This one time, at band camp, alex said:
> Okay, another question about chkrootkit:
> Has anyone ever found a false positive with it?
>
> It tells me I might have an LKM rootkit on a heavily loaded box. I find
> that hard to believe since I would've seen many boxes coming down
> before this one.

I get that one fairly frequently.  There is a race condition in the LKM
test, where it first takes the output of ps, and then compares it to
readdir.  It also (in the past, I haven't looked recently) handled
threaded apps badly, and declared processes with multiple LWP ids to be
separate pids, hidden from ps.  There are also several port based tests
that break with various IDS software.  I think either README or
README.Debian has some discussion of these issues.

Take care,
-- 
-----------------------------------------------------------------
|  ,''`.                                           Stephen Gran |
| : :' :                                       sgran@debian.org |
| `. `'                          Debian user, admin, and developer |
|   `-                                      http://www.debian.org |
-----------------------------------------------------------------
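The two false-positive sources Stephen describes (the ps-then-readdir race, and thread IDs counted as separate hidden pids) can be reproduced and filtered with a second sample. The script below is an added illustration written for this page, not chkrootkit's own chkproc code; it assumes a Linux /proc with a `Tgid:` line in `/proc/<pid>/status` and a procps-style `ps` that accepts `-e -o pid=`. The `triage()` function takes the two snapshots as plain sets so it can be exercised offline with constructed pid sets; `check_live()` wires it to the running host.

```python
"""Reproduce a chkrootkit-style 'pid in /proc but not in ps' check and
show why a single pass misfires under load (race) and with threaded
programs (LWPs), then filter both with a second sample.

Added example for this thread; not chkrootkit's code.  Assumes Linux
/proc with a Tgid: field and a procps-compatible ps.
"""
import os
import subprocess
import time


def proc_pids():
    """PIDs visible through readdir() of /proc.  On a modern kernel only
    thread-group leaders are listed; on the old LinuxThreads model every
    LWP had its own /proc entry, which is the second failure mode below."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def ps_pids():
    """PIDs ps reports in one pass (processes only, header suppressed)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def tgid_of(pid):
    """Thread-group id from /proc/<pid>/status, or None if the task is gone.
    A task whose Tgid differs from its pid is a thread (LWP), not a process."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError):
        return None
    return None


def naive_hidden(readdir_set, ps_set):
    """The single-pass verdict: every pid in /proc that ps did not list."""
    return readdir_set - ps_set


def triage(hidden, ps_first, ps_second, tgid_lookup, alive):
    """Sort each naively 'hidden' pid into one of three buckets.

    race    - ps lists it on a second pass, or it is gone when we look
              again (created or exited between the ps and readdir samples)
    thread  - an LWP whose thread-group leader ps does list
    suspect - still present, still absent from ps, not a known thread

    Only 'suspect' deserves a rootkit investigation.
    """
    verdict = {}
    for pid in sorted(hidden):
        if pid in ps_second or not alive(pid):
            verdict[pid] = "race"
            continue
        tgid = tgid_lookup(pid)
        if tgid is not None and tgid != pid and tgid in (ps_first | ps_second):
            verdict[pid] = "thread"
        else:
            verdict[pid] = "suspect"
    return verdict


def check_live(settle=0.5):
    """Run the comparison on this host in the same order as the original
    test (ps first, then readdir), then re-sample to filter the race."""
    ps_first = ps_pids()
    readdir_set = proc_pids()       # anything forked since ps ran shows up here
    hidden = naive_hidden(readdir_set, ps_first)
    time.sleep(settle)
    ps_second = ps_pids()
    still_there = proc_pids()
    return triage(hidden, ps_first, ps_second, tgid_of,
                  lambda pid: pid in still_there)


if __name__ == "__main__":
    for pid, why in check_live().items():
        print(f"{pid:>7}  {why}")
```

On a busy box the first pass usually reports a handful of "hidden" pids and the second sample reclassifies all of them as `race`; a pid that survives as `suspect` across several runs is the one worth comparing against `/proc/<pid>/exe` and `/proc/<pid>/cmdline` by hand.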