LKM Trojan

Pedro Fernandes Macedo webmaster at margo.bijoux.nom.br
Wed Dec 1 00:20:53 UTC 2004


david walcroft wrote:

> Would these be a 'false positive' or for real and if so how do I
> confirm and remove any infected process/trojan
>
>  Thanks   david
>

There's a high chance that these are false positives... Run chkrootkit 
with the verbose option and it'll show the PID of the processes...
Then, check the /proc/$PID/ directory. The "status" file will give you 
the program name, and the other files (especially environ and cmdline) 
will give more details.
And for the path of the file, check the symlink "exe" in that folder.

I used to have lots of false positives, so I just quit using chkrootkit 
(as my machine isn't all that sensitive and I secured it the best I can).

--
Pedro Macedo
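The /proc walk described in the reply above, scripted as an added example (not code from the post or from chkrootkit). The helper names (proc_name, proc_exe, proc_cmdline, proc_env, inspect_pid) are illustrative; the script assumes a Linux /proc and takes the PIDs to examine as arguments, since chkrootkit's output format is not reproduced here:

```sh
#!/bin/sh
# proc_inspect.sh: print what /proc says about each PID given on the command line.
# Helper names below are illustrative, not part of chkrootkit.

# Program name from the "Name:" line of /proc/PID/status (the kernel's comm field).
proc_name() {
    sed -n 's/^Name:[[:space:]]*//p' "/proc/$1/status" 2>/dev/null
}

# Path of the running binary: /proc/PID/exe is a symlink to the file on disk.
# A trailing " (deleted)" means the binary was removed after it started, which
# deserves a closer look on a box you suspect.
proc_exe() {
    readlink "/proc/$1/exe" 2>/dev/null || echo "(unreadable: need root or the same uid)"
}

# argv of the process; /proc/PID/cmdline is NUL-separated, so turn NULs into spaces.
proc_cmdline() {
    tr '\0' ' ' 2>/dev/null < "/proc/$1/cmdline"
}

# Environment of the process, one VAR=value per line (readable only by root or the owner).
proc_env() {
    tr '\0' '\n' 2>/dev/null < "/proc/$1/environ"
}

# Summarise one PID. Returns 1 if the PID has no /proc entry (the process exited
# between the scanner's run and ours, or the number was misread), 0 otherwise.
inspect_pid() {
    pid="$1"
    [ -d "/proc/$pid" ] || return 1
    printf 'PID %s\n' "$pid"
    printf '  name:    %s\n' "$(proc_name "$pid")"
    printf '  exe:     %s\n' "$(proc_exe "$pid")"
    printf '  cmdline: %s\n' "$(proc_cmdline "$pid")"
    printf '  environ:\n'
    proc_env "$pid" | sed 's/^/    /'
    return 0
}

# Usage: sh proc_inspect.sh PID [PID ...]   (the PIDs the scanner flagged)
for p in "$@"; do
    inspect_pid "$p" || printf 'PID %s: no /proc entry (already exited?)\n' "$p"
done
```

Run it as root so environ and exe are readable for every process; as an unprivileged user those two entries are only readable for your own processes. A name in status that does not match the basename of the exe link, or an exe link marked "(deleted)", is the kind of discrepancy worth checking by hand rather than dismissing as a false positive.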



