
Re: chkrootkit and lkm



On Tue, 2003-11-25 at 20:18, Johannes Graumann wrote:
[...]
> I was just running 'chkrootkit' and came across this warning:
> 
> > Checking `lkm'... You have     4 process hidden for ps command
> > Warning: Possible LKM Trojan installed
[...]
> I then went ahead and manually checked the output of 'ls -a /proc'
> against that of 'ps -A' and found out that there are 4 processes in
> /proc  (3-6) which don't show up as PIDs in the 'ps -A' output. There
> are however four processes (ksoftirqd_CPU0, kswapd, bdflush, kupdated)
> in existence that show a PID of 0.
> Am I right to assume that this is not the lkm kit, but rather some
> weirdness in PID assignment?

Yes. Well, rather to do with how `ps' handles the processes in question.

> The same PID thing is happening on my testing/unstable laptop -
> compromised as well or something else amiss in the distro, maybe related
> to the server break ins?

It's nothing at all to do with the compromise, and everything to do with
<URL:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217525> (`ps shows
incorrect pid value') and
<URL:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217278>
(`chkrootkit: doesn't work too well with kernel threads').

(FWIW, the bugs were filed 31 and 33 days ago, against procps and
chkrootkit respectively, and
<URL:http://bugs.debian.org/{procps,chkrootkit}> is currently
operational, although lacking a record of activity since late last
week.)

Your machine is behaving no more strangely than thousands of other
sarge/sid boxes. :-)

Adam
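The comparison Johannes did by hand (numeric entries under /proc versus the PIDs in `ps -A`) is what chkrootkit's `lkm' test reduces to, and the thread shows the one benign way it fires: kernel threads that a buggy procps prints with PID 0. The script below is an added example, not chkrootkit's or procps's code. It runs that comparison over a constructed /proc listing and constructed `ps -A` output that reproduce the thread's situation, and separates "every missing PID is matched by a PID-0 line from ps" (the procps bug) from "more PIDs are missing than ps mis-reports" (worth a closer look). The function and field names are the example's own.

```python
"""Cross-check /proc against `ps -A`, the way chkrootkit's `lkm' test does,
and tell the kernel-thread/PID-0 reporting bug apart from a real mismatch.

Added example, not chkrootkit's or procps's code.  The sample data is
constructed: PIDs 3-6 are kernel threads that ps lists with PID 0.
"""
from dataclasses import dataclass

# Constructed sample of `ls -a /proc` (only numeric entries are PIDs).
SAMPLE_PROC_ENTRIES = [".", "..", "1", "2", "3", "4", "5", "6", "7", "42",
                       "cpuinfo", "meminfo", "self"]

# Constructed sample of `ps -A` output showing the procps bug from the
# thread: four kernel threads printed with PID 0 instead of 3-6.
SAMPLE_PS_OUTPUT = """\
  PID TTY          TIME CMD
    1 ?        00:00:04 init
    2 ?        00:00:00 keventd
    0 ?        00:00:00 ksoftirqd_CPU0
    0 ?        00:00:00 kswapd
    0 ?        00:00:00 bdflush
    0 ?        00:00:00 kupdated
    7 ?        00:00:00 kjournald
   42 ?        00:00:01 sshd
"""


@dataclass
class LkmCheckResult:
    missing_from_ps: list   # PIDs present in /proc but absent from ps output
    pid_zero_cmds: list     # command names that ps reported with PID 0
    unexplained: int        # missing PIDs not accounted for by PID-0 lines
    verdict: str            # "clean", "kernel-threads-misreported" or
                            # "possible-hidden-process"


def proc_pids(entries):
    """Numeric /proc entries, i.e. the PIDs the kernel itself exposes."""
    return sorted(int(e) for e in entries if e.isdigit())


def parse_ps(output):
    """Return (set of PIDs ps printed, list of commands it printed with PID 0).

    Assumes the default `ps -A` column layout: PID TTY TIME CMD.
    """
    pids, zero_cmds = set(), []
    for line in output.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4 or not parts[0].isdigit():
            continue  # header line or something unparsable
        pid, cmd = int(parts[0]), parts[3]
        if pid == 0:
            zero_cmds.append(cmd)
        else:
            pids.add(pid)
    return pids, zero_cmds


def lkm_check(proc_entries, ps_output):
    """Flag PIDs visible in /proc that ps does not report.

    If every missing PID is matched one-for-one by a PID-0 line, the
    explanation in the thread (procps mis-reporting kernel threads) fits
    and the result is not treated as a hidden process.
    """
    ps_pids, zero_cmds = parse_ps(ps_output)
    missing = [p for p in proc_pids(proc_entries) if p not in ps_pids]
    explained = min(len(missing), len(zero_cmds))
    unexplained = len(missing) - explained
    if not missing:
        verdict = "clean"
    elif unexplained == 0:
        verdict = "kernel-threads-misreported"
    else:
        verdict = "possible-hidden-process"
    return LkmCheckResult(missing, zero_cmds, unexplained, verdict)


def live_check():
    """Run the same comparison on the local host (Linux with procps only)."""
    import os
    import subprocess
    entries = os.listdir("/proc")
    out = subprocess.run(["ps", "-A"], capture_output=True, text=True,
                         check=True).stdout
    return lkm_check(entries, out)


if __name__ == "__main__":
    r = lkm_check(SAMPLE_PROC_ENTRIES, SAMPLE_PS_OUTPUT)
    print(f"missing from ps: {r.missing_from_ps}")
    print(f"ps PID-0 entries: {r.pid_zero_cmds}")
    print(f"verdict: {r.verdict} ({r.unexplained} unexplained)")
```

On the sample data the result is four missing PIDs (3-6) matched by four PID-0 lines, so the verdict is the benign one from the thread. Add a numeric /proc entry that ps omits without a corresponding PID-0 line and the count no longer balances, which is the case a manual follow-up (for instance reading `/proc/<pid>/status` directly) should be reserved for. `live_check()` does the same against the running system and will only be meaningful on a Linux host with procps installed.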