
Re: Virus and file /proc/kcore



On  0, Paul Johnson <baloo@ursine.dyndns.org> wrote:
> (Please turn on your line wraps to something around 72 columns)
> On Sat, Aug 10, 2002 at 08:56:03AM -0400, colemw@cox.net wrote:
> 
> > I did a virus scan with clamscan and then f-prot.  Clamscan notified
> >  me of one virus: V801 in file /proc/kcore.  Going to this file it is
> >  VERY large (in fact takes up the majority of my partition).  I can't
> >  seem to rm or shred this file.  f-prot called it a W32 virus?  But
> >  neither application will remove the file.  It has permissions set at
> >  '-r--------' with owners root.root.  What does this file do?  Is
> >  there any way to get rid of the virus without wiping the partition
> >  which is /?  Let me know if you need more info.
> 
> My guess is this is the kernel core.  Don't worry too much about
> anything in /proc, it's a virtual filesystem containing information
> about what's going on, and does not take up disk space.  I'm going to
> hazard to guess your virus scanner saw itself when it scanned /proc.
> 
> Be aware there are a total of five viruses for Unix, three of those
> for Linux specifically, and those three target long-since-outdated
> versions of Red Hat.

Possibly you should figure out how to tell your virus scanner not to
scan /proc.

Tom
-- 
Tom Cook
Information Technology Services, The University of Adelaide

"Beware of computer programmers that carry screwdrivers."
	- Leonard Brandwein

Get my GPG public key: https://pinky.its.adelaide.edu.au/~tkcook/tom.cook-at-adelaide.edu.au
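One way to act on the suggestion above with clamscan, as an added example that is not part of the original message: read a mount table, pick out kernel-backed pseudo filesystems such as /proc, and emit one `--exclude-dir` regex per mount point. The function names, the `PSEUDO_FS` list and the sample mount table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format:
#   device  mountpoint  fstype  options  dump  pass
SAMPLE_MOUNTS='/dev/hda1 / ext2 rw 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
/dev/hda2 /home ext3 rw 0 0
devpts /dev/pts devpts rw 0 0
tmpfs /dev/shm tmpfs rw 0 0'

# Filesystem types that are views into the kernel, not files on disk
# (assumed list; extend as needed). tmpfs is left out on purpose: it
# holds ordinary user-written files in memory and is worth scanning.
PSEUDO_FS='proc sysfs devpts devtmpfs debugfs securityfs cgroup cgroup2'

# Read a mount table on stdin; print mount points whose type is in PSEUDO_FS.
pseudo_mounts() {
    while read -r _dev mnt fstype _rest; do
        case " $PSEUDO_FS " in
            *" $fstype "*) printf '%s\n' "$mnt" ;;
        esac
    done
}

# Read a mount table on stdin; print one clamscan --exclude-dir argument
# per pseudo filesystem. Each path becomes an anchored extended regex so
# that /proc is excluded but a directory such as /procedures is not.
exclude_args() {
    pseudo_mounts | while read -r mnt; do
        # Escape regex metacharacters so the path matches only itself.
        esc=$(printf '%s' "$mnt" | sed 's/[][\.*^$+?(){}|]/\\&/g')
        printf '%s\n' "--exclude-dir=^${esc}(/|\$)"
    done
}

# Show the arguments for the constructed table. On a live system, feed
# /proc/mounts instead and pass each printed line to `clamscan -r /`.
printf '%s\n' "$SAMPLE_MOUNTS" | exclude_args
```
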
