
Re: Chkrootkit - true/false ?

On Sat, May 22, 2004 at 10:03:37AM +0800, Jason Lim wrote:
> > > Checking `lkm'... You have     3 process hidden for readdir command
> > > You have     3 process hidden for ps command
> > > Warning: Possible LKM Trojan installed
> > >
> > > Sometimes chkrootkit returns nothing detected and every time rkhunter
> > > tells me nothing is wrong. Is this a false positive with chkrootkit and
> > > debian woody?

chkrootkit on nearly anything occasionally gives this false positive.
I believe it is something to do with normal processes terminating or
spawning at the time chkrootkit is looking for hidden processes. Hence
the word "Possible" in its report.

If you run chkrootkit again, you will probably not see the message
again. If you repeatedly see that message every time you run
chkrootkit, then you can start panicking.

Donovan Baarda                http://minkirri.apana.org.au/~abo/
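
The rerun advice in the message above, as an added example that is not part of the original post and is not chkrootkit's own code: it compares two views of the process table over several runs and separates PIDs that are missing from `ps` only once (processes starting or exiting between the two reads) from PIDs missing in every run. The function names and the sample PID sets are hypothetical, constructed for illustration.

```python
import os
import subprocess
import time

# Constructed sample data: (PIDs listed in /proc, PIDs printed by ps) per run.
CONSTRUCTED_SAMPLES = [
    ({1, 412, 3101, 4242}, {1, 412, 5001}),   # 3101 exited before ps ran
    ({1, 412, 3307, 4242}, {1, 412, 5002}),   # 3307 exited before ps ran
    ({1, 412, 4242},       {1, 412, 5003}),   # 4242 is still absent from ps
]

def proc_pids():
    """PIDs visible by listing /proc (the readdir view)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def ps_pids():
    """PIDs reported by the ps command."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def classify(samples):
    """Split PIDs present in /proc but absent from ps into two groups.

    persistent: missing from ps in every sample (worth investigating)
    transient:  missing in some samples only (consistent with a race)
    """
    diffs = [in_proc - in_ps for in_proc, in_ps in samples]
    if not diffs:
        return {"persistent": [], "transient": []}
    persistent = set.intersection(*diffs)
    transient = set.union(*diffs) - persistent
    return {"persistent": sorted(persistent), "transient": sorted(transient)}

def live_samples(runs=3, pause=1.0):
    """Take several live samples, pausing so short-lived processes differ."""
    samples = []
    for _ in range(runs):
        samples.append((proc_pids(), ps_pids()))
        time.sleep(pause)
    return samples

if __name__ == "__main__":
    print("constructed:", classify(CONSTRUCTED_SAMPLES))
    if os.path.isdir("/proc"):
        print("live:", classify(live_samples()))
```

Both views here are read from userland, so an empty "persistent" list only means the two views agree with each other across runs.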
