I am running rkhunter and it says it's infected or found hidden processes?

First, you need to understand that if your VPS is compromised, then it's already too late. So what will rkhunter do? It can only verify that you have been hacked at the root level. It will not protect you.

If you just got your new VPS and you run rkhunter or chkrootkit on it, you may get a lot of false positives. An example:

Checking bindshell... INFECTED (PORTS: 465)
Checking lkm... You have 90 process hidden for readdir command
chkproc: Warning: Possible LKM Trojan installed
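
To triage the bindshell line above, the sketch below (an added example, not part of the original article or of chkrootkit) extracts the flagged ports and names the listening process from `ss -H -ltnp` output. The sample `ss` lines, the `exim` and `sshd` names, the PIDs and the function names are constructed assumptions; port 465 is the standard SMTP-over-TLS port, which is why a mail server commonly trips this test.

```shell
#!/bin/sh
# Added example: name the process behind each port chkrootkit's bindshell test flags.

# Constructed sample: the chkrootkit lines quoted above.
SAMPLE_CHKROOTKIT='Checking bindshell... INFECTED (PORTS: 465)
Checking lkm... You have 90 process hidden for readdir command
chkproc: Warning: Possible LKM Trojan installed'

# Constructed sample of `ss -H -ltnp` output; process names and PIDs are assumed.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 100 0.0.0.0:465 0.0.0.0:* users:(("exim",pid=1044,fd=5))
LISTEN 0 100 0.0.0.0:25 0.0.0.0:* users:(("exim",pid=1044,fd=3))'

# flagged_ports OUTPUT: print every port from a bindshell INFECTED line, one per line.
flagged_ports() {
    printf '%s\n' "$1" |
        sed -n 's/.*bindshell.*INFECTED (PORTS:\(.*\)).*/\1/p' |
        tr -s ' ,' '\n\n' | grep -E '^[0-9]+$'
}

# listener_for PORT SS_OUTPUT: print "name pid" of the listener, or "none -".
listener_for() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 == "LISTEN" && $4 ~ (":" port "$") {
            if (match($0, /\(\("[^"]+",pid=[0-9]+/)) {
                s = substr($0, RSTART + 3, RLENGTH - 3)   # drop the three leading characters
                split(s, a, /",pid=/)
                print a[1], a[2]
            } else print "unknown -"    # listener exists, owner not visible
            found = 1; exit
        }
        END { if (!found) print "none -" }'
}

# triage CHKROOTKIT_OUTPUT SS_OUTPUT: one line per flagged port.
triage() {
    for port in $(flagged_ports "$1"); do
        owner=$(listener_for "$port" "$2")
        case "$owner" in
            "none -") echo "port $port: flagged, but nothing is listening" ;;
            *) echo "port $port: held by ${owner% *} (pid ${owner##* }); compare with your expected services" ;;
        esac
    done
}

triage "$SAMPLE_CHKROOTKIT" "$SAMPLE_SS"
```

On a live VPS, run it as root with `triage "$(chkrootkit 2>/dev/null)" "$(ss -H -ltnp)"`. The answer is only as trustworthy as the host's own tools, so it helps rule out a false positive rather than prove the server is clean.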

You also need to understand that a VPS is a virtual server, so many of the chkrootkit tests that are performed on real machines may fail on your VPS. 

For example, these binaries may fail the test:

/sbin/insmod
/sbin/lsmod
/sbin/modprobe

They are not the default ones that come with the OS; they are modified files made to work on a virtual server.

So what do you do? If you feel someone has hijacked your VPS (or server) at the root level, open a support ticket and ask support to check it for you. 