account records. This could be a sign of unauthorized access or attempts to cover tracks.

  5. Missing TTY Information: The "chkutmp: The tty of the following user process(es) were not found in /var/run/utmp" message, along with the list of processes, indicates a discrepancy between running processes and the system's record of user sessions. This could be another indicator of processes trying to evade detection.

Recommendations:

  • Further Investigation: The identified concerns require deeper analysis to determine if they represent actual threats. Manual inspection of the suspicious files, network traffic analysis, and review of system logs can help ascertain their legitimacy.
  • Consider Additional Tools: chkrootkit is a valuable tool, but it's not foolproof. Employing other rootkit detection tools and techniques can provide a more comprehensive assessment of the system's security.
  • Security Best Practices: Ensure the system is up-to-date with the latest security patches, use strong passwords, and restrict user privileges to minimize the potential impact of any compromise.

Overall, the chkrootkit results suggest potential indicators of compromise that necessitate further investigation. It's crucial to take these findings seriously and conduct a thorough analysis to ensure the system's integrity.

Here is Google Gemini 1.5 Pro's analysis:

Summary

Let's break down those results. While some things look a bit unusual, most are not necessarily cause for major alarm on their own. Here's a detailed analysis:

Not Concerning (Mostly Expected):

Many "not found" messages: This is normal. chkrootkit checks for many tools, some of which are uncommon or not installed by default on ZorinOS.

"no suspect files" for various rootkits: This is good! It means chkrootkit didn't find files associated with those specific threats.

Suspicious files:

The paths in /usr/lib/modules/ and /usr/lib/.build-id relate to kernel modules and build information—likely not malicious.

/usr/lib/libreoffice/share/.registry is related to LibreOffice configuration and also probably benign.

/usr/lib/jvm/... paths are part of the Java runtime and likely fine unless you have specific concerns about Java security.

"lo: not promisc and no packet sniffer sockets": Your loopback interface (lo) is fine.

"chkwtmp: nothing deleted": No signs of tampering with login records.

"user testaccount deleted or never logged from lastlog!": This is expected if you have a user account that hasn't logged in yet.

Potentially Concerning (Needs Further Investigation):

"You have 75 process hidden for readdir command" and "You have 75 process hidden for ps command": This is the most unusual finding. It could indicate a rootkit trying to hide processes, but it's also possible this is a false positive due to how ZorinOS or certain system tools are configured.

"chkproc: Warning: Possible LKM Trojan installed": This is linked to the hidden process issue. An LKM Trojan is a kernel-level rootkit.

"wlp2s0: PACKET SNIFFER(/usr/sbin/wpa_supplicant[1868], /usr/sbin/wpa_supplicant[1868])": This indicates your wireless interface (wlp2s0) has a process (wpa_supplicant) capable of capturing network traffic. This is usually normal, as wpa_supplicant is responsible for Wi-Fi connections. However, it's worth double-checking if this process is legitimate or if anything else looks suspicious in your network activity.

Missing TTYs: The message about user processes with TTYs not found in /var/run/utmp is a bit unusual, but it could be due to how ZorinOS manages user sessions or background processes. It's worth investigating but not necessarily a critical threat on its own.

Recommendations:

Don't Panic: While the "hidden process" and "LKM Trojan" warnings are concerning, don't jump to conclusions. False positives with chkrootkit are possible.

Further Investigation:

Process Analysis: Use a tool like htop or ps aux to examine your running processes. Look for anything suspicious, especially processes running with root privileges (UID 0) that you don't recognize.

Network Monitoring: Consider using a tool like tcpdump or Wireshark (with caution!) to briefly monitor your network traffic. Look for any unusual outgoing connections, especially if you're not actively using the internet.

Rootkit-Specific Scans: Try other well-regarded rootkit detection tools (e.g., rkhunter, Sophos Anti-Rootkit) to see if they flag similar issues.

Security Best Practices: Even if the findings turn out to be benign, now is an excellent time to review and strengthen your system security:

Update ZorinOS: Ensure you have the latest security patches installed.

Strong Passwords: Use unique and complex passwords for all user accounts.

Firewall: Make sure your ZorinOS firewall is enabled and configured properly.

Antivirus/Anti-malware: Consider using a reputable antivirus or anti-malware program for additional protection and regular scans.

Seek Expert Help: If you're unsure about any findings or are uncomfortable performing the investigations above, consider seeking help from a cybersecurity professional or a trusted Linux expert.

Remember, staying proactive about security is key! Even if you don't find anything malicious this time, maintaining good security habits will significantly reduce your risks in the future.

Here is ChatGPT 4o mini's analysis:

Summary

Based on the chkrootkit results you provided, here are the key points to consider:

  1. Root Privileges Required: The command was run with sudo, which is necessary for a comprehensive scan.

  2. Not Infected Checks: Most checks (e.g., basename, cron, grep, etc.) returned "not infected," which is a positive sign.

  3. Suspicious Files Found:

    • Several suspicious files and directories were identified:
      • /usr/lib/modules/5.15.0-113-generic/vdso/.build-id
      • /usr/lib/jvm/.java-1.11.0-openjdk-amd64.jinfo
      • /usr/lib/libreoffice/share/.registry
    • While these files are not definitive indicators of infection, their presence warrants further investigation.
  4. Hidden Processes:

    • The scan detected that 75 processes are hidden from commands like readdir and ps, which is concerning. This could indicate a rootkit or other malicious activity, as it suggests that some processes are deliberately concealed.
  5. Warning for LKM Trojan: The message about a possible Loadable Kernel Module (LKM) Trojan raises significant concern. This indicates the potential presence of a rootkit that can hide processes and files and manipulate system operations.

  6. User Deletions: There are indications that certain users have been deleted or have never logged in, which could suggest unauthorized activity.

  7. No Other Malware Detected: The scan did not find any known worms, trojans, or other malicious software types besides the warning about hidden processes.

Recommendations:

  • Immediate Action: Given the hidden processes and the indication of a potential LKM Trojan, it's advisable to investigate further:

    • Check for any unfamiliar processes or network activity.
    • Consider using additional tools for malware detection (e.g., rkhunter, malwarebytes).
    • Review system logs for any unauthorized access or unusual activity.
  • Backup Important Data: Ensure you have backups of any critical data in case the situation escalates.

  • Consider Reinstallation: If you confirm malicious activity, it may be safer to back up data and perform a clean installation of the operating system.

In conclusion, while many checks came back clean, the signs of hidden processes and a potential LKM Trojan warrant serious concern and prompt action.

Your Rkhunter log looks OK to me. The 1 Warning relates to "suspicious (large) shared memory segments":

[17:10:17] Warning: The following suspicious (large) shared memory segments have been found:
[17:10:18] Process: /usr/bin/nemo PID: 1020741 Owner: username12 Size: 16MB (configured size allowed: 1.0MB)

I get similar, but for nautilus. I regard that Warning as a false positive.

Chkrootkit also found nothing and deleted nothing.
I am no expert on Rkhunter or Chkrootkit but suspect AI is not much better but their written output appears more compelling/convincing or even scary than maybe it should.

PS: Malwarebytes is good for Windows, but not available on Linux.

1 Like

@zabadabadoo , thanks! I was wondering if I could use Malwarebytes with Linux; now I know.

I installed and used ESET Endpoint Antivirus for Linux. It worked well, but there are literally no settings for it that I can find, and it will quarantine and remove files that are merely false alarms; because of that I can't use it! :frowning: I need to configure it so that it will only notify of detected potentially dangerous files.