
Re: Possible LKM Trojan , Need Help - Thank You



On Sat, Nov 29, 2003 at 10:58:31AM -0500, Paul Morgan wrote:
> On Sat, 29 Nov 2003 05:49:31 -0500, Thomas H. George wrote:
> 
> > chkrootkit reported possible LKM Trojan.  4 processes hidden for ps command.
> > 
> > Before reformatting the hard drive and reinstalling Debian, started a dvd 
> > backup using growisofs.
> > The backup of /usr was successful, backup of /var failed with duplicate 
> > names in /rr_moved.
> > 
> > Obviously I would like to delete /rr_moved but it is hidden from me.  Is 
> > there any way to do this?
> > 
> > In the meantime I am continuing the backup on the assumption that I 
> > might retrieve specific files without recontaminating the system.
> > 
> > The backup of /home was successful with the warning "missing whole name 
> > for 'rr_moved'"
> > 
> > Tom
> 
> I assume that you've checked that chkrootkit didn't give you false
> positives.  If you didn't, read this (and if you did, sorry):
> 
> http://www.wiggy.net/debian/developer-securing/
> 
> -- 
> ....................paul
> 
> "The average lifespan of a Web page today is 100 days. This is no way to
> run a culture."
> 
> Internet Archive Board Chairman
> 

Thank you for the above link.  I did get your response before deleting
anything and found I had encountered a false positive.

I still must learn about the "/rr_moved" directory which blocks my
backups but this is a separate issue so I will post a separate question.

Tom