Re: chkrootkit

["Felix C. Stegerman" <quix@free.fr>]

Micha Feigin wrote:
> On Wed, Jan 21, 2004 at 05:09:08PM -0700, Nate Duehr wrote:
>
> > On Wednesday, Jan 21, 2004, at 16:38 America/Denver, David Sanders 
> > wrote:
> >
> > > I just ran chkrootkit for the first time on a woody machine and got:
> > >
> > > Checking `lkm'... You have     1 process hidden for ps command
> > > Warning: Possible LKM Trojan installed
<snip>
> > > What are these warnings and what should I do?
> >
> > Of course you should take any and all warnings seriously until proven 
> > otherwise, but I remember seeing that exact warning from a fairly 
> > recently built box with a fairly new kernel on it and then doing some 
> > Google searching and finding out that most modern kernels will false a 
> > few warnings like that LKM Trojan warning because of some setting I 
> > don't quite remember right now.
>
> Some of the kernel thread used to show up in ps as pid 0 but they are
> actually some higher pid and thus their actual pid doesn't show up in
> ps. Thats what used to cause the problem. It currently doesn't show
> that on my system, don't know when it was changed.
>
> Check the archives, there were several threads on the subject. Don't
> remember the command but there was one of the commands I think under
> /usr/lib/chkrootkit that showed which processes it thinks are
> lkm. Maybe someone else can help.
<snip>

# chkrootkit -x lkm

Regards,


Felix

--
Felix Stegerman

the QuiX project - Open Source software
E-Mail: quix@free.fr
Web:    http://www.quix.tk/