Re: chkrootkit: false positive? LKM

To: debian-user-german@lists.debian.org
Subject: Re: chkrootkit: false positive? LKM
From: Manfred Sindhoff <m.sindhoff@gmx.net>
Date: Sat, 22 May 2004 22:52:01 +0200
Message-id: <[🔎] 40AFBD71.4090903@gmx.net>
In-reply-to: <[🔎] 200405201636.03148.ggrubbish@web.de>
References: <[🔎] 200405201636.03148.ggrubbish@web.de>

Gerhard Gaussling wrote:

Hallo Liste,

ich habe hier folgendes:

chkrootkit:

Checking `lkm'... You have     9 process hidden for readdir command
You have     9 process hidden for ps command
Warning: Possible LKM Trojan installed

[...]


Muß ich mir Sorgen machen?

ciao

Gerhard


Hallo Gerhard,

bei mir sind es sogar 39 Prozesse und seit ich diese Email mit Mozillaschreibe sogar 40. Denke aber (auf Holz klopfend), daß es sich um falsepositives handelt, da chkrootkit Programm-Threads nicht erkennt, die abKernel 2.6, bzw. 2.4 mit Patch, möglich sind.

"The lkm check is known to produce false positives for NPTL kernels (2.6kernels or 2.4 with NPTL patches). Common multithreaded programs whichwill show this behaviour are slapd, mozilla and apache2 if you use oneof its threading MPMs."

(http://www.wiggy.net/debian/developer-securing/)

Gruß,

Manfred

Reply to:

Follow-Ups:
- Re: chkrootkit: false positive? LKM
  - From: Gerhard Gaussling <ggrubbish@web.de>

References:
- chkrootkit: false positive? LKM
  - From: Gerhard Gaussling <ggrubbish@web.de>

Prev by Date: Re: Debian abspecken fuer USB-Stick
Next by Date: Re: [kernelsourcen] 2.4.18bf24
Previous by thread: chkrootkit: false positive? LKM
Next by thread: Re: chkrootkit: false positive? LKM
Index(es):
- Date
- Thread