chkrootkit results:
sudo chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not found
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not found
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not found
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for rootkit HiDrootkit's default files... nothing found
Searching for rootkit t0rn's default files... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for rootkit Lion's default files... nothing found
Searching for rootkit RSHA's default files... nothing found
Searching for rootkit RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/modules/5.15.0-113-generic/vdso/.build-id /usr/lib/modules/5.15.0-117-generic/vdso/.build-id /usr/lib/jvm/.java-1.11.0-openjdk-amd64.jinfo /usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo /usr/lib/.build-id /usr/lib/python3/dist-packages/PyQt5/uic/widget-plugins/.noinit /usr/lib/libreoffice/share/.registry
/usr/lib/modules/5.15.0-113-generic/vdso/.build-id /usr/lib/modules/5.15.0-117-generic/vdso/.build-id /usr/lib/.build-id /usr/lib/libreoffice/share/.registry
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for Sh(censored letter i)tC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for Linux/Ebury - Operation Windigo ssh... nothing found
Searching for 64-bit Linux Rootkit ... nothing found
Searching for 64-bit Linux Rootkit modules... nothing found
Searching for Mumblehard Linux ... nothing found
Searching for Backdoor.Linux.Mokes.a ... nothing found
Searching for Malicious TinyDNS ... nothing found
Searching for Linux.Xor.DDoS ... nothing found
Searching for Linux.Proxy.1.0 ... nothing found
Searching for CrossRAT ... nothing found
Searching for Hidden Cobra ... nothing found
Searching for Rocke Miner ... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... You have 6 process hidden for readdir command
You have 6 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
wlp2s0: PACKET SNIFFER(/usr/sbin/NetworkManager[1738], /usr/sbin/wpa_supplicant[1749], /usr/sbin/wpa_supplicant[1749])
lxcbr0: not promisc and no packet sniffer sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... user testaccount deleted or never logged from lastlog!
user username123 deleted or never logged from lastlog!
Checking `chkutmp'... The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! usernam+     2726 tty2   /usr/lib/xorg/Xorg vt2 -displayfd 3 -auth /run/user/1000/gdm/Xauthority -nolisten tcp -background none -noreset -keeptty -novtswitch -verbose 3
! usernam+     2724 tty2   /usr/libexec/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODE=zorin /usr/bin/gnome-session --session=zorin
! usernam+     2736 tty2   /usr/libexec/gnome-session-binary --systemd --session=zorin
! usernam+  1172831 pts/0  bash
! root      1197948 pts/1  /bin/sh /usr/sbin/chkrootkit
! root      1200713 pts/1  ./chkutmp
! root      1200717 pts/1  ps axk tty,ruser,args -o tty,pid,ruser,args
! root      1200716 pts/1  sh -c ps axk "tty,ruser,args" -o "tty,pid,ruser,args"
! root      1197945 pts/1  sudo chkrootkit
! usernam+  1180155 pts/1  bash
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not tested
And here is Google Gemini A.I.'s opinion of the results:
The output of sudo chkrootkit shows a few potential issues:
- Possible LKM Trojan: The warning "chkproc: Warning: Possible LKM Trojan installed" suggests that there might be a Loadable Kernel Module (LKM) rootkit on your system. LKM rootkits are particularly stealthy and difficult to detect.
- Hidden Processes: The messages "You have 6 process hidden for readdir command" and "You have 6 process hidden for ps command" indicate that some processes are trying to hide themselves from the system's process listing tools. This is another potential sign of a rootkit or other malicious software.
- Missing TTYs: The message "The tty of the following user process(es) were not found in /var/run/utmp !" lists several processes whose terminal devices (TTYs) are not properly registered. While this could be a benign issue, it's worth investigating further.
- Deleted or Never Logged Users: The messages "user testaccount deleted or never logged from lastlog!" and "user username123 deleted or never logged from lastlog!" indicate that these user accounts exist but have either been deleted or have never logged in. This might be normal, but it's worth checking if you're unsure about these accounts.
- Packet Sniffer: The message "wlp2s0: PACKET SNIFFER..." indicates that NetworkManager and wpa_supplicant are using packet sniffing on your wireless interface. This is usually normal behavior for network management and Wi-Fi connectivity, but it's something to be aware of.
Recommendations:
- Investigate Further: The "Possible LKM Trojan" and hidden processes are the most concerning findings. You should investigate these further to determine if they are legitimate or malicious. Consider using additional security tools or seeking help from a security professional.
- Review User Accounts: Check the "testaccount" and "username123" accounts to ensure they are legitimate and not remnants of a compromise. If you're unsure, consider deleting them or changing their passwords.
- Monitor Network Activity: Be mindful of the packet sniffing on your wireless interface. If you notice any unusual network activity, investigate it further.
- Stay Updated: Keep your system and software up-to-date to protect against known vulnerabilities that rootkits and other malware might exploit.
- Consider a Reinstall: If you're highly concerned about the potential compromise, consider backing up your data and reinstalling your operating system. This is the most thorough way to ensure your system is clean.
Important: Chkrootkit did not automatically delete anything. It only reported its findings. You'll need to take further action if you want to remove any potential threats.
Here is what the Google Gemini 1.5 Pro analysis had to say:
Let's break down the chkrootkit results and see what's what.
The Good News
• Mostly "Not Infected": The majority of your output shows "not infected" or "not found" for specific checks. This is a positive sign, suggesting that many common rootkit components haven't been detected.
• No Known Rootkits: chkrootkit actively searches for signatures and behaviors of known rootkits. You didn't get any hits for these, which is a good indication.
Points to Investigate (and Likely Benign)
• Suspicious Files/Directories: Let's address these one by one:
◦ /usr/lib/modules/...vdso/.build-id: These are related to your kernel (the core of your operating system) and are almost certainly safe. The ".build-id" helps with debugging.
◦ /usr/lib/jvm/...jinfo: Java Virtual Machine-related. If you use Java programs, these are expected.
◦ /usr/lib/.build-id: Another debugging aid, likely harmless.
◦ /usr/lib/python3/.../.noinit: Part of the Python programming language environment, likely fine.
◦ /usr/lib/libreoffice/share/.registry: LibreOffice configuration, not a security concern.
• Packet Sniffers: The tool flagged NetworkManager and wpa_supplicant as potential packet sniffers. This is normal. NetworkManager manages your network connections, and wpa_supplicant handles Wi-Fi security. They need to inspect network traffic to do their jobs correctly.
• Hidden Processes: The "6 processes hidden for readdir/ps" message from 'lkm' might seem alarming. However, modern Linux systems (especially those using systemd) often have processes that don't show up in traditional listings. This is more of a compatibility quirk with chkrootkit than a red flag.
• "User Deleted" Messages: The "user deleted or never logged from lastlog!" messages are likely due to how ZorinOS sets up (or cleans up after) temporary user accounts during installation or updates.
Important Considerations
• chkrootkit Limitations: chkrootkit is helpful, but it's not foolproof. Sophisticated rootkits can evade detection, and false positives are possible.
• System Updates: Ensure ZorinOS is fully updated. Security patches often address vulnerabilities that rootkits exploit.
Recommendations
1. Don't Panic: Based on the results, there's no immediate cause for alarm.
2. Further Investigation (Optional): If you want extra reassurance, consider these additional steps:
◦ Rootkit Hunter (rkhunter): Run sudo apt install rkhunter && sudo rkhunter -c. This tool complements chkrootkit with additional checks.
◦ Manual Inspection (Advanced): If you're comfortable with the Linux command line, you can manually inspect suspicious files listed by chkrootkit. Compare their hashes to known good versions or examine their contents.
In Summary: While chkrootkit found a few things worth noting, they are most likely benign and related to the normal operation of your ZorinOS system. Keep your system updated, and if you have any lingering doubts, the additional recommendations can provide further peace of mind.
Here's what the ChatGPT 4o mini analysis had to say:
From the output of chkrootkit that you provided, here's a breakdown of what the results indicate:
- No Rootkits Detected: The output shows that no known rootkits were detected. This includes a wide range of known rootkits and malware, so this is a positive sign.
- Suspicious Files and Directories: There are a few files and directories listed under "suspicious files and dirs." These include:
  /usr/lib/modules/5.15.0-113-generic/vdso/.build-id
  /usr/lib/modules/5.15.0-117-generic/vdso/.build-id
  /usr/lib/jvm/.java-1.11.0-openjdk-amd64.jinfo
  /usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo
  /usr/lib/.build-id
  /usr/lib/libreoffice/share/.registry
  These files are typically not dangerous by themselves. For example: .build-id directories are used by the Linux kernel and are not inherently suspicious. .jinfo files are related to Java installations. .registry in LibreOffice might be related to user settings.
  The presence of these files is usually normal, but if you are uncertain, you might want to verify their purpose and origin, especially if you have had unusual system behavior.
- LKM Trojan Warning: The report notes that there are processes hidden from the readdir and ps commands: "chkproc: Warning: Possible LKM Trojan installed". This is a bit concerning. LKM (Loadable Kernel Module) Trojans are known to hide processes or files to avoid detection. However, in some cases, this could be due to legitimate system configurations or virtual environments.
- No Other Signs of Compromise: The absence of evidence for sniffer tools, backdoors, or other types of malware is a good sign.
Recommendations
- Investigate Hidden Processes: The warning about hidden processes should be taken seriously. Verify if any legitimate processes or kernel modules could be causing this. Sometimes this can be caused by security features or virtualization.
- Update and Scan: Ensure your system is fully updated and consider running a more comprehensive scan with additional tools (e.g., rkhunter or Lynis) to cross-check.
- Check System Integrity: Review the files and directories listed under suspicious files. You can use tools like md5sum to verify their checksums against known good values if you have them.
- Consult Logs: Review system logs for any unusual activity that might be related to the hidden processes or the suspicious files.
If you are uncertain or if suspicious activity persists, consider seeking advice from a security expert or performing a deeper forensic analysis of your system.
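All three analyses above say the `lkm' finding ("6 process hidden for readdir/ps", "Possible LKM Trojan installed") is the one item that needs verifying rather than explaining away. The script below is an added example written for this post; it is not chkrootkit's code and not part of any of the quoted analyses. It repeats the comparison that chkproc makes (PIDs that answer kill(pid, 0) but are missing from readdir("/proc") or from ps), and then handles the two innocent causes of that message: processes that start or exit between snapshots, and thread IDs, which answer kill(tid, 0) but have no top-level /proc entry. Only a PID that stays hidden in every round is reported. It assumes a Linux host with /proc and a ps binary; the probe walks every PID up to pid_max, so each round takes a few seconds.

```python
"""Re-check chkrootkit's `lkm' (chkproc) finding without trusting a single snapshot.

A PID that answers kill(pid, 0) but is missing from readdir("/proc") or from
`ps` is "hidden". Two innocent things trip this: processes that start or exit
between the snapshots, and thread IDs, which answer kill(tid, 0) but have no
top-level /proc entry. Added example, not chkrootkit's code; assumes Linux.
"""
import os
import subprocess
import time


def hidden_pids(readdir_pids, ps_pids, probe_pids):
    """Pure comparison: (PIDs absent from readdir, PIDs absent from ps)."""
    return (sorted(probe_pids - readdir_pids), sorted(probe_pids - ps_pids))


def snapshot_proc():
    """Return (pids, tids) from readdir("/proc") and each /proc/<pid>/task."""
    pids, tids = set(), set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        pids.add(pid)
        try:
            tids.update(int(t) for t in os.listdir(f"/proc/{pid}/task") if t != name)
        except OSError:
            pass  # the process exited between the two listings
    return pids, tids


def snapshot_ps():
    """PIDs as reported by ps(1)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def snapshot_probe(max_pid):
    """Brute-force probe: kill(pid, 0) for every PID up to pid_max.
    EPERM means the PID exists but belongs to another user."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)
    return alive


def persistent_hidden(rounds=3, pause=0.5):
    """PIDs reported hidden in every round; transient ones drop out."""
    with open("/proc/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    survivors = None
    for _ in range(rounds):
        pids, tids = snapshot_proc()
        ps = snapshot_ps()
        probe = snapshot_probe(max_pid) - tids  # threads are not hidden processes
        from_readdir, from_ps = hidden_pids(pids, ps, probe)
        current = set(from_readdir) | set(from_ps)
        survivors = current if survivors is None else survivors & current
        time.sleep(pause)
    return sorted(survivors)


def describe(pid):
    """Best-effort name for a PID, if its /proc entry can still be opened."""
    try:
        with open(f"/proc/{pid}/comm") as f:
            return f.read().strip()
    except OSError:
        return "(no /proc entry)"


if __name__ == "__main__":
    hidden = persistent_hidden()
    if not hidden:
        print("No PID stayed hidden across rounds; the warning was most likely a timing artefact.")
    for pid in hidden:
        print(f"PID {pid} hidden in every round: {describe(pid)}")
```

Run it as root so the probe and ps see every process. An empty result means the chkproc warning came from the race or from threads; a PID that survives all rounds, especially one whose /proc entry cannot be opened, is the case where the "seek a security professional" advice above applies.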
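Gemini 1.5 Pro's "Manual Inspection" step and ChatGPT's "Check System Integrity" step both suggest comparing the flagged files against known-good hashes. On a Debian/Ubuntu-derived system such as Zorin OS those known-good values already exist on disk: every installed package records "<md5>  <relative path>" for its files in /var/lib/dpkg/info/<package>.md5sums. The script below is an added example written for this post, not chkrootkit's, dpkg's or any quoted analysis's own code. It walks each path from the chkrootkit output above, reports whether every file under it is package-owned and unmodified, and calls out what dpkg cannot vouch for (symlinks and unowned files). The FLAGGED list is copied from the output above; the fallback that tries /lib/... when /usr/lib/... is not recorded is an assumption about how packages recorded paths on merged-/usr systems.

```python
"""Verify chkrootkit's "suspicious files and dirs" against dpkg's own checksums.

A flagged path whose hash matches its package record is package-owned and
unmodified; a path no package claims, or whose hash differs, is what deserves
a closer look. Added example, not chkrootkit's or dpkg's code; assumes a
Debian/Ubuntu-style dpkg database under /var/lib/dpkg/info.
"""
import glob
import hashlib
import os

DPKG_INFO = "/var/lib/dpkg/info"

# Paths copied from the chkrootkit output above.
FLAGGED = [
    "/usr/lib/modules/5.15.0-113-generic/vdso/.build-id",
    "/usr/lib/modules/5.15.0-117-generic/vdso/.build-id",
    "/usr/lib/jvm/.java-1.11.0-openjdk-amd64.jinfo",
    "/usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo",
    "/usr/lib/.build-id",
    "/usr/lib/python3/dist-packages/PyQt5/uic/widget-plugins/.noinit",
    "/usr/lib/libreoffice/share/.registry",
]


def parse_md5sums(text, package):
    """Map absolute path -> (md5, package) from one .md5sums file's text."""
    db = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 32:
            db["/" + parts[1].strip()] = (parts[0].lower(), package)
    return db


def load_dpkg_db(info_dir=DPKG_INFO):
    db = {}
    for path in glob.glob(os.path.join(info_dir, "*.md5sums")):
        package = os.path.basename(path)[: -len(".md5sums")]
        with open(path, encoding="utf-8", errors="replace") as f:
            db.update(parse_md5sums(f.read(), package))
    return db


def lookup(path, db):
    """dpkg record for a path. Assumption: on merged-/usr systems a package
    may have recorded lib/... for a file now reached as /usr/lib/..."""
    if path in db:
        return db[path]
    if path.startswith("/usr/") and path[4:] in db:
        return db[path[4:]]
    return None


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path, db, hasher=md5_of):
    """'ok' (owned, unmodified), 'modified' (owned, hash differs) or 'unowned'."""
    rec = lookup(path, db)
    if rec is None:
        return "unowned"
    return "ok" if hasher(path) == rec[0] else "modified"


def check_paths(paths, db, hasher=md5_of):
    """Classify every entry under the given paths; directories are walked.
    dpkg does not checksum symlinks, so they are reported with their target."""
    report = {}

    def one(fp):
        if os.path.islink(fp):
            report[fp] = "symlink -> " + os.readlink(fp)
        elif os.path.isfile(fp):
            report[fp] = classify(fp, db, hasher)
        else:
            report[fp] = "missing"

    for p in paths:
        if os.path.isdir(p) and not os.path.islink(p):
            for root, _dirs, files in os.walk(p):
                for name in files:
                    one(os.path.join(root, name))
        else:
            one(p)
    return report


if __name__ == "__main__":
    db = load_dpkg_db()
    for fp, verdict in sorted(check_paths(FLAGGED, db).items()):
        rec = lookup(fp, db)
        owner = rec[1] if rec else "-"
        print(f"{verdict:<12} {owner:<40} {fp}")
```

The packaged equivalents are dpkg -V and debsums; the value of doing it by hand is that the check is scoped to exactly the paths chkrootkit named, and that symlinks and files no package owns are listed explicitly instead of being silently skipped. A "modified" or "unowned" verdict is where the md5sum comparison the analyses recommend actually starts; "ok" for everything under a dotfile directory is the evidence that it is the benign debugging or packaging artefact the analyses describe.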