Test with Chkrootkit

Norman Nunn npnunn at swbell.net
Sun Jul 25 23:28:59 UTC 2004


Geoffrey, Thanks for your feedback.  

I feel like I am wandering around in the dark on occasion, but when I
ran chkproc -v and checked the pid list, they were all hidden
directories in /proc that appeared similar but with exe linked to
different commands and with cwd linked to my home directory. Not sure
what to look for. 

These hidden directories do not show up in a file manager like the /~
hidden directories do.  The exe links include gnome-vfs-daemon, nautilus
and evolution-1.4 with nautilus and evolution-1.4 repeating.

Any ideas??  They all have today's date but I wondered if these were
errant processes. 

Norm 

On Sun, 2004-07-25 at 15:26, Geoffrey Leach wrote:
> On 07.25 13:44, Gene Heskett wrote:
> > On Sunday 25 July 2004 11:52, Norman Nunn wrote:
> > >I got the following indicators:
> > >
> > >ls INFECTED
> > >22 process hidden for readdir command
> > >22 process hidden for ps command
> > >Warning: Possible LKM Trojan installed
> > 
> > Yup, you've been rooted, pull the network cable and see if you can
> > reboot to the distribution and refresh the other tools, like ls, top,
> > and a bunch of others.  You may have to get acquainted with a command
> > called chattr because these jerks tend to set the immutable bit on
> > their replacement versions.
> >
> 
> > >On Sun, 2004-07-25 at 08:43, Scot L. Harris wrote:
> > >> On Sun, 2004-07-25 at 11:36, Norman Nunn wrote:
> > >> > In checking the chkrootkit website, I noticed that chkrootkit
> > >> > had not been tested (or completed testing) with the 2.6 kernel.
> > >> > Is it reliable for FC2?  I have some indicator that may prompt
> > >> > me to do a fresh reinstall and would appreciate input before I
> > >> > go to that effort. Clamscan did not pick up anything for me.
> 
> To further analyze the problem, run ./chkproc -v to get a list of the  
> hidden processes, then run cat /proc/<pid>/cmd to see the processes  
> that are hidden.
> 
> BTW, I'm using version 0.43 on a 2.6 kernel.  Works fine, as far as I  
> can tell.
> 
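The check Geoffrey describes (get the list of PIDs chkproc flags, then inspect each /proc entry), as an added example that is not part of this thread or of chkrootkit: a POSIX shell script that probes /proc directly for PIDs absent from the list ps reports and, before calling one hidden, reads the Tgid field of /proc/<pid>/status to separate a thread of a visible process from a PID nothing accounts for. On a 2.6 kernel each NPTL thread has its own /proc/<tid> entry that a readdir of /proc does not list, so threaded desktop programs such as nautilus or evolution produce exactly the kind of repeating hidden entries Norm saw; the Tgid check is how a defender tells that case apart from a genuinely concealed process. The function names, the PROC_ROOT override and the sample values are my own, and the per-entry look-up reads /proc/<pid>/cmdline (plus the exe and cwd links mentioned above).

```shell
#!/bin/sh
# Added example, not part of the thread or of chkrootkit. Probes /proc for
# PIDs that exist but are missing from the list ps reports, then separates
# threads of visible processes (Tgid points at a visible PID) from PIDs
# that nothing accounts for. PROC_ROOT is overridable so the logic can be
# exercised against a constructed directory tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# tgid_of PID: print the thread-group id from /proc/PID/status (empty if unreadable).
tgid_of() {
    { awk '/^Tgid:/ { print $2; exit }' "$PROC_ROOT/$1/status"; } 2>/dev/null || :
}

# classify_pids "VISIBLE_PIDS" MAX_PID
#   VISIBLE_PIDS: space-separated PIDs that ps reports
#   MAX_PID:      highest PID to probe (chkproc probes up to pid_max the same way)
# Prints one line per existing /proc entry:
#   "<pid> visible" | "<pid> thread-of <tgid>" | "<pid> HIDDEN"
classify_pids() {
    visible=" $1 "
    pid=1
    while [ "$pid" -le "$2" ]; do
        if [ -d "$PROC_ROOT/$pid" ]; then
            case "$visible" in
                *" $pid "*)
                    echo "$pid visible" ;;
                *)
                    tg=$(tgid_of "$pid")
                    # A thread carries the PID of its group leader in Tgid;
                    # if that leader is visible, the entry is a thread, not a hidden process.
                    if [ -n "$tg" ] && [ "$tg" != "$pid" ]; then
                        case "$visible" in
                            *" $tg "*) echo "$pid thread-of $tg" ;;
                            *)         echo "$pid HIDDEN" ;;
                        esac
                    else
                        echo "$pid HIDDEN"
                    fi ;;
            esac
        fi
        pid=$((pid + 1))
    done
}

# describe_pid PID: the per-entry look the thread suggests, on one line.
# The command line lives in /proc/PID/cmdline (NUL-separated arguments).
describe_pid() {
    printf '%s exe=%s cwd=%s cmdline=%s\n' "$1" \
        "$(readlink "$PROC_ROOT/$1/exe" 2>/dev/null || echo '?')" \
        "$(readlink "$PROC_ROOT/$1/cwd" 2>/dev/null || echo '?')" \
        "$(tr '\0' ' ' < "$PROC_ROOT/$1/cmdline" 2>/dev/null || echo '?')"
}

# Live run: sh hidden_pids.sh --live [MAX_PID]
# Walking all of pid_max in sh is slow but matches what chkproc does in C;
# pass a second argument to cap the probe range.
if [ "${1:-}" = "--live" ]; then
    PROC_ROOT=/proc
    visible=$(ps -e -o pid= | tr '\n' ' ')
    classify_pids "$visible" "${2:-$(cat /proc/sys/kernel/pid_max)}" |
        grep -v ' visible$' |
        while read -r p rest; do
            echo "$p $rest"
            describe_pid "$p"
        done
fi
```

Feeding classify_pids the output of `ps -eL -o tid=` instead of `ps -e -o pid=` makes the thread entries visible too, which is a quick way to confirm that repeating entries are threads before treating anything as a rootkit indicator; anything still reported as HIDDEN with that list is worth the offline inspection Gene recommends.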

More information about the fedora-list mailing list