
Re: chkrootkit...lkm trojan?... only from gnome



I ran "chkrootkit -x lkm" and I got the following output:

debian-dell:/home/gpierce# chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v
###
PID 15705: not in readdir output
PID 15705: not in ps output
CWD 15705: /home/gpierce
EXE 15705: /usr/bin/nautilus
PID 15710: not in readdir output
PID 15710: not in ps output
CWD 15710: /home/gpierce
EXE 15710: /usr/lib/gnome-vfs2/gnome-vfs-daemon
PID 15752: not in readdir output
PID 15752: not in ps output
CWD 15752: /home/gpierce
EXE 15752: /usr/bin/nautilus
PID 15753: not in readdir output
PID 15753: not in ps output
CWD 15753: /home/gpierce
EXE 15753: /usr/bin/nautilus
PID 15754: not in readdir output
PID 15754: not in ps output
CWD 15754: /home/gpierce
EXE 15754: /usr/bin/nautilus
PID 15755: not in readdir output
PID 15755: not in ps output
CWD 15755: /home/gpierce
EXE 15755: /usr/bin/nautilus
PID 15756: not in readdir output
PID 15756: not in ps output
CWD 15756: /home/gpierce
EXE 15756: /usr/bin/nautilus
PID 15757: not in readdir output
PID 15757: not in ps output
CWD 15757: /home/gpierce
EXE 15757: /usr/bin/nautilus
PID 15758: not in readdir output
PID 15758: not in ps output
CWD 15758: /home/gpierce
EXE 15758: /usr/bin/nautilus
PID 15759: not in readdir output
PID 15759: not in ps output
CWD 15759: /home/gpierce
EXE 15759: /usr/bin/nautilus
PID 15760: not in readdir output
PID 15760: not in ps output
CWD 15760: /home/gpierce
EXE 15760: /usr/bin/nautilus
PID 15765: not in readdir output
PID 15765: not in ps output
CWD 15765: /home/gpierce
EXE 15765: /usr/lib/gnome-applets/gweather-applet-2
PID 15766: not in readdir output
PID 15766: not in ps output
CWD 15766: /home/gpierce
EXE 15766: /usr/lib/gnome-applets/gweather-applet-2
PID 17076: not in readdir output
PID 17076: not in ps output
CWD 17076: /home/gpierce
EXE 17076: /usr/lib/gnome-applets/gweather-applet-2
PID 17866: not in readdir output
PID 17866: not in ps output
CWD 17866: /home/gpierce
EXE 17866: /usr/bin/evolution-1.4
PID 17867: not in readdir output
PID 17867: not in ps output
CWD 17867: /home/gpierce
EXE 17867: /usr/bin/evolution-1.4
PID 17868: not in readdir output
PID 17868: not in ps output
CWD 17868: /home/gpierce
EXE 17868: /usr/bin/evolution-1.4
PID 17869: not in readdir output
PID 17869: not in ps output
CWD 17869: /home/gpierce
EXE 17869: /usr/bin/evolution-1.4
PID 17870: not in readdir output
PID 17870: not in ps output
CWD 17870: /home/gpierce
EXE 17870: /usr/bin/evolution-1.4
PID 17922: not in readdir output
PID 17922: not in ps output
CWD 17922: /home/gpierce
EXE 17922: /usr/lib/mozilla-firefox/firefox-bin
PID 17924: not in readdir output
PID 17924: not in ps output
CWD 17924: /home/gpierce
EXE 17924: /usr/lib/mozilla-firefox/firefox-bin
PID 17927: not in readdir output
PID 17927: not in ps output
CWD 17927: /home/gpierce
EXE 17927: /usr/lib/mozilla-firefox/firefox-bin
PID 17928: not in readdir output
PID 17928: not in ps output
CWD 17928: /home/gpierce
EXE 17928: /usr/lib/mozilla-firefox/firefox-bin
PID 17933: not in readdir output
PID 17933: not in ps output
CWD 17933: /home/gpierce
EXE 17933: /usr/bin/gnome-terminal
PID 17936: not in readdir output
PID 17936: not in ps output
CWD 17936: /home/gpierce
EXE 17936: /usr/lib/mozilla-firefox/firefox-bin
You have    25 process hidden for readdir command
You have    25 process hidden for ps command


It all looks benign to me, but why would so many processes be running and
hidden from ps?

Greg



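What chkproc actually does is probe /proc/<pid> for every PID in a fixed range and flag any PID that answers the probe but is missing from readdir(/proc) ("not in readdir output") or from ps ("not in ps output"). On a Linux kernel with NPTL threading, every non-leader thread has its own PID whose /proc/<tid> directory is reachable by path lookup but deliberately omitted from readdir, and ps does not show threads unless you ask with -L; proc(5) documents exactly this behaviour. That is why a long list of hits that all resolve to threaded GUI programs (nautilus, evolution, firefox, gweather) looks like this. A quick way to check a specific PID from the output above is `ps -eLo pid,lwp,comm | grep 15705`, which shows the thread (LWP) together with the process that owns it.

The script below is an added example, not code from chkrootkit or from the original post. It repeats chkproc's probe, then resolves each hit through the Tgid line of /proc/<pid>/status before calling it hidden; a hit is treated as a benign thread only when its Tgid names a different PID that both readdir and ps do show. MAX_PID, the ps invocation and the sample data in the test are assumptions made here.

```python
#!/usr/bin/env python3
"""Thread-aware version of the chkproc idea (added example, not chkrootkit code).

chkproc probes /proc/<pid> for every PID in a range and reports any PID that
answers the probe but is absent from readdir(/proc) or from `ps`.  On Linux,
/proc/<tid> for a non-leader thread is exactly that: reachable by lookup,
omitted from readdir, and absent from `ps` unless -L is given.  This script
keeps the probe but checks /proc/<pid>/status (Tgid) before crying wolf.
"""
import os
import subprocess

MAX_PID = 65535  # assumed probe range; read /proc/sys/kernel/pid_max on a real box


def listed_pids(proc="/proc"):
    """PIDs that readdir(/proc) is willing to show."""
    return {int(d) for d in os.listdir(proc) if d.isdigit()}


def probed_pids(proc="/proc", max_pid=MAX_PID):
    """PIDs whose /proc/<pid> can be stat()ed, whether or not readdir lists them."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.stat(os.path.join(proc, str(pid)))
        except OSError:
            continue
        found.add(pid)
    return found


def ps_pids():
    """PIDs as userland `ps` reports them (thread group leaders only, no -L)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def tgid_of(pid, proc="/proc"):
    """Thread-group id from /proc/<pid>/status, or None if it cannot be read."""
    try:
        with open(os.path.join(proc, str(pid), "status")) as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None


def classify(listed, probed, visible, tgid_lookup):
    """Split probe hits that neither readdir nor ps showed into threads and suspects.

    A hit counts as a benign thread only if its Tgid names a *different* PID that
    both readdir and ps show.  Anything else (no status file, Tgid == pid, or a
    Tgid that is itself unlisted) stays suspicious.  Returns (threads, suspects)
    where threads maps tid -> tgid.
    """
    threads, suspects = {}, set()
    for pid in sorted(probed - listed - visible):
        tgid = tgid_lookup(pid)
        if tgid is not None and tgid != pid and tgid in listed and tgid in visible:
            threads[pid] = tgid
        else:
            suspects.add(pid)
    return threads, suspects


def report(proc="/proc"):
    """Run the live check and print one line per hit, chkproc style."""
    listed, probed, visible = listed_pids(proc), probed_pids(proc), ps_pids()
    threads, suspects = classify(listed, probed, visible, lambda p: tgid_of(p, proc))
    for tid, tgid in threads.items():
        print(f"PID {tid}: thread of {tgid} (benign: not listed by readdir or ps)")
    for pid in suspects:
        print(f"PID {pid}: reachable but hidden from readdir and ps -- investigate")
    return threads, suspects


if __name__ == "__main__":
    report()
```

Two caveats. A kernel module that hides a process can just as easily hide or forge its status file, so a Tgid pointing at a legitimate, visible process is evidence, not proof; a clean run here only removes the thread noise, it does not clear the box, and a suspect PID still deserves the usual offline checks. Also, pid_max on newer kernels can be far above 65535, so raise MAX_PID accordingly or the probe will miss the upper range.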