[Solved] Chkrootkit -q result

Hello again,

I got the result for the command and don’t know how to analyze it. Can you help? Thanks.

The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! Debian-+ 863 tty1 /usr/bin/Xwayland :1024 -rootless -noreset -listen 4 -listen 5 -displayfd 6
! Debian-+ 823 tty1 /usr/lib/gdm3/gdm-wayland-session gnome-session --autostart /usr/share/gdm/greeter/autostart
! Debian-+ 830 tty1 /usr/lib/gnome-session/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart
! Debian-+ 24498 tty1 /usr/lib/gnome-settings-daemon/gnome-settings-daemon
! Debian-+ 838 tty1 /usr/bin/gnome-shell
! Debian-+ 928 tty1 xbrlapi -q
! root 1425 pts/0 bash
! root 1702 pts/1 bash
! root 21264 pts/1 nmap 192.168.1.0/24 -O -vv
! root 21271 pts/2 bash
! root 21298 pts/2 tail -f galaxy
! root 24373 pts/3 bash
! root 24819 pts/4 /bin/bash
! root 25843 pts/4 /bin/sh /usr/sbin/chkrootkit -q
! root 26421 pts/4 ./chkutmp
! root 26423 pts/4 ps axk tty,ruser,args -o tty,pid,ruser,args
! root 24817 pts/4 sh -c chkrootkit -h;${SHELL:-bash}
! root 26422 pts/4 sh -c ps axk "tty,ruser,args" -o "tty,pid,ruser,args"

What command did you run?

chkrootkit -q

If you look at the man page for utmp you will see …

The utmp file allows one to discover information about who is currently using the system. There may be more users currently using the system, because not all programs use utmp logging.

Warning: utmp must not be writable, because many system programs (foolishly) depend on its integrity. You risk faked system logfiles and modifications of system files if you leave utmp writable to any user.

So…

**utmp** should have a list (in binary format) of all running user processes
**chkrootkit** compares all the user processes running in the system with what is registered in _/var/run/utmp_, reporting the fact that one process being run by root is not registered.

That doesn’t mean that it is a rootkit or data logger. But it might be.

So you need to track down whether or not this missing registration is due to malware, since malware would likely be written to avoid being registered.
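To make the comparison concrete, here is an added example (not from this thread or from chkrootkit itself) that does what the chkutmp check does: it parses the binary records of /var/run/utmp, collects the terminals that have a logged-in USER_PROCESS entry, and flags every process from `ps axk tty,ruser,args -o tty,pid,ruser,args` whose controlling tty has no such entry. The utmp record layout is the 384-byte glibc struct on 64-bit Linux; the utmp bytes and ps lines below are constructed test data, and the function names are my own.

```python
import struct

# struct utmp as laid out by glibc on 64-bit Linux: 384 bytes per record
# (ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host, ut_exit, ut_session, ut_tv, ut_addr_v6, unused)
UTMP_FMT = "=hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7  # ut_type of a normal login session

def _cstr(b: bytes) -> str:
    """Decode a NUL-padded fixed-width utmp field."""
    return b.split(b"\0", 1)[0].decode("utf-8", "replace")

def utmp_ttys(data: bytes) -> set:
    """Return the ut_line (tty) values of all USER_PROCESS records in raw utmp bytes."""
    ttys = set()
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        rec = struct.unpack_from(UTMP_FMT, data, off)
        ut_type, ut_line = rec[0], _cstr(rec[2])
        if ut_type == USER_PROCESS and ut_line:
            ttys.add(ut_line)
    return ttys

def unregistered(ps_output: str, ttys: set) -> list:
    """Parse `ps axk tty,ruser,args -o tty,pid,ruser,args` output and return
    (tty, pid, ruser, args) for each process whose tty has no utmp login record."""
    found = []
    for line in ps_output.strip().splitlines()[1:]:  # first line is the ps header
        parts = line.split(None, 3)
        if len(parts) < 4 or parts[0] == "?":  # "?" = no controlling terminal
            continue
        tty, pid, ruser, args = parts
        if tty not in ttys:
            found.append((tty, int(pid), ruser, args))
    return found

def make_utmp_record(tty: str, user: str, pid: int) -> bytes:
    """Build one USER_PROCESS utmp record (constructed test data, not a real login)."""
    return struct.pack(UTMP_FMT, USER_PROCESS, pid, tty.encode(), b"", user.encode(),
                       b"", 0, 0, 0, 0, 0, 0, 0, 0, 0, b"")

# Constructed sample: only pts/0 and pts/1 have login records in utmp.
SAMPLE_UTMP = make_utmp_record("pts/0", "root", 1425) + make_utmp_record("pts/1", "root", 1702)
SAMPLE_PS = """TT PID RUSER COMMAND
tty1 863 Debian-+ /usr/bin/Xwayland :1024 -rootless -noreset
pts/0 1425 root bash
pts/1 1702 root bash
pts/4 25843 root /bin/sh /usr/sbin/chkrootkit -q
? 1 root /sbin/init
"""

if __name__ == "__main__":
    for tty, pid, user, args in unregistered(SAMPLE_PS, utmp_ttys(SAMPLE_UTMP)):
        print(f"! {user} {pid} {tty} {args}")
```

On a live system, feed `open("/var/run/utmp", "rb").read()` and the real ps output to the two functions; a hit on tty1 for the gdm greeter, or on the pts the scan itself runs in, is expected, so the next step is to account for each flagged tty (who opened it and when) rather than to treat the line itself as proof of a rootkit.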

Thank you very much for your reply. I am using Kali Linux and learning to hack and defend endpoints. However, I am just a newbie, and terms like utmp sound new to me. I also cannot figure out a way to "track down whether or not this registration is since malware". Can you let me know how?

Thanks again.

Watch the whole section of vol 4 on malware and hacker hunting. You will understand more.