Re: chkrootkit and lkm
Am Di, den 25.11.2003 schrieb Johannes Graumann um 21:18:
> I was just running 'chkrootkit' and came across this warning:
>
> > Checking `lkm'... You have 4 process hidden for ps command
> > Warning: Possible LKM Trojan installed
The same here (debian_sid):
root@host:~# chkrootkit lkm
ROOTDIR is `/'
Checking `lkm'... You have 5 process hidden for ps command
Warning: Possible LKM Trojan installed
root@host:~#
> Am I right to assume that this is not the lkm kit, but rather some
> weiredness in PID assignment?
>
> The same PID thing is happening on my testing/unstable laptop -
> compromised as well or something else amiss in the distro, maybe related
> to the server break ins?
I do not think that it is a problem due to the compromised servers,
because I noticed this on machines, which had been not updated since
these serverhacks. I think this is a bug in the chkrootkit-package,
although it has not been reported on the buglist.
But please be carefull, it is only my opinion, I will not guarantee that
the hack is not the cause of the problem ;)
Greetz,
Andre
--
BOFH-excuse of the day: Traceroute says that there is a routing problem
in the backbone. It's not our problem.
Reply to: