
Re: chkrootkit and lkm

On Tue, 25 Nov 2003, Johannes Graumann wrote:

> Hello,
> This is a testing/unstable system.
> I was just running 'chkrootkit' and came across this warning:
> > Checking `lkm'... You have     4 process hidden for ps command
> > Warning: Possible LKM Trojan installed
> I did some reading and made sure the number is not changing (due to
> running 'chkrootkit' while new processes are started and /proc and 'ps'
> are not synchronized) - it remains 4.
> I then went ahead and manually checked the output of 'ls -a /proc'
> against that of 'ps -A' and found out that there are 4 processes in
> /proc (3-6) which don't show up as PIDs in the 'ps -A' output. There
> are however four processes (ksoftirqd_CPU0, kswapd, bdflush, kupdated)
> in existence that show a PID of 0.
> Am I right to assume that this is not the lkm kit, but rather some
> weirdness in PID assignment?
> The same PID thing is happening on my testing/unstable laptop -
> compromised as well or something else amiss in the distro, maybe related
> to the server break-ins?

Are you running 2.6, or the backported TLS patches on 2.4?
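As an added example, not part of the thread or of chkrootkit, the following POSIX sh script automates the check the poster did by hand: it lists the numeric entries under /proc, lists the PIDs that `ps -A` reports, and prints the difference. Because a process may start or exit between the two listings (the /proc vs. ps race the poster mentions), it takes several snapshots and reports only PIDs that are missing from ps in every one. For each persistent PID it also prints the process name from /proc/PID/status, so you can compare it against the PID-0 kernel threads ps shows, as the poster did, before treating the mismatch as evidence of an LKM. It assumes a Linux /proc and a ps that accepts `-A -o pid=`; the `--run` flag and the helper names are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): compare /proc with ps repeatedly and
# keep only PIDs that are hidden from ps in every snapshot.
# Assumes Linux /proc and a procps-style ps supporting "-A -o pid=".

# hidden_pids PROC_PIDS PS_PIDS
#   Prints, one per line, every PID in PROC_PIDS that is absent from PS_PIDS.
hidden_pids() {
    proc_pids=$1
    ps_pids=$2
    for p in $proc_pids; do
        case " $ps_pids " in
            *" $p "*) ;;          # visible to ps: fine
            *) echo "$p" ;;       # in /proc but not in ps: candidate
        esac
    done
}

# intersect LIST_A LIST_B
#   Prints every item of LIST_A that also appears in LIST_B.
intersect() {
    list_a=$1
    list_b=$2
    for x in $list_a; do
        case " $list_b " in
            *" $x "*) echo "$x" ;;
        esac
    done
}

# live_proc_pids: numeric directory names under /proc, as 'ls -a /proc' shows them
live_proc_pids() {
    for d in /proc/[0-9]*; do
        echo "${d#/proc/}"
    done | sort -n | tr '\n' ' '
}

# live_ps_pids: the PIDs 'ps -A' reports, space separated
live_ps_pids() {
    ps -A -o pid= | tr -s ' \n' ' '
}

# persistent_hidden [SAMPLES] [DELAY]
#   Takes SAMPLES snapshots DELAY seconds apart and prints the PIDs that were
#   in /proc but missing from ps in every snapshot. A PID missing from only
#   one snapshot is process churn between the two listings, not hiding.
persistent_hidden() {
    samples=${1:-3}
    delay=${2:-1}
    candidates=$(hidden_pids "$(live_proc_pids)" "$(live_ps_pids)" | tr '\n' ' ')
    i=1
    while [ "$i" -lt "$samples" ]; do
        sleep "$delay"
        now=$(hidden_pids "$(live_proc_pids)" "$(live_ps_pids)" | tr '\n' ' ')
        candidates=$(intersect "$candidates" "$now" | tr '\n' ' ')
        i=$((i + 1))
    done
    echo "$candidates"
}

# Usage: sh hiddenpids.sh --run
#   Prints "PID<TAB>name" for every persistently hidden PID (nothing if none).
if [ "${1:-}" = "--run" ]; then
    for p in $(persistent_hidden 3 1); do
        # The Name: line of /proc/PID/status lets you match the entry against
        # the kernel threads ps lists with PID 0 before suspecting an LKM.
        name=$(sed -n 's/^Name:[[:space:]]*//p' "/proc/$p/status" 2>/dev/null)
        printf '%s\t%s\n' "$p" "$name"
    done
fi
```

Run it as `sh hiddenpids.sh --run`. An empty result means every /proc entry was accounted for by ps in all snapshots; a non-empty result with names such as kswapd or bdflush points at the same ps-versus-kernel mismatch the poster describes, while an unfamiliar name that stays hidden across snapshots is what the chkrootkit warning is actually about.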
