
Re: chkrootkit



On Thursday 22 January 2004 05:05 pm, Felix C. Stegerman wrote:
> Micha Feigin wrote:
> > On Wed, Jan 21, 2004 at 05:09:08PM -0700, Nate Duehr wrote:
> >>On Wednesday, Jan 21, 2004, at 16:38 America/Denver, David Sanders
> >>wrote:
> >>>I just ran chkrootkit for the first time on a woody machine and
> >>> got:
> >>>
> >>>Checking `lkm'... You have     1 process hidden for ps command
> >>>Warning: Possible LKM Trojan installed
>
> <snip>
>
> >>>What are these warnings and what should I do?
> >>
> >>Of course you should take any and all warnings seriously until
> >> proven otherwise, but I remember seeing that exact warning from a
> >> fairly recently built box with a fairly new kernel on it and then
> >> doing some Google searching and finding out that most modern
> >> kernels will false a few warnings like that LKM Trojan warning
> >> because of some setting I don't quite remember right now.
> >
> > Some of the kernel threads used to show up in ps as pid 0 but they
> > are actually some higher pid and thus their actual pid doesn't show
> > up in ps. That's what used to cause the problem. It currently
> > doesn't show that on my system, don't know when it was changed.
> >
> > Check the archives, there were several threads on the subject.
> > Don't remember the command but there was one of the commands I
> > think under /usr/lib/chkrootkit that showed which processes it
> > thinks are lkm. Maybe someone else can help.
>
> <snip>
>
> # chkrootkit -x lkm
>
> Regards,
>
>
> Felix
I upgraded to version 0.43 of chkrootkit and the LKM hit went away;
now I am getting:

Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient-2.2.x)

Is this a problem?
-- 
David Sanders
debian@sandersweb.net
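Both warnings in this thread come from chkrootkit comparing two views of the same kernel state: the `lkm' test diffs the PIDs in /proc against what ps prints, and the `sniffer' test lists which processes hold PF_PACKET sockets (a DHCP client needs one to talk before it has an address, so the dhclient hit has a benign explanation to verify). The script below is an added example, not chkrootkit's own code; it assumes the /proc/net/packet column layout (Iface = ifindex, Inode = socket inode) and works on constructed sample data rather than a live host.

```python
import re
from typing import Dict, Iterable, List

def hidden_pids(proc_pids: Iterable[int], ps_pids: Iterable[int]) -> List[int]:
    """chkrootkit's `lkm' idea: a PID with a /proc entry that ps does not list.
    Kernel threads that old ps versions showed as pid 0 land here too, which is
    the false positive discussed above; confirm each hit before trusting it."""
    return sorted(set(proc_pids) - set(ps_pids))

def parse_proc_net_packet(text: str) -> Dict[int, int]:
    """Parse /proc/net/packet (assumed layout) into {socket inode: ifindex}."""
    inode_to_ifindex = {}
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) >= 9:
            inode_to_ifindex[int(fields[8])] = int(fields[4])
    return inode_to_ifindex

_SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")

def packet_socket_owners(proc_net_packet: str, fd_targets: Dict[int, List[str]],
                         exe_of: Dict[int, str], ifname: Dict[int, str]) -> List[str]:
    """Reproduce the `sniffer' report line, e.g. 'eth0: PF_PACKET(/sbin/dhclient)'.
    fd_targets: pid -> readlink() results of /proc/<pid>/fd/*; exe_of: pid ->
    /proc/<pid>/exe target; ifname: ifindex -> name (ifindex 0 = unbound, 'any')."""
    inode_to_ifindex = parse_proc_net_packet(proc_net_packet)
    reports = set()
    for pid, targets in fd_targets.items():
        for target in targets:
            m = _SOCKET_RE.match(target)
            if m and int(m.group(1)) in inode_to_ifindex:
                iface = ifname.get(inode_to_ifindex[int(m.group(1))], "any")
                reports.add(f"{iface}: PF_PACKET({exe_of.get(pid, f'pid {pid}')})")
    return sorted(reports)

# Constructed sample input (not captured from a real host): one packet socket
# bound to ifindex 2 (eth0) owned by dhclient, one unbound socket owned by tcpdump.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
f0a1b2c3 3      3    0003   2     1 0      0      12345
f0a1b2c4 3      3    0003   0     1 0      0      67890
"""
SAMPLE_FD_TARGETS = {1234: ["/dev/null", "socket:[12345]"], 4321: ["socket:[67890]"]}
SAMPLE_EXE = {1234: "/sbin/dhclient", 4321: "/usr/sbin/tcpdump"}
SAMPLE_IFNAME = {2: "eth0"}

if __name__ == "__main__":
    print("hidden:", hidden_pids([1, 2, 3, 4321], [1, 3, 4321]))
    for line in packet_socket_owners(SAMPLE_PROC_NET_PACKET, SAMPLE_FD_TARGETS,
                                     SAMPLE_EXE, SAMPLE_IFNAME):
        print("Checking `sniffer'...", line)
```

On a live Linux host the same functions take `os.listdir('/proc')`, the output of `ps -e`, `open('/proc/net/packet').read()` and `os.readlink` over each `/proc/<pid>/fd` entry; any owner you cannot account for (unlike dhclient here) is what deserves the follow-up.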
