chkrootkit says possible lkm rootkit installed
Michael Schwendt
fedora at wir-sind-cool.org
Thu Jun 17 10:51:48 UTC 2004
On Thu, 17 Jun 2004 08:46:38 +0200 (CEST), Roger Grosswiler wrote:
> hi,
>
> I let chkrootkit run and get the following:
>
> Checking `lkm'... You have 6 process hidden for readdir command
> You have 6 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
>
> Does anybody have the same? Could this be a false positive?
Yes to the latter. chkrootkit doesn't support any special changes in the
2.6 kernel yet. This has been discussed before and should be in the
archives. Run '/usr/lib/chkrootkit-0.43/chkproc -v', note the process IDs
which are listed, and then via the /proc/$PID system examine the processes
which are listed. You'll find that these are false positives, which
are hidden, and 'ps -m' (and other options) don't find them either.
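
One way to script the /proc examination described in the reply above, as an added example that is not part of the original message or of chkrootkit. It assumes the IDs reported by `chkproc -v` are thread IDs, which a 2.6 kernel exposes under /proc/<tgid>/task/ without listing them in /proc itself; `PROC_ROOT`, `proc_name` and `classify_pid` are names made up for this sketch.

```shell
#!/bin/sh
# Added example, not part of chkrootkit.
# PROC_ROOT may point at a constructed tree for testing; default is /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# proc_name FILE -> the Name: field of a /proc status file
proc_name() { awk '$1 == "Name:" { print $2; exit }' "$1"; }

# classify_pid ID -> prints exactly one line:
#   listed:<name>          ID appears in a directory listing of /proc
#   thread:<tgid>:<name>   ID is a task (thread) of listed process <tgid>
#   unexplained            /proc/ID answers, but no listed process owns it
#   gone                   nothing answers for ID (it exited in the meantime)
classify_pid() {
    id=$1
    # Case 1: visible to readdir, so not hidden at all.
    if ls "$PROC_ROOT" | grep -qxF "$id"; then
        echo "listed:$(proc_name "$PROC_ROOT/$id/status")"
        return 0
    fi
    # Case 2: search the task directories of every listed process.
    # An unmatched glob stays literal and fails the -r test.
    for st in "$PROC_ROOT"/[0-9]*/task/"$id"/status; do
        [ -r "$st" ] || continue
        tgid=$(awk '$1 == "Tgid:" { print $2; exit }' "$st")
        echo "thread:$tgid:$(proc_name "$st")"
        return 0
    done
    # Case 3: reachable by direct lookup only; this one needs a closer look.
    if [ -e "$PROC_ROOT/$id/status" ]; then
        echo "unexplained"
    else
        echo "gone"
    fi
}

# Usage: sh classify.sh ID [ID...]   (the IDs noted from 'chkproc -v')
for p in "$@"; do
    printf '%s %s\n' "$p" "$(classify_pid "$p")"
done
```

Every ID that comes back as `thread:` belongs to a process that ps already shows; only an `unexplained` result is worth further investigation.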