Test with Chkrootkit

Norman Nunn npnunn at swbell.net
Mon Jul 26 02:09:02 UTC 2004


In one of my posts, I indicated that with the upgrade to 0.43, all the
original indicators (infections, hidden files and potential Trojan) were
eliminated from the output.

However, /chkrootkit-0.43/chkproc -v specifically lists the hidden files
anyway, and the number of hidden files varies during the run without
restarting the PC.  The PID numbers used seem to repeat but do not stick
with the links in the /proc/<PID> directories which are hidden from my
file manager.  Something causes them to pop up from time to time; I
would like to know if there is anything wrong with that.

Norm

On Sun, 2004-07-25 at 18:43, Scot L. Harris wrote:
> On Sun, 2004-07-25 at 20:57, John Dangler wrote:
> > [snip] 
> > 
> > >There is a known problem with some versions of chkrootkit on Fedora.  It
> > >wrongly identifies a number of processes as hidden.
> > 
> > That's why I just installed the latest version before making the comment.
> > 
> > >The original poster reported that the latest version from the chkrootkit
> > >site no longer has this problem.  
> > 
> > If the "latest version" is .43, and the kernel is the latest 2.6.6, then it
> > still has the problem.
> 
> The original poster was reporting that ls was infected along with hidden
> processes.  
> 
> I thought he had indicated that a newer version resolved all the issues
> but maybe it just resolves the ls issue.  Plus I believe he pulled the
> sources for chkrootkit from the web site not the RPM that is available.
> 
> The hidden process problem may not be fixed and from reading some
> additional postings on the subject it may not be fixable.  Seems there
> may be a race condition in chkrootkit looking for hidden processes.  
> -- 
> Scot L. Harris
> webid at cfl.rr.com
> 
> Fortune's Office Door Sign of the Week:
> 
> 	Incorrigible punster -- Do not incorrige. 
> 
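
An added example, not part of the original messages and not chkrootkit's own code: a generic check that compares two views of the process table several times and separates mismatches seen in every pass from one-off mismatches of the kind a race produces. The function names and the sample PIDs are constructed, and the live sampler assumes a Linux /proc and a procps-style `ps`.

```python
import os
import subprocess
import time

def ps_pids():
    """PIDs reported by ps (first view of the process table)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def proc_pids():
    """PIDs visible as numeric directory names in /proc (second view)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def mismatches(ps_view, proc_view):
    """PIDs present in exactly one of the two views."""
    return ps_view ^ proc_view

def classify(samples):
    """Split mismatched PIDs into (persistent, transient) across all samples."""
    per_sample = [mismatches(ps, proc) for ps, proc in samples]
    if not per_sample:
        return set(), set()
    persistent = set.intersection(*per_sample)      # mismatched in every pass
    transient = set.union(*per_sample) - persistent  # mismatched only sometimes
    return persistent, transient

def sample_live(rounds=5, delay=0.5):
    """Take several (ps, /proc) snapshots; the two reads are never atomic,
    so short-lived processes (including ps itself) show up as mismatches."""
    samples = []
    for _ in range(rounds):
        samples.append((ps_pids(), proc_pids()))
        time.sleep(delay)
    return samples

# Constructed snapshots: PIDs 3101, 3102, 3150 and 3190 are short-lived
# processes caught by only one view; PID 4000 is missing from ps every time.
CONSTRUCTED = [
    ({1, 200, 3101}, {1, 200, 3102, 4000}),
    ({1, 200, 3150}, {1, 200, 4000}),
    ({1, 200},       {1, 200, 3190, 4000}),
]

if __name__ == "__main__":
    persistent, transient = classify(sample_live())
    print("persistent mismatches (investigate):", sorted(persistent))
    print("transient mismatches (likely race):", sorted(transient))
```

A PID that stays mismatched in every pass is the one worth following up; a count that changes from run to run on its own is what the non-atomic comparison produces.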