Test with Chkrootkit
Geoffrey Leach
geoff at direcway.com
Sun Jul 25 22:26:41 UTC 2004
On 07.25 13:44, Gene Heskett wrote:
> On Sunday 25 July 2004 11:52, Norman Nunn wrote:
> >I got the following indicators:
> >
> >ls INFECTED
> >22 process hidden for readdir command
> >22 process hidden for ps command
> >Warning: Possible LKM Trojan installed
>
> Yup, you've been rooted, pull the network cable and see if you can
> reboot to the distribution and refresh the other tools, like ls, top,
> and a bunch of others. You may have to get acquainted with a command
> called chattr because these jerks tend to set the immutable bit on
> their replacement versions.
>
> >On Sun, 2004-07-25 at 08:43, Scot L. Harris wrote:
> >> On Sun, 2004-07-25 at 11:36, Norman Nunn wrote:
> >> > In checking the chkrootkit website, I noticed that chkrootkit
> >> > had not been tested (or completed testing) with the 2.6 kernel.
> >> > Is it reliable for FC2? I have some indicator that may prompt
> >> > me to do a fresh reinstall and would appreciate input before I
> >> > go to that effort. Clamscan did not pick up anything for me.
To further analyze the problem, run ./chkproc -v to get a list of the
hidden processes, then run cat /proc/<pid>/cmd to see the processes
that are hidden.
BTW, I'm using version 0.43 on a 2.6 kernel. Works fine, as far as I
can tell.
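The chkproc technique referred to above (compare the PIDs a directory listing of /proc and `ps` show against the PIDs the kernel itself admits exist) can be reproduced in a few dozen lines. The script below is an added example written for this thread, not chkrootkit's own code. It assumes a Linux procfs mounted at /proc, reads the PID ceiling from /proc/sys/kernel/pid_max, and reads /proc/<pid>/cmdline by explicit path, which is the per-process file behind the cat step in the reply above and is normally still readable when a readdir hook filters the entry out of listings. It also handles the two false-positive sources a practitioner runs into: thread IDs (kill(tid, 0) answers for threads of visible processes, a classic source of "hidden process" reports on 2.6/NPTL systems) and processes that start or exit between snapshots (the check runs twice and only PIDs hidden in both passes are reported).

```python
#!/usr/bin/env python3
"""Cross-check the process table for hidden PIDs, the way chkproc does.

Added example for this thread; not chkrootkit's code.  Three views of the
process table are compared (Linux procfs at /proc is assumed):

  readdir view  numeric entries returned by listing /proc
  ps view       PIDs printed by `ps -eo pid=`
  probe view    every PID from 1..pid_max asked for directly with
                kill(pid, 0), which bypasses the directory listing that
                a readdir hook would filter

A PID the probe finds but readdir or ps does not is a candidate hidden
process.  TIDs of visible processes are discarded (kill() also answers for
them), and only PIDs hidden in every pass are reported, to ignore processes
that came or went between snapshots.
"""
import os
import subprocess


def pid_max(path="/proc/sys/kernel/pid_max"):
    """Upper bound of the PID space; 32768 is the classic default."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 32768


def readdir_pids(proc="/proc"):
    """PIDs as a directory listing of /proc shows them."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def ps_pids():
    """PIDs as `ps` reports them (ps itself reads /proc)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def probe_pids(limit):
    """PIDs the kernel confirms exist, found without any directory listing."""
    found = set()
    for pid in range(1, limit + 1):
        try:
            os.kill(pid, 0)          # signal 0: existence check only
        except ProcessLookupError:   # ESRCH: no such process
            continue
        except PermissionError:      # EPERM: exists, owned by another user
            pass
        found.add(pid)
    return found


def thread_ids(pids, proc="/proc"):
    """TIDs of the given (visible) processes, read from /proc/<pid>/task."""
    tids = set()
    for pid in pids:
        try:
            tids.update(int(t) for t in os.listdir(f"{proc}/{pid}/task"))
        except OSError:
            continue                 # process exited meanwhile
    return tids


def classify(probe, readdir, ps, tids):
    """Pure comparison step, kept separate so it can be tested on fixed sets.

    Returns (hidden_from_readdir, hidden_from_ps) after discarding probe hits
    that are merely threads of a visible process.
    """
    real = probe - tids
    return real - readdir, real - ps


def cmdline(pid, proc="/proc"):
    """Command line of a PID, read by explicit path rather than via listing."""
    try:
        with open(f"{proc}/{pid}/cmdline", "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return ""


def hidden_processes(passes=2):
    """Run the full check `passes` times; report only PIDs hidden every time."""
    limit = pid_max()
    hidden_rd = hidden_ps = None
    for _ in range(passes):
        rd, ps = readdir_pids(), ps_pids()
        h_rd, h_ps = classify(probe_pids(limit), rd, ps, thread_ids(rd))
        hidden_rd = h_rd if hidden_rd is None else hidden_rd & h_rd
        hidden_ps = h_ps if hidden_ps is None else hidden_ps & h_ps
    return hidden_rd, hidden_ps


if __name__ == "__main__":
    h_rd, h_ps = hidden_processes()
    for pid in sorted(h_rd | h_ps):
        where = " ".join(w for w, hit in (("readdir", pid in h_rd),
                                          ("ps", pid in h_ps)) if hit)
        print(f"PID {pid} hidden from: {where}  "
              f"cmdline: {cmdline(pid) or '(unreadable)'}")
    if not (h_rd | h_ps):
        print("no hidden processes found")
```

Run it as root so the cmdline reads succeed for every process; on a modern kernel pid_max is often several million, so the probe pass takes a few seconds. A PID that is still reported after the double pass and whose cmdline cannot be read from a live root shell is worth investigating with tools copied from known-good media rather than the system's own ls, ps and top, as the earlier reply recommends.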
More information about the fedora-list mailing list