chkutmp in chkrootkit identifies mingetty process as hidden
When running chkrootkit, chkutmp may report mingetty processes as being hidden.
The output will look something like:
Checking `chkutmp'... The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         3032 tty2   /sbin/mingetty tty2
! root         3035 tty3   /sbin/mingetty tty3
! root         3036 tty4   /sbin/mingetty tty4
! root         3047 tty6   /sbin/mingetty tty6
chkutmp: nothing deleted
According to Deron Meranda :
This warning from chkrootkit can be ignored for getty-type processes, such as /sbin/mingetty. It is normal behavior for a getty process to be attached to a tty device, yet not have an audit entry recorded in the utmp file. In fact, it is getty in combination with login that creates those utmp entries. But while getty is sitting on a tty device waiting for a user to log in, the state that chkutmp reports is normal.
It is proper, though, that chkrootkit detects this sort of condition, because it could indicate a process trying to "hide". However, it should have the getty processes as an explicit exception to the rule. But non-getty processes should be reported.
See: http://forums.fedoraforum.org/archive/index.php/t-66259.html for this in context.
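The check chkutmp performs, with the explicit getty exception argued for above, as an added example (not chkrootkit's code; the function names are mine and the sample rows are constructed from the report shown earlier):

```python
import re
import subprocess

# Getty-type programs legitimately sit on a tty before login writes utmp.
GETTY_RE = re.compile(r"(^|/)(mingetty|agetty|getty)\b")

# Constructed sample of `ps -eo ruser,pid,tty,args --no-headers` output.
SAMPLE_PS = [
    "root      3032 tty2     /sbin/mingetty tty2",
    "root      3035 tty3     /sbin/mingetty tty3",
    "root      3036 tty4     /sbin/mingetty tty4",
    "root      3047 tty6     /sbin/mingetty tty6",
    "root      3100 tty1     -bash",
    "nobody    4242 pts/3    ./unexpected-shell",
    "root         1 ?        /sbin/init",
]
SAMPLE_UTMP = ["tty1"]  # constructed: only tty1 has a login session in utmp

def parse_ps(lines):
    """Parse ps rows into dicts, dropping processes with no controlling tty."""
    procs = []
    for line in lines:
        parts = line.split(None, 3)
        if len(parts) < 4 or parts[2] == "?":
            continue
        ruser, pid, tty, cmd = parts
        procs.append({"ruid": ruser, "pid": int(pid), "tty": tty, "cmd": cmd})
    return procs

def find_unlisted_tty_procs(ps_lines, utmp_ttys, exempt_getty=True):
    """chkutmp's check: processes whose tty has no utmp entry.
    With exempt_getty=True, getty-type commands are skipped and everything
    else not recorded in utmp is reported, as the text recommends."""
    known = {t.replace("/dev/", "") for t in utmp_ttys}
    return [p for p in parse_ps(ps_lines)
            if p["tty"] not in known
            and not (exempt_getty and GETTY_RE.search(p["cmd"]))]

def live_utmp_ttys():
    # ttys with a utmp entry on this host; `who` reads utmp, column 2 is the line
    out = subprocess.run(["who"], capture_output=True, text=True, check=True).stdout
    return [ln.split()[1] for ln in out.splitlines() if len(ln.split()) > 1]

def live_ps_lines():
    args = ["ps", "-eo", "ruser,pid,tty,args", "--no-headers"]
    return subprocess.run(args, capture_output=True, text=True, check=True).stdout.splitlines()

if __name__ == "__main__":
    for p in find_unlisted_tty_procs(live_ps_lines(), live_utmp_ttys()):
        print(f"! {p['ruid']:<8} {p['pid']:>6} {p['tty']:<8} {p['cmd']}")
```

Run against the sample rows, only the non-getty process on pts/3 is reported; with `exempt_getty=False` the four mingetty processes come back too, reproducing the chkrootkit output above.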
What you can do to clear this is to kill each process as root. So in this example:
kill -9 3032
kill -9 3035
kill -9 3036
kill -9 3047
New mingetty processes will be spawned automatically. Running chkrootkit again should then come up clean.
ABOUT THE AUTHOR
Richard Holloway is a PHP developer and System Administrator based in West Sussex