Re: LKM?
On Fri, Nov 28, 2003 at 11:00:10AM -0600, Kevin C. Smith wrote:
Not a problem.
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=utf-8&threadm=3d9c250c.0311132131.7dae9e79%40posting.google.com&rnum=2&prev=/groups%3Fq%3D%2522possible%2Blkm%2Btrojan%2522%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3Dutf-8%26selm%3D3d9c250c.0311132131.7dae9e79%2540posting.google.com%26rnum%3D2
> Running Debian Sid.
>
> chkrootkit-0.42b reports:
>
> Checking `lkm'... You have 4 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> There are four PIDs which report as '0'
>
> lappy:~$ ps ax
> PID TTY STAT TIME COMMAND
> 1 ? S 0:04 init [2]
> 2 ? SW 0:00 [keventd]
> 3 ? SW 0:00 [kapmd]
> 0 ? SWN 0:00 [ksoftirqd_CPU0]
> 0 ? SW 0:00 [kswapd]
> 0 ? SW 0:00 [bdflush]
> 0 ? SW 0:00 [kupdated]
>
> /proc/ shows the following processes: 4, 5, 6, and 7 which appear to be
> the ones showing up as '0'.
>
> lappy:/proc/4$ ls -al
> ls: cannot read symbolic link cwd: Permission denied
> ls: cannot read symbolic link root: Permission denied
> ls: cannot read symbolic link exe: Permission denied
> total 0
> dr-xr-xr-x 3 root root 0 2003-11-28 11:01 ./
> dr-xr-xr-x 75 root root 0 2003-11-28 10:13 ../
> -r--r--r-- 1 root root 0 2003-11-28 11:02 cmdline
> lrwxrwxrwx 1 root root 0 2003-11-28 11:02 cwd
> -r-------- 1 root root 0 2003-11-28 11:02 environ
> lrwxrwxrwx 1 root root 0 2003-11-28 11:02 exe
> dr-x------ 2 root root 0 2003-11-28 11:02 fd/
> -r--r--r-- 1 root root 0 2003-11-28 11:02 maps
> -rw------- 1 root root 0 2003-11-28 11:02 mem
> -r--r--r-- 1 root root 0 2003-11-28 11:02 mounts
> lrwxrwxrwx 1 root root 0 2003-11-28 11:02 root
> -r--r--r-- 1 root root 0 2003-11-28 11:02 stat
> -r--r--r-- 1 root root 0 2003-11-28 11:02 statm
> -r--r--r-- 1 root root 0 2003-11-28 11:02 status
>
> The links cwd, root, and exe appear to be broken.
>
> Is this a problem? Or is this normal for Sid? Maybe devfs related?
>
> Thoughts and suggestions would be helpful. Thanks.
>
>
> Kevin C. Smith
- References:
- LKM?
- From: "Kevin C. Smith" <smithkevinc@mchsi.com>
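
The warning quoted above comes from PIDs that exist under /proc but are missing from the ps listing. The following triage sketch is an added example, not part of the original thread and not chkrootkit's code: it checks whether every such PID is accounted for by a ps row that printed PID 0 with a bracketed kernel-thread name and has an empty /proc/<pid>/cmdline. The names parse_ps, read_proc and triage are hypothetical, and the cmdline values in the sample are assumed.

```python
import os

# Constructed sample: the `ps ax` rows and /proc entries quoted in this thread.
SAMPLE_PS = """PID TTY STAT TIME COMMAND
1 ? S 0:04 init [2]
2 ? SW 0:00 [keventd]
3 ? SW 0:00 [kapmd]
0 ? SWN 0:00 [ksoftirqd_CPU0]
0 ? SW 0:00 [kswapd]
0 ? SW 0:00 [bdflush]
0 ? SW 0:00 [kupdated]
"""
# Assumed cmdline contents: empty for kernel threads, non-empty for init.
SAMPLE_PROC = {1: b"init [2]", 2: b"", 3: b"", 4: b"", 5: b"", 6: b"", 7: b""}

def parse_ps(text):
    """Return [(pid, command)] from `ps ax` output, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split(None, 4)
        if len(fields) == 5 and fields[0].isdigit():
            rows.append((int(fields[0]), fields[4]))
    return rows

def read_proc():
    """Live equivalent of SAMPLE_PROC: {pid: cmdline bytes} from /proc."""
    out = {}
    for name in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{name}/cmdline", "rb") as fh:
                out[int(name)] = fh.read()
        except OSError:
            pass  # process exited between listdir and open
    return out

def triage(ps_text, proc):
    """Compare /proc PIDs with ps rows and explain the mismatch if possible."""
    rows = parse_ps(ps_text)
    hidden = sorted(set(proc) - {pid for pid, _ in rows})
    zero = [cmd for pid, cmd in rows if pid == 0]
    # Benign only if each hidden PID pairs with a PID-0 kernel-thread row.
    benign = (bool(hidden) and len(hidden) == len(zero)
              and all(c.startswith("[") and c.endswith("]") for c in zero)
              and all(proc[p] == b"" for p in hidden))
    return {"hidden": hidden, "pid0_rows": zero,
            "verdict": "ps-misreport" if benign else "investigate"}

if __name__ == "__main__":
    print(triage(SAMPLE_PS, SAMPLE_PROC))
```

A verdict of investigate means the PID-0 rows do not explain the mismatch, so the remaining hidden PIDs need a closer look with a ps binary from trusted media.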