
Re: LKM



On Monday, 2004-01-26 at 21:38:54 +0100, Yannick Roehlly wrote:
> Thiago Ribeiro <offs@fatea.br> writes:

> > Hi, when I run tiger, I got the following error: NEW: --WARN--
> > [rootkit004f] Chkrootkit has detected a possible rootkit installation
> > NEW: Warning: Possible LKM Trojan installed But I already listed my
> > processes and found nothing...  What can this be?

> Are you running nautilus?

> Apparently, some of the nautilus processes are hidden (I don't know why)
> and thus make chkrootkit complain about possible LKM infection.

> Try a: $ chkrootkit -x lkm

chkrootkit has an impedance mismatch with ps. This has been discussed
before.

antalya:~# chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v
###
PID     3: not in ps output
CWD     3: /
EXE     3: /
PID     4: not in ps output
CWD     4: /
EXE     4: /
PID     5: not in ps output
CWD     5: /
EXE     5: /
PID     6: not in ps output
CWD     6: /
EXE     6: /
You have     4 process hidden for ps command

ps -ef lists these:

root         0     1  0 Jan19 ?        00:00:00 [ksoftirqd_CPU0]
root         0     1  0 Jan19 ?        00:03:40 [kswapd]
root         0     1  0 Jan19 ?        00:00:00 [bdflush]
root         0     1  0 Jan19 ?        00:00:06 [kupdated]

So ps does not give chkrootkit a PID, but /proc has those processes.

Lupe Christoph
-- 
| lupe@lupe-christoph.de       |           http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze                         |
| "Thief of Time", Terry Pratchett                                       |
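
Added example, not part of the original message and not chkrootkit's own code: a triage of the /proc-versus-ps mismatch described above, separating PIDs that look like kernel threads from ones that deserve a closer look. The function names, the sample data and the heuristic (empty cmdline plus no resolvable exe link means kernel thread) are assumptions made for this illustration.

```python
import os

# Constructed `ps -ef` sample: the four kernel-thread lines are from the message
# above (ps prints PID 0 for them); the header and init lines are made up.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jan19 ?        00:00:04 init
root         0     1  0 Jan19 ?        00:00:00 [ksoftirqd_CPU0]
root         0     1  0 Jan19 ?        00:03:40 [kswapd]
root         0     1  0 Jan19 ?        00:00:00 [bdflush]
root         0     1  0 Jan19 ?        00:00:06 [kupdated]
"""

# Constructed /proc snapshot: pid -> (cmdline bytes, exe link target or None).
SAMPLE_PROC = {
    1: (b"init\0", "/sbin/init"),
    3: (b"", None), 4: (b"", None), 5: (b"", None), 6: (b"", None),
    999: (b"/tmp/x\0", "/tmp/x"),  # made-up user-space process missing from ps
}

def ps_pids(ps_text):
    """PIDs from column 2 of `ps -ef` output (header line skipped)."""
    rows = (line.split() for line in ps_text.splitlines()[1:])
    return {int(r[1]) for r in rows if len(r) > 1 and r[1].isdigit()}

def read_proc(root="/proc"):
    """Live snapshot in the same shape as SAMPLE_PROC (Linux only)."""
    snap = {}
    for name in filter(str.isdigit, os.listdir(root)):
        try:
            with open(f"{root}/{name}/cmdline", "rb") as f:
                cmdline = f.read()
        except OSError:
            continue  # process exited between listdir and open
        try:
            exe = os.readlink(f"{root}/{name}/exe")
        except OSError:
            exe = None  # kernel threads have no executable image
        snap[int(name)] = (cmdline, exe)
    return snap

def triage(proc_snap, ps_text):
    """Label each PID that /proc has but ps lacks (heuristic, see lead-in)."""
    seen = ps_pids(ps_text)
    return {pid: "kernel-thread" if not cmd and exe is None else "investigate"
            for pid, (cmd, exe) in sorted(proc_snap.items()) if pid not in seen}
```

On a live system, call `triage(read_proc(), ps_output)` with the captured text of `ps -ef`; run it as root so the exe links of other users' processes can be read.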


