Re: chkrootkit and lkm

To: Johannes Graumann <graumann@its.caltech.edu>
Cc: debian-security@lists.debian.org
Subject: Re: chkrootkit and lkm
From: Javier Fernández-Sanguino Peña <jfs@computer.org>
Date: Wed, 26 Nov 2003 00:30:44 +0100
Message-id: <[🔎] 20031125233044.GA11696@dat.etsit.upm.es>
In-reply-to: <[🔎] 20031125121835.4f5f4a4f.graumann@its.caltech.edu>
References: <[🔎] 20031125121835.4f5f4a4f.graumann@its.caltech.edu>

On Tue, Nov 25, 2003 at 12:18:35PM -0800, Johannes Graumann wrote:
> Hello,
> 
> This is a testing/unstable system.
> 
> I was just running 'chkrootkit' and came across this warning:
> 
> > Checking `lkm'... You have     4 process hidden for ps command
> > Warning: Possible LKM Trojan installed
> 
(...)
> 
> Any comment is highly appreciated.

This is known bug in chkrootkit, it does not understand processes with pid 
'0' (kernel threads) which are not listed under /proc and emits this 
"alert".

As a matter of fact it was reported previous to the compromise. Please
check the following bugs for more information:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217278
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217278

HTH

Javi

Attachment: signature.asc
Description: Digital signature

Reply to:

References:
- chkrootkit and lkm
  - From: Johannes Graumann <graumann@its.caltech.edu>

Prev by Date: Re: Debian servers "hacked"?
Next by Date: Re: chkrootkit and lkm
Previous by thread: chkrootkit and lkm
Next by thread: Re: chkrootkit and lkm
Index(es):
- Date
- Thread