Re: chkrootkit and lkm
Thanks to everybody who was taking the time to soothe the novice ... ;0)
Joh
On Tue, 25 Nov 2003 12:18:35 -0800
Johannes Graumann <graumann@its.caltech.edu> wrote:
> Hello,
>
> This is a testing/unstable system.
>
> I was just running 'chkrootkit' and came across this warning:
>
> > Checking `lkm'... You have 4 process hidden for ps command
> > Warning: Possible LKM Trojan installed
>
> I did some reading and made sure the number is not changing (due to
> running 'chkrootkit' while new processes are started and /proc and
> 'ps' are not synchronized) - it remains 4.
> I then went ahead and manually checked the output of 'ls -a /proc'
> against that of 'ps -A' and found out that there are 4 processes in
> /proc (3-6) which don't show up as PIDs in the 'ps -A' output. There
> are however four processes (ksoftirqd_CPU0, kswapd, bdflush, kupdated)
> in existence that show a PID of 0.
> Am I right to assume that this is not the lkm kit, but rather some
> weirdness in PID assignment?
>
> The same PID thing is happening on my testing/unstable laptop -
> compromised as well or something else amiss in the distro, maybe
> related to the server break-ins?
>
> Any comment is highly appreciated.
>
> Joh
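The manual comparison of 'ls -a /proc' against 'ps -A' described in the quoted message, as an added example that is not part of the original thread. The function names and the sample data are constructed for illustration; only the four PID-0 process names and the /proc entries 3-6 come from the report.

```shell
#!/bin/sh
# Added example: offline version of the manual /proc-vs-ps comparison.
# On a live host, capture the inputs with:
#   ls -a /proc > proc.txt; ps -A > ps.txt
LC_ALL=C; export LC_ALL   # sort and comm must agree on collation

# hidden_pids PROC_LISTING PS_OUTPUT
# Prints numeric /proc entries that never appear in the PID column of ps.
hidden_pids() {
    proc_tmp=$(mktemp); ps_tmp=$(mktemp)
    grep -E '^[0-9]+$' "$1" | sort -u > "$proc_tmp"
    awk 'NR > 1 && $1 ~ /^[0-9]+$/ { print $1 }' "$2" | sort -u > "$ps_tmp"
    comm -23 "$proc_tmp" "$ps_tmp" | sort -n
    rm -f "$proc_tmp" "$ps_tmp"
}

# pid0_rows PS_OUTPUT
# Prints the command name of every ps row whose PID column reads 0.
pid0_rows() {
    awk 'NR > 1 && $1 == "0" { print $NF }' "$1"
}

# write_sample DIR: constructed sample data modelled on the report above.
write_sample() {
    printf '%s\n' . .. 1 2 3 4 5 6 7 212 cpuinfo meminfo self > "$1/proc.txt"
    cat > "$1/ps.txt" <<'EOF'
  PID TTY          TIME CMD
    1 ?        00:00:04 init
    2 ?        00:00:00 keventd
    0 ?        00:00:00 ksoftirqd_CPU0
    0 ?        00:00:00 kswapd
    0 ?        00:00:00 bdflush
    0 ?        00:00:00 kupdated
    7 ?        00:00:00 kjournald
  212 ?        00:00:00 syslogd
EOF
}

dir=$(mktemp -d)
write_sample "$dir"
echo "In /proc but not in ps:"; hidden_pids "$dir/proc.txt" "$dir/ps.txt"
echo "ps rows reporting PID 0:"; pid0_rows "$dir/ps.txt"
rm -rf "$dir"
```

Printing the two lists side by side shows whether the number of /proc entries missing from ps matches the number of rows that ps reports with PID 0, which is the comparison the message makes by hand.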