Possible Rootkit?

Hello,

This morning mysql stopped working for all of our sites, and I determined it was because the /var/tmp/mysql.sock symbolic link was deleted. Re-added and now it's all OK.

I was trying to think of how this could've been deleted all on its own. I immediately scanned for rootkits. chkrootkit says I have a possible LKM trojan installed. It seems no matter when I run chkrootkit, it always says I have 4 processes hidden. However, when I run rkhunter, it does not detect LKM nor any other rootkit.

However, rkhunter does detect this:

Checking for differences in user groups... Found differences

Do you guys think chkrootkit is a false alarm? Anyone know what to do about the rkhunter warning? Anyone know how the mysql.sock symbolic link could just disappear?

Thanks,
Dan