pp at ee.oulu.fi
Wed Apr 14 18:31:46 UTC 2004
On Wed, Apr 14, 2004 at 09:46:16AM -0800, t l wrote:
> While waiting for 56 updates to download, I installed and ran "chkrootkit-0.43" from www.chkrootkit.org. (I was impressed by the reports of intrusions/breaks at Stanford Solaris/Linux systems.
> Running it produces the following warning:
> Checking `lkm'... You have 7 process hidden for readdir command
> You have 7 process hidden for ps command
> Warning: Possible LKM Trojan installed
> I was running this on kernel-2.6.5-1.319 (update to 322 in progress), with "setenforce 0".
> Anything I should be concerned about?
Probably not (chkrootkit gives false positives with NPTL, basically).
What you want to do is run chkproc -v from chkrootkit, and check
/proc/<pid>/cmdline and/or ps -efT against the pids it reports.
Most likely they'll be something like nautilus and mozilla, which
do show up like that normally.
Of course if you're compromised you can't trust anything other than
booting off known-good media and checking every file you have :-/
More information about the fedora-test-list