LKM?
Running Debian Sid.
chkrootkit-0.42b reports:
Checking `lkm'... You have 4 process hidden for ps command
Warning: Possible LKM Trojan installed
There are four PIDs which report as '0':
lappy:~$ ps ax
PID TTY STAT TIME COMMAND
1 ? S 0:04 init [2]
2 ? SW 0:00 [keventd]
3 ? SW 0:00 [kapmd]
0 ? SWN 0:00 [ksoftirqd_CPU0]
0 ? SW 0:00 [kswapd]
0 ? SW 0:00 [bdflush]
0 ? SW 0:00 [kupdated]
/proc/ shows the following processes: 4, 5, 6, and 7 which appear to be
the ones showing up as '0'.
lappy:/proc/4$ ls -al
ls: cannot read symbolic link cwd: Permission denied
ls: cannot read symbolic link root: Permission denied
ls: cannot read symbolic link exe: Permission denied
total 0
dr-xr-xr-x 3 root root 0 2003-11-28 11:01 ./
dr-xr-xr-x 75 root root 0 2003-11-28 10:13 ../
-r--r--r-- 1 root root 0 2003-11-28 11:02 cmdline
lrwxrwxrwx 1 root root 0 2003-11-28 11:02 cwd
-r-------- 1 root root 0 2003-11-28 11:02 environ
lrwxrwxrwx 1 root root 0 2003-11-28 11:02 exe
dr-x------ 2 root root 0 2003-11-28 11:02 fd/
-r--r--r-- 1 root root 0 2003-11-28 11:02 maps
-rw------- 1 root root 0 2003-11-28 11:02 mem
-r--r--r-- 1 root root 0 2003-11-28 11:02 mounts
lrwxrwxrwx 1 root root 0 2003-11-28 11:02 root
-r--r--r-- 1 root root 0 2003-11-28 11:02 stat
-r--r--r-- 1 root root 0 2003-11-28 11:02 statm
-r--r--r-- 1 root root 0 2003-11-28 11:02 status
The links cwd, root, and exe appear to be broken.
Is this a problem? Or is this normal for Sid? Maybe devfs related?
Thoughts and suggestions would be helpful. Thanks.
Kevin C. Smith
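
The comparison that the "process hidden for ps command" message describes, as an added example that is not part of the original post and not chkrootkit's own code: it lists the PIDs present under /proc that `ps ax` does not print, and the rows where ps printed PID 0. The function names and the SAMPLE_* variables are hypothetical; the sample data is constructed from the output quoted in the post, with the /proc list limited to the PIDs the post mentions.

```shell
#!/bin/sh
# Constructed sample: the `ps ax` rows quoted in the post.
SAMPLE_PS='  PID TTY STAT TIME COMMAND
    1 ? S 0:04 init [2]
    2 ? SW 0:00 [keventd]
    3 ? SW 0:00 [kapmd]
    0 ? SWN 0:00 [ksoftirqd_CPU0]
    0 ? SW 0:00 [kswapd]
    0 ? SW 0:00 [bdflush]
    0 ? SW 0:00 [kupdated]'
# Constructed sample: numeric directory names under /proc (only the PIDs the post mentions).
SAMPLE_PROC_PIDS='1 2 3 4 5 6 7'

# ps_pids: read `ps ax` output on stdin, print the PID column without the header.
ps_pids() { awk 'NR > 1 && $1 ~ /^[0-9]+$/ { print $1 }'; }

# hidden_pids PS_TEXT PROC_PIDS: print every PID that exists under /proc
# but is missing from the ps listing.
hidden_pids() {
    listed=$(printf '%s\n' "$1" | ps_pids)
    for pid in $2; do
        printf '%s\n' "$listed" | grep -qx "$pid" || printf '%s\n' "$pid"
    done
}

# zero_pid_rows PS_TEXT: print the command name of each row where ps showed PID 0.
# Four such rows next to four unlisted /proc PIDs means the two counts line up,
# which is worth knowing before treating the warning as evidence of a hidden process.
zero_pid_rows() { printf '%s\n' "$1" | awk 'NR > 1 && $1 == 0 { print $NF }'; }

# Live use on a running system (the two snapshots are taken at different times,
# so a process that starts or exits in between can show up as a mismatch):
#   hidden_pids "$(ps ax)" "$(ls /proc | grep -E '^[0-9]+$')"

echo "In /proc but not listed by ps:"
hidden_pids "$SAMPLE_PS" "$SAMPLE_PROC_PIDS"
echo "Rows ps printed with PID 0:"
zero_pid_rows "$SAMPLE_PS"
```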