
Re: chkrootkit and lkm



On Tue, 25.11.2003 at 21:18, Johannes Graumann wrote:

> I was just running 'chkrootkit' and came across this warning:
> 
> > Checking `lkm'... You have     4 process hidden for ps command
> > Warning: Possible LKM Trojan installed

The same here (debian_sid):

root@host:~# chkrootkit lkm
ROOTDIR is `/'
Checking `lkm'... You have     5 process hidden for ps command
Warning: Possible LKM Trojan installed
root@host:~#

> Am I right to assume that this is not the lkm kit, but rather some
> weirdness in PID assignment?
> 
> The same PID thing is happening on my testing/unstable laptop -
> compromised as well or something else amiss in the distro, maybe related
> to the server break ins?

I do not think that it is a problem due to the compromised servers,
because I noticed this on machines which had not been updated since
these server hacks. I think this is a bug in the chkrootkit package,
although it has not been reported on the bug list.

But please be careful, it is only my opinion, I will not guarantee that
the hack is not the cause of the problem ;)

Greetz,
Andre


-- 
BOFH-excuse of the day: Traceroute says that there is a routing problem
in the backbone. It's not our problem.


