chkrootkit and lkm

To: debian-security@lists.debian.org
Subject: chkrootkit and lkm
From: Johannes Graumann <graumann@its.caltech.edu>
Date: Tue, 25 Nov 2003 12:18:35 -0800
Message-id: <[🔎] 20031125121835.4f5f4a4f.graumann@its.caltech.edu>

Hello,

This is a testing/unstable system.

I was just running 'chkrootkit' and came across this warning:

> Checking `lkm'... You have     4 process hidden for ps command
> Warning: Possible LKM Trojan installed

I did some reading and made sure the number is not changing (due to
running 'chkrootkit' while new processes are started and /proc and 'ps'
are not syncronized) - it remains 4.
I then went ahead and manually checked the output of 'ls -a /proc'
against that of 'ps -A' and found out, that there are 4 processes in
/proc  (3-6) which don't show up as PIDs in the 'ps -A' output. There
are however four processes (ksoftirqd_CPU0, kswapd, bdflush, kupdated)
in existence that show a PID of 0.
Am I right to assume that this is not the lkm kit, but rather some
weiredness in PID assignment?

The same PID thing is happening on my testing/unstable laptop -
compromised as well or something else amiss in the distro, maybe related
to the server break ins?

Any comment is highly appreciated.

Joh

Reply to:

Follow-Ups:
- Re: chkrootkit and lkm
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>
- Re: chkrootkit and lkm
  - From: "Adam D. Barratt" <debian-security@adam-barratt.org.uk>
- Re: chkrootkit and lkm
  - From: Adam Heath <doogie@debian.org>
- Re: chkrootkit and lkm
  - From: Johannes Graumann <graumann@its.caltech.edu>
- Re: chkrootkit and lkm
  - From: Andre Timmermann <_deblist.darktim@darktim.de>
- Re: chkrootkit and lkm
  - From: Bernd Eckenfels <ecki@calista.eckenfels.6bone.ka-ip.net>

Prev by Date: Re: More hacked servers?
Next by Date: Re: How efficient is mounting /usr ro?
Previous by thread: Re: Fwd: Cron <root@mars> apt-get update && apt-get -y upgrade
Next by thread: Re: chkrootkit and lkm
Index(es):
- Date
- Thread