Need some help with a hacker exorcism....
Michael ODonnell
michael.odonnell at comcast.net
Tue May 18 08:49:00 EDT 2004
>> CHECKING: "lkm"
>> You have 17 process hidden for readdir command
>> You have 17 process hidden for ps command
>> - WARNING!! INFECTED!! Possible LKM Trojan installed
>
>What produced this output?
Those look like msgs generated by chkrootkit. FWIW:
chkrootkit does unfortunately generate false positives
from time to time, reporting about "mysterious"
processes that are not in fact a threat. Most recent
example for me: I installed X from xfree86.org and
afterwards chkrootkit decided that I had 2 hidden
processes that were probably LKM trojans; this stopped
after a subsequent X update.
One problem is that chkrootkit reportedly gets excited
when the output from ps doesn't correlate with what's
visible under /proc, an inherently fraught situation
since the system's state is always changing.
I'm not counselling anybody to routinely ignore such
warning messages, just pointing out that chkrootkit
does apparently have this false-positive problem.
I still like and use chkrootkit (it recently found
t0rn8 on a buddy's machine) and believe it's a useful
tool to have in your kit.
LKM==LinuxKernelModule
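As an added illustration of the ps-versus-/proc comparison the post describes (example code, not chkrootkit's own and not from the original message), the script below probes for live PIDs with kill(pid, 0), compares that set against what readdir on /proc and ps(1) list, and then reports only PIDs that stay hidden across several consecutive samples, so a process that merely exited between two snapshots drops out. It also discards thread IDs found under /proc/<pid>/task, which kill() accepts but neither readdir nor ps list, a known source of spurious "hidden process" reports. The function names, the three-round sampling and the half-second delay are this example's own choices.

```python
"""Hidden-process check that damps the /proc-vs-ps race.

Modelled on the idea behind chkrootkit's LKM test, not on its code:
a PID that answers to kill(pid, 0) but is absent from readdir(/proc)
or from ps output is a candidate; it is reported only if it is still
hidden in every sample taken.  Linux-only (needs /proc and ps).
"""
import os
import subprocess
import time


def probe_pids(pid_max):
    """PIDs that exist according to kill(pid, 0).

    Success or EPERM both mean the process is there; ESRCH means it is not.
    """
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except PermissionError:
            alive.add(pid)
        except ProcessLookupError:
            pass
    return alive


def readdir_pids():
    """PIDs visible by listing /proc (the readdir view)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def thread_ids():
    """Thread IDs (other than each process's own main thread) from
    /proc/<pid>/task.  kill() sees them, but readdir and ps never list them."""
    tids = set()
    for pid in readdir_pids():
        try:
            tids.update(int(t) for t in os.listdir(f"/proc/{pid}/task") if int(t) != pid)
        except OSError:  # process exited while we looked
            pass
    return tids


def ps_pids():
    """PIDs reported by ps(1)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_in_sample(alive, readdir_view, ps_view, tids):
    """One snapshot: live PIDs missing from readdir and from ps,
    ignoring thread IDs, which are alive but legitimately unlisted."""
    candidates = alive - tids
    return {"readdir": candidates - readdir_view, "ps": candidates - ps_view}


def persistent_hidden(snapshots):
    """Intersect per-snapshot results: a PID is reported only if it was
    hidden in every sample, so short-lived processes are filtered out."""
    result = {}
    for view in ("readdir", "ps"):
        sets = [snap[view] for snap in snapshots]
        result[view] = set.intersection(*sets) if sets else set()
    return result


def check_live(rounds=3, delay=0.5):
    """Take several samples of the live system and return what stays hidden."""
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    snapshots = []
    for _ in range(rounds):
        snapshots.append(hidden_in_sample(probe_pids(pid_max), readdir_pids(),
                                          ps_pids(), thread_ids()))
        time.sleep(delay)
    return persistent_hidden(snapshots)


if __name__ == "__main__":
    for view, pids in check_live().items():
        print(f"{len(pids)} process(es) hidden for {view}: {sorted(pids) or 'none'}")
```

A PID that survives the intersection still deserves a closer look rather than an automatic verdict: check /proc/<pid>/status and /proc/<pid>/exe by hand, and compare against a second, independent tool before concluding anything. The sampling only removes the timing noise the post complains about; it does not prove the remainder is malicious.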
More information about the gnhlug-discuss
mailing list