chkrootkit detects hidden processes in mozilla-firefox and xmms

I'm not entirely sure whether this is normal behavior, a symptom of possible
badness, or simple user error. I'm a bit worried it might mean my system
has been compromised. Any help or explanation would be greatly appreciated.

When I run chkrootkit (0.43-1), I get nothing unusual other than the
lines:

Checking `lkm'... You have 4 process hidden for readdir command
You have 4 process hidden for ps command
Warning: Possible LKM Trojan installed

When I investigate further by running chkproc -v -v I get:

PID 4118: not in readdir output
PID 4118: not in ps output
CWD 4118: /home/rick
EXE 4118: /usr/lib/mozilla-firefox/firefox-bin
PID 4120: not in readdir output
PID 4120: not in ps output
CWD 4120: /home/rick
EXE 4120: /usr/lib/mozilla-firefox/firefox-bin
PID 4128: not in readdir output
PID 4128: not in ps output
CWD 4128: /home/rick
EXE 4128: /usr/bin/xmms
PID 4129: not in readdir output
PID 4129: not in ps output
CWD 4129: /home/rick
EXE 4129: /usr/bin/xmms
You have 4 process hidden for readdir command
You have 4 process hidden for ps command

I'm using xmms 1.2.10-1, mozilla-firefox 0.8-3, and chkrootkit 0.43-1,
all gotten from ftp.us.debian.org through apt-get. If I exit firefox and
xmms, chkrootkit doesn't have a problem any longer, so I don't think it's
another program pretending to have a false name.
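
A triage helper for output like the above, added here as an example and not part of the original post or of chkrootkit: it parses `chkproc -v -v` lines and, for each flagged ID, compares `Tgid` with `Pid` in `/proc/<id>/status` to tell a thread of another process from a process leader. The function names and the embedded sample are assumptions made for illustration; whether the IDs in the post are threads is not established by the page.

```python
import re
from collections import defaultdict
# Constructed sample: the first two entries of the `chkproc -v -v` output in the post.
SAMPLE = """\
PID 4118: not in readdir output
PID 4118: not in ps output
CWD 4118: /home/rick
EXE 4118: /usr/lib/mozilla-firefox/firefox-bin
PID 4120: not in readdir output
PID 4120: not in ps output
CWD 4120: /home/rick
EXE 4120: /usr/lib/mozilla-firefox/firefox-bin
"""
LINE = re.compile(r"^(PID|CWD|EXE)\s+(\d+):\s+(.*)$")

def parse_chkproc(text):
    """Return {pid: {"missing": set, "cwd": str, "exe": str}} from chkproc -v -v output."""
    found = defaultdict(lambda: {"missing": set(), "cwd": None, "exe": None})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # summary lines such as "You have 4 process hidden ..."
        kind, pid, rest = m.group(1), int(m.group(2)), m.group(3).strip()
        if kind == "PID":
            hit = re.match(r"not in (\w+) output", rest)
            if hit:
                found[pid]["missing"].add(hit.group(1))  # "readdir" or "ps"
        else:
            found[pid][kind.lower()] = rest
    return dict(found)

def read_status(pid):
    """Read /proc/<pid>/status on the live Linux system; None if the ID is gone."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            return fh.read()
    except OSError:
        return None

def classify(pid, status_text):
    """A Tgid that differs from Pid means the ID is a thread of process <Tgid>."""
    if status_text is None:
        return "gone"
    fields = dict(l.split(":", 1) for l in status_text.splitlines() if ":" in l)
    tgid, own = int(fields["Tgid"]), int(fields["Pid"])
    return "leader" if tgid == own else f"thread of {tgid}"

def triage(text, reader=read_status):  # reader is injectable so the logic can be tested
    return {p: (i["exe"], classify(p, reader(p))) for p, i in parse_chkproc(text).items()}
```

An ID reported as a thread belongs to the process named by its `Tgid`, so the next step is to confirm that process appears in `ps` and matches the `EXE` path; an ID reported as a leader that is still missing from `ps` deserves closer inspection.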