One of these known false entries is 'Slapper Worm'.
Slapper Worm may be a false entry if a process was running when CHKROOTKIT started, and it finished before CHKROOTKIT finished running.
To verify this, wait a couple of minutes after you get your CHKROOTKIT report via e-mail, or after you run it on the command line. After waiting 1 - 2 minutes, log in to your server via SSH and run CHKROOTKIT again. If it comes up with Checking `slapper'... not infected, then you know it was a false entry. If it again tells you Checking `slapper'... Warning: Possible Slapper Worm installed, wait a minute and run CHKROOTKIT a 3rd time to verify that it is really installed. If it is, you need to take measures to secure your server now, and either attempt to remove the Slapper worm or re-install, re-load your data and harden your server again.
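The re-check steps above, written as a shell script (an added example, not part of the original page or of chkrootkit). It assumes chkrootkit is on root's PATH and is given the test name slapper as its argument; the names CHKROOTKIT_CMD, RECHECK_WAITS, slapper_status and recheck_slapper are made up for this example.

```sh
#!/bin/sh
# Added example: re-check a reported slapper warning (not chkrootkit's own code).
# CHKROOTKIT_CMD and RECHECK_WAITS are names made up for this example.
CHKROOTKIT_CMD="${CHKROOTKIT_CMD:-chkrootkit}"
RECHECK_WAITS="${RECHECK_WAITS:-120 60}"   # seconds to wait before run 2 and run 3

# Read chkrootkit output on stdin; print clean, warning or unknown
# according to the slapper line.
slapper_status() {
    awk '
        /Checking `slapper/ && /not infected/ { s = "clean" }
        /Checking `slapper/ && /Warning: Possible Slapper Worm installed/ { s = "warning" }
        END { if (s == "") s = "unknown"; print s }
    '
}

# Call after a report has already shown the slapper warning (run 1).
# Returns 0 if a later run is clean (false entry), 1 if the warning
# is still there on the 3rd run, 2 if the output could not be read.
recheck_slapper() {
    run=2
    for delay in $RECHECK_WAITS; do
        sleep "$delay"
        result=$($CHKROOTKIT_CMD slapper 2>/dev/null | slapper_status)
        echo "run $run: slapper $result"
        case "$result" in
            clean)   return 0 ;;
            warning) ;;
            *)       return 2 ;;
        esac
        run=$((run + 1))
    done
    return 1
}

# Only runs the real check when asked to, e.g.: sh recheck.sh run
if [ "${1:-}" = "run" ]; then
    recheck_slapper
    case $? in
        0) echo "false entry: the warning did not repeat" ;;
        1) echo "warning repeated on every run: secure the server now" ;;
        *) echo "could not read chkrootkit output (run as root?)" ;;
    esac
fi
```

Exit status 2 is kept apart from the other two so that a missing binary or a run without root privileges is not mistaken for a clean result.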
If you run a cPanel server, BindShell is a false entry as well. (This happens on all cPanel servers.)