
Re: chkrootkit-0.31 and possible bug?



> And if so, what could make chkproc think, seeing something what is
> probably not there? Perhaps some kind of runtime failure in the C code?

Well, remember that you're running on a pre-emptively scheduled system.
Processes can be created and destroyed during that code's running.
Although you didn't quite show enough to be sure that would cause it,
I'd be _very_ surprised if it wouldn't.

If you are worried, you'll need to shut down and boot off clean media
(e.g., rescue disk) and then run tripwire, chkrootkit, etc.

If you're really paranoid, you'll have to move the disk platters to
another disk, and put that in another machine ;-) [0]

Make sure you didn't forget to put a good part of /etc into tripwire
while you're at it. One of the problems with the boot scripts being
config files is that they go in /etc. Of course, on a really secure
server, nearly everything should be in tripwire.

[0] Even disks have EEPROM of some sort in them these days. It's possible
    to re-write that EEPROM to do something nasty like only show the
    trojaned sectors if the correct pattern of reads/writes shows up.
    And, of course, BIOSes can be trojaned to do all sorts of things,
    like load new microcode to the CPU.

Attachment: signature.asc
Description: This is a digitally signed message part
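
The scheduling race described in the message above, as an added example that is not part of the original post or of chkrootkit: a /proc-versus-ps comparison is repeated over several rounds, and only PIDs that are missing from ps in every round are kept. The function names and the sample PIDs are hypothetical, and the snapshots are constructed.

```python
"""Separate transient /proc-vs-ps mismatches from persistent ones (added example)."""
import os
import subprocess
import time


def proc_pids(proc_root="/proc"):
    """PIDs visible as numeric directories under /proc (Linux)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def ps_pids():
    """PIDs reported by ps; 'pid=' suppresses the header line."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def persistent_mismatches(rounds):
    """rounds: list of (proc_set, ps_set) snapshots taken some time apart.

    A PID is reported only if it is in /proc but absent from ps in every
    round. A process created or destroyed between the two listings of one
    round mismatches once and is dropped by the intersection.
    """
    suspects = None
    for in_proc, in_ps in rounds:
        missing = set(in_proc) - set(in_ps)
        suspects = missing if suspects is None else suspects & missing
    return sorted(suspects or [])


def sample_live(n=3, delay=0.5):
    """Take n snapshot pairs on the running system, delay seconds apart."""
    rounds = []
    for _ in range(n):
        rounds.append((proc_pids(), ps_pids()))
        time.sleep(delay)
    return rounds


# Constructed snapshots: 4711 appears after ps ran in round 1 (a race),
# 9001 is in /proc but never listed by ps in any round.
CONSTRUCTED_ROUNDS = [
    ({1, 200, 4711, 9001}, {1, 200}),
    ({1, 200, 9001}, {1, 200}),
    ({1, 200, 5120, 9001}, {1, 200, 5120}),
]

if __name__ == "__main__":
    print(persistent_mismatches(CONSTRUCTED_ROUNDS))
```

A PID that survives every round is a reason to do the clean-media check the message recommends, since the ps binary and /proc on the running system are the very things a rootkit would tamper with.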

