Re: chkrootkit and linux 2.6

To: Paul Norris <paul@sanjuro.org>
Cc: debian-security@lists.debian.org
Subject: Re: chkrootkit and linux 2.6
From: Miek Gieben <miekg@atoom.net>
Date: Thu, 4 Dec 2003 07:48:23 +0100
Message-id: <[🔎] 20031204064823.GA21252@atoom.net>
In-reply-to: <[🔎] 1070519072.785.4.camel@localhost>
References: <[🔎] 20031202173231.GA11329@atoom.net> <[🔎] 1070519072.785.4.camel@localhost>

[On 04 Dec, @07:24, Paul wrote in "Re: chkrootkit and linux 2.6 ..."]
>    I see this same behavior with 2.6.0-test8.  Chkrookit comes up with 42
>    processes possibly caused by LKM rootkit.  I would have 69 processes
>    running with 42 of them owned by root.  When I boot back to 2.4.23, it
>    comes up with the 4 mentioned in the bug.  I'm no Linux master by any
>    means, but I'm just guessing that being owned by root is the kicker in
>    this instance.  Either that, or I'm screwed ;)

a 'chkrootkit -x lkm' was helpfull for me in this case - looks like the
lkm test is fooled by threaded applications: xmms, named, etc...

On my laptop killing X was enough the shut chkrootkit up:
with X: 2 hidden processes
without: none

grtz Miek

Reply to:

References:
- chkrootkit and linux 2.6
  - From: Miek Gieben <miekg@atoom.net>
- Re: chkrootkit and linux 2.6
  - From: Paul Norris <paul@sanjuro.org>

Prev by Date: Re: chkrootkit and linux 2.6
Next by Date: some questions about suckit
Previous by thread: Re: chkrootkit and linux 2.6
Next by thread: do_brk-bug internals?
Index(es):
- Date
- Thread