Test with Chkrootkit
Gene Heskett
gene.heskett at verizon.net
Sun Jul 25 20:44:32 UTC 2004
On Sunday 25 July 2004 11:52, Norman Nunn wrote:
>I got the following indicators:
>
>ls INFECTED
>22 process hidden for readdir command
>22 process hidden for ps command
>Warning: Possible LKM Trojan installed
Yup, you've been rooted, pull the network cable and see if you can
reboot to the distribution and refresh the other tools, like ls, top,
and a bunch of others. You may have to get acquainted with a command
called chattr because these jerks tend to set the immutable bit on
their replacement versions.
>The number of hidden command changes.
>
>Thanks for your input.
>
>Norm
>
>On Sun, 2004-07-25 at 08:43, Scot L. Harris wrote:
>> On Sun, 2004-07-25 at 11:36, Norman Nunn wrote:
>> > In checking the chkrootkit website, I noticed that chkrootkit
>> > had not been tested (or completed testing) with the 2.6 kernel.
>> > Is it reliable for FC2? I have some indicator that may prompt
>> > me to do a fresh reinstall and would appreciate input before I
>> > go to that effort. Clamscan did not pick up anything for me.
>> >
>> > Norm
>>
>> What is the indication you are getting?
>>
>> Is it processes that appear to be hidden?
>>
>> I believe that is a known issue. If you investigate further I
>> believe those processes are fine. chkrootkit does need to be
>> updated/modified to correctly identify those processes.
>>
>> --
>> Scot L. Harris
>> webid at cfl.rr.com
>>
>> Nothing is more admirable than the fortitude with which
>> millionaires tolerate the disadvantages of their wealth.
>> -- Nero Wolfe
--
Cheers, Gene
There are 4 boxes to be used in defense of liberty.
Soap, ballot, jury, and ammo.
Please use in that order, starting now. -Ed Howdershelt, Author
Additions to this message made by Gene Heskett are Copyright 2004,
Maurice E. Heskett, all rights reserved.
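
An added example, not part of the original message: one way to spot the immutable bit mentioned above is to filter `lsattr` output for files carrying the `i` (immutable) or `a` (append-only) attribute. The function name `find_locked` and the sample listing are constructed for illustration; `lsattr` and `chattr` are the e2fsprogs tools.

```shell
#!/bin/sh
# Added example. Reads lsattr-format lines on stdin and prints
# "<flags><TAB><path>" for every file that has the immutable (i) or
# append-only (a) attribute set. find_locked is a hypothetical helper name.
find_locked() {
    awk '
        NF >= 2 {
            attrs = $1
            # The attribute column holds only letters and dashes; this also
            # skips "lsattr: ..." error lines.
            if (attrs !~ /^[-A-Za-z]+$/) next
            if (attrs !~ /[ia]/) next
            flag = ""
            if (attrs ~ /i/) flag = "immutable"
            if (attrs ~ /a/) flag = flag (flag == "" ? "" : ",") "append-only"
            # The path is everything after the first field (may hold spaces).
            path = $0
            sub(/^[^ \t]+[ \t]+/, "", path)
            printf "%s\t%s\n", flag, path
        }
    '
}

# Constructed sample of lsattr output (not taken from a real system).
SAMPLE='-------------e-- /bin/cat
----i--------e-- /bin/ls
-----a-------e-- /var/log/wtmp
lsattr: Operation not supported While reading flags on /bin/sh
----ia-------e-- /usr/bin/top'

printf '%s\n' "$SAMPLE" | find_locked

# On a real system, run lsattr from trusted boot media against the mounted
# disk, since the installed tools may have been replaced:
#   lsattr /mnt/sysimage/bin /mnt/sysimage/sbin 2>&1 | find_locked
# (/mnt/sysimage is an assumed mount point.) A flagged file can be unlocked
# with "chattr -i <file>" before it is replaced from a known-good package.
```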