
Re: My machine compromised?



On Wed, Dec 03, 2003 at 01:03:34AM -0800, Vanh Phom wrote:
> Hi folks,
> After reading a report of servers being compromised, just out of curiosity I
> ran chkrootkit on my own machine and came up with this result:
> 
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... not infected
> Checking `lkm'... You have    12 process hidden for readdir command
> You have    12 process hidden for ps command
> Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... 
> eth0: PROMISC
> 
> Is my machine compromised? How to fix this?
> 
> Vanh
> 

If it's unstable, then there is a bug with chkrootkit.
Do a ps ax and see how many processes you have with pid 0. I don't
remember the criterion, but some processes owned by the kernel are
started with the kernel's pid, which is 0 (I hope I am not mixing things
up, but that is the essential idea; search the archives on this if you
want the exact story).
Also try running  /usr/lib/chkrootkit/chkproc -v  and it will tell you
exactly which processes are seen as hidden. You can then try to do:
cat /proc/<pid>/status (hoping that wasn't compromised if the computer
was, which it probably wasn't) to see what the process actually is.
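The check described in the reply, as an added example that is not part of the original thread and not chkrootkit's own chkproc code: list the PIDs that appear in /proc but not in the output of ps (which is how chkproc arrives at its "hidden process" count), then read each hidden PID's /proc/<pid>/status to see what it is. The heuristic used to separate kernel threads from processes worth a closer look is that a kernel thread has no user address space and therefore no VmSize line in its status file; the sample status files, PID sets and the helper names (hidden_pids, explain_hidden, demo) are constructed for this example.

```python
#!/usr/bin/env python3
"""Cross-check /proc against ps the way chkproc does, then explain each
"hidden" PID from its /proc/<pid>/status file.

Added example; not code from the original thread or from chkrootkit.
"""
import os
import re
import subprocess

# Constructed sample data (not taken from any real system):
# PID 2 and 42 are kernel threads (no VmSize line), PID 4242 is an ordinary
# user process, and PID 777 exited between the two snapshots.
SAMPLE_STATUS = {
    2: "Name:\tkthreadd\nState:\tS (sleeping)\nPid:\t2\nPPid:\t0\n",
    42: "Name:\tkworker/0:1\nState:\tS (sleeping)\nPid:\t42\nPPid:\t2\n",
    4242: "Name:\tbash\nState:\tS (sleeping)\nPid:\t4242\nPPid:\t1\nVmSize:\t   5120 kB\n",
}
SAMPLE_PROC_PIDS = {1, 2, 42, 777, 4242}   # what readdir("/proc") returned
SAMPLE_PS_PIDS = {1}                         # what ps reported (constructed)


def pids_from_proc(proc_root="/proc"):
    """PIDs visible via readdir() on /proc (chkproc's 'readdir' view)."""
    return {int(d) for d in os.listdir(proc_root) if d.isdigit()}


def pids_from_ps():
    """PIDs reported by ps (chkproc's 'ps' view), kernel threads included."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc that ps did not list; chkproc calls these hidden."""
    return sorted(proc_pids - ps_pids)


def parse_status(text):
    """Turn the 'Key:\tvalue' lines of a /proc/<pid>/status file into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z_]+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def classify(fields):
    """A task without VmSize has no user address space: a kernel thread.
    Anything else is left for the administrator to review."""
    return "kernel-thread" if "VmSize" not in fields else "review"


def explain_hidden(hidden, status_reader):
    """Return (pid, name, ppid, verdict) per hidden PID.  status_reader(pid)
    returns the status file text, or None if the PID no longer exists, which
    is what happens when a process exits between the /proc and ps snapshots
    (a common source of chkproc noise)."""
    rows = []
    for pid in hidden:
        text = status_reader(pid)
        if text is None:
            rows.append((pid, "?", "?", "exited"))
            continue
        f = parse_status(text)
        rows.append((pid, f.get("Name", "?"), f.get("PPid", "?"), classify(f)))
    return rows


def read_live_status(pid):
    """Read /proc/<pid>/status on a real system; None if the PID is gone."""
    try:
        with open("/proc/%d/status" % pid) as fh:
            return fh.read()
    except (FileNotFoundError, ProcessLookupError):
        return None


def demo():
    """Run the cross-check over the constructed sample data."""
    hidden = hidden_pids(SAMPLE_PROC_PIDS, SAMPLE_PS_PIDS)
    return explain_hidden(hidden, SAMPLE_STATUS.get)


if __name__ == "__main__":
    if os.path.isdir("/proc"):
        live = hidden_pids(pids_from_proc(), pids_from_ps())
        rows = explain_hidden(live, read_live_status)
    else:
        rows = demo()
    for row in rows:
        print("pid %-6s name %-16s ppid %-5s %s" % row)
```

On a live Linux host the script takes the /proc and ps snapshots itself; the constructed data only drives the offline demo. Because the two snapshots are not atomic, any PID that exits in between shows up as "exited" rather than as a hidden process, which is the benign case the reply suspects; rows marked "review" are the ones worth inspecting by hand.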
