Re: Possible LKM Trojan , Need Help

To: debian-user@lists.debian.org
Subject: Re: Possible LKM Trojan , Need Help
From: Paul Morgan <paulswm@earthlink.net>
Date: Sat, 29 Nov 2003 10:58:31 -0500
Message-id: <[🔎] pan.2003.11.29.15.58.26.828823@earthlink.net>
References: <[🔎] 3FC879BB.6010007@spininternet.com>

On Sat, 29 Nov 2003 05:49:31 -0500, Thomas H. George wrote:

> chkrootkit reported possible LKM Trojan.  4 processes hidden for ps command.
> 
> Before reformating the hard drive and reinstalling Debian, started a dvd 
> backup using growisofs.
> The backup of /usr was successful, backup of /var failed with duplicate 
> names in /rr_moved.
> 
> Obviously I would like to delete /rr_moved but it is hidden from me.  Is 
> there any way to do this?
> 
> In the mean time I am continuing the backup on the assumption that I 
> might retrieve specific files without reconatiminating the system.
> 
> The backup of /home was successful with the warning "missing whole name 
> for 'rr_moved'"
> 
> Tom

I assume that you've checked that chkrootkit didn't give you false
positives.  If you didn't, read this (and if you did, sorry):

http://www.wiggy.net/debian/developer-securing/

-- 
....................paul

"The average lifespan of a Web page today is 100 days. This is no way to
run a culture."

Internet Archive Board Chairman

Reply to:

Follow-Ups:
- Re: Possible LKM Trojan , Need Help - Thank You
  - From: "Thomas H. George" <tom@spininternet.com>

References:
- Possible LKM Trojan , Need Help
  - From: "Thomas H. George" <xyz@spininternet.com>

Prev by Date: Re: How to get away with small /var partition
Next by Date: Re: Possible LKM Trojan , Need Help
Previous by thread: Re: Possible LKM Trojan , Need Help
Next by thread: Re: Possible LKM Trojan , Need Help - Thank You
Index(es):
- Date
- Thread