
chkrootkit detects hidden processes in mozilla-firefox and xmms



I'm not entirely sure whether this is normal behavior, a symptom of possible
badness, or simple user error.  I'm a bit worried it might mean my system
has been compromised.  Any help or explanation would be greatly appreciated.


When I run chkrootkit (0.43-1), I get nothing unusual other than the
lines:

Checking `lkm'... You have     4 process hidden for readdir command
You have     4 process hidden for ps command
Warning: Possible LKM Trojan installed

When I investigate further by running chkproc -v -v I get:

PID  4118: not in readdir output
PID  4118: not in ps output
CWD  4118: /home/rick
EXE  4118: /usr/lib/mozilla-firefox/firefox-bin
PID  4120: not in readdir output
PID  4120: not in ps output
CWD  4120: /home/rick
EXE  4120: /usr/lib/mozilla-firefox/firefox-bin
PID  4128: not in readdir output
PID  4128: not in ps output
CWD  4128: /home/rick
EXE  4128: /usr/bin/xmms
PID  4129: not in readdir output
PID  4129: not in ps output
CWD  4129: /home/rick
EXE  4129: /usr/bin/xmms
You have     4 process hidden for readdir command
You have     4 process hidden for ps command

I'm using xmms 1.2.10-1, mozilla-firefox 0.8-3, and chkrootkit 0.43-1,
all gotten from ftp.us.debian.org through apt-get.  If I exit firefox and
xmms, chkrootkit doesn't have a problem any longer, so I don't think it's
another program pretending to have a false name.
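
One way to triage chkproc output like that quoted in the message above, added here as an example and not part of the original post or of chkrootkit: parse the verbose lines, then read the Tgid field of /proc/<pid>/status for each reported PID. On Linux kernels with thread groups, a thread ID can be opened under /proc by number but is not returned when /proc is listed, so a PID whose Tgid differs from it is a thread of that process; the function names and labels are assumptions of this example.

```python
import re
from pathlib import Path

# Sample input: two of the four findings quoted in the post above.
SAMPLE = """\
PID  4118: not in readdir output
PID  4118: not in ps output
CWD  4118: /home/rick
EXE  4118: /usr/lib/mozilla-firefox/firefox-bin
PID  4128: not in readdir output
PID  4128: not in ps output
CWD  4128: /home/rick
EXE  4128: /usr/bin/xmms
"""
LINE = re.compile(r"^(PID|CWD|EXE)\s+(\d+):\s+(.*)$")

def parse_chkproc(text):
    """Group `chkproc -v -v` lines by PID."""
    findings = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        kind, pid, rest = m.group(1), int(m.group(2)), m.group(3)
        entry = findings.setdefault(pid, {"missing": set(), "cwd": None, "exe": None})
        if kind == "PID" and rest.startswith("not in "):
            entry["missing"].add(rest.split()[2])  # "readdir" or "ps"
        elif kind != "PID":
            entry[kind.lower()] = rest
    return findings

def thread_group(pid, proc="/proc"):
    """Return the Tgid from <proc>/<pid>/status, or None if it cannot be read."""
    try:
        text = Path(proc, str(pid), "status").read_text()
    except OSError:
        return None
    m = re.search(r"^Tgid:\s+(\d+)", text, re.M)
    return int(m.group(1)) if m else None

def triage(findings, proc="/proc"):
    """Label each reported PID (the labels are this example's own)."""
    report = {}
    for pid in findings:
        tgid = thread_group(pid, proc)
        label = "leader" if tgid == pid else f"thread of {tgid}"
        report[pid] = "gone" if tgid is None else label
    return report
```

A PID labelled "leader" is a full process that the directory listing missed, which is the case that deserves a closer look; "gone" means the status file could no longer be read.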



