[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Chkrootkit - true/false ?

Donovan Baarda wrote:
On Sat, May 22, 2004 at 10:03:37AM +0800, Jason Lim wrote:

Checking `lkm'... You have     3 process hidden for readdir command
You have     3 process hidden for ps command
Warning: Possible LKM Trojan installed
If you run chkrootkit again, you will probably not see the message
again. If you repeatedly see that message every time you run
chkrootkit, then you can start panicing.

This is a known bug in ps command of debian. I don't know if the sid version is updated by now, but this particular lkm - 3 process problem *will* occur again. chkrootkit gives often false positives, but this is no reason not look for a trojan. read the perl code to see what it checks. it's quite simple, it checks the existence of certain hidden directories, files or processes. try to invstigate, why they exist on your machine.


Andreas John
net-lab GmbH
Luisenstrasse 30b
63067 Offenbach
Tel: +49 69 85700331


Reply to: