Richard Holloway Blog

chkutmp in chkrootkit identifies mingetty process as hidden

Posted in June 2012 by under sysadmin

When running chkrootkit, chkutmp may report mingetty processes as being hidden.

The output will look something like

Checking `chkutmp`...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         3032 tty2   /sbin/mingetty tty2
! root         3035 tty3   /sbin/mingetty tty3
! root         3036 tty4   /sbin/mingetty tty4
! root         3047 tty6   /sbin/mingetty tty6
chkutmp: nothing deleted

According to Deron Meranda:

This warning from chkrootkit can be ignored for getty-type processes, such as /sbin/mingetty. It is normal behavior for a getty process to be attached to a tty device, yet not have an audit entry recorded in the utmp file. In fact, it is getty in combination with login that creates those utmp entries. But while getty is sitting on a tty device waiting for a user to login, the state that chkutmp reports is normal.

It is proper, though, that chkrootkit detects this sort of condition, because it could indicate a process trying to "hide". However, it should have the getty processes as an explicit exception to the rule. But non-getty processes should be reported.

See: http://forums.fedoraforum.org/archive/index.php/t-66259.html for this in context.
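To make the point above concrete, here is an added illustration (my own Python, not chkrootkit's chkutmp, which is a small C program) of the check chkutmp performs: every process with a controlling terminal is looked up against the terminals recorded in utmp, and anything on a tty with no utmp entry is reported. The twist is the explicit getty exception Meranda asks for: getty-style programs (mingetty, agetty, getty, mgetty) waiting on a tty are sorted into a separate "benign" list instead of being flagged. The ps and who output embedded below is constructed sample data, and the program names and PIDs in it are made up for the example.

```python
"""Toy re-implementation of the chkutmp idea, with a getty exception.

Not chkrootkit's code: it works on `ps -eo ruid,pid,tty,cmd` and `who`
text rather than reading the binary /var/run/utmp file directly.
"""
import re
from dataclasses import dataclass

# Constructed sample of `ps -eo ruid,pid,tty,cmd` output (not from a real host).
SAMPLE_PS = """\
RUID   PID TT       CMD
   0  3032 tty2     /sbin/mingetty tty2
   0  3035 tty3     /sbin/mingetty tty3
1000  4120 pts/0    -bash
   0  4411 tty5     /tmp/unknown_prog
   0     1 ?        /sbin/init
"""

# Constructed sample of `who` output: second column is the tty with a utmp entry.
SAMPLE_UTMP = """\
rick     pts/0        2012-06-10 09:12 (:0)
root     tty1         2012-06-10 08:55
"""

# Getty-type programs legitimately sit on a tty before any utmp entry exists.
GETTY_RE = re.compile(r"(^|/)(mingetty|agetty|getty|mgetty)$")


@dataclass
class Proc:
    ruid: int
    pid: int
    tty: str
    cmd: str


def parse_ps(text):
    """Parse ps output into Proc records, skipping the header line."""
    procs = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)  # cmd may itself contain spaces
        if len(parts) < 4:
            continue
        ruid, pid, tty, cmd = parts
        procs.append(Proc(int(ruid), int(pid), tty, cmd))
    return procs


def parse_utmp_ttys(text):
    """Collect the set of ttys that have a utmp (who) entry."""
    ttys = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            ttys.add(parts[1])
    return ttys


def is_getty(cmd):
    """True if the program name of the command line is a getty variant."""
    return bool(GETTY_RE.search(cmd.split()[0]))


def check_utmp(ps_text, utmp_text):
    """Return (suspicious, benign_getty): processes on a tty without a utmp entry.

    Processes with no controlling terminal ("?") are not considered, exactly
    as a tty-vs-utmp comparison would ignore them.
    """
    known_ttys = parse_utmp_ttys(utmp_text)
    suspicious, benign = [], []
    for p in parse_ps(ps_text):
        if p.tty == "?" or p.tty in known_ttys:
            continue
        (benign if is_getty(p.cmd) else suspicious).append(p)
    return suspicious, benign


if __name__ == "__main__":
    import subprocess  # live run against the current host (Linux procps / coreutils)
    ps_out = subprocess.run(["ps", "-eo", "ruid,pid,tty,cmd"],
                            capture_output=True, text=True, check=True).stdout
    who_out = subprocess.run(["who"], capture_output=True, text=True, check=True).stdout
    bad, gettys = check_utmp(ps_out, who_out)
    for p in bad:
        print(f"! {p.ruid:<6} {p.pid:>6} {p.tty:<8} {p.cmd}")
    print(f"{len(gettys)} getty process(es) on a tty without a utmp entry (normal)")
```

Run on the sample data, the two mingetty processes land in the benign list and only the unknown root process on tty5 is reported, which is the split Meranda argues chkutmp itself should make. Note that `who` lists user sessions only, so a reader running the live version sees the same getty behaviour described in the post.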

To clear the warning, kill each of the listed processes as root. For the example above:

kill -9 3032
kill -9 3035
kill -9 3036
kill -9 3047

New mingetty processes will be spawned automatically. Running chkrootkit again after that should come up clean.