Re: chkrootkit...lkm trojan?... only from gnome
On Mon, 16 Aug 2004, Gregory Pierce wrote:
> In running chkrootkit (version 0.43) tonight I got the following
> warning:
>
> Checking `lkm'... You have 16 process hidden for readdir command
> You have 16 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> But when I run chkrootkit from KDE it comes up clean. Can I really be
> compromised and chkrootkit detect a trojan from within gnome but not
> when I am running from KDE?
>
> I am not at all sure what to do from here. Should I just start from
> scratch and re-install everything?
Don't re-install just yet. It is very unlikely that you've been trojanned
(is that a word?). The lkm test is quite susceptible to false positives;
that is most likely what you're seeing.
For example, just switching from kernel 2.4.x to 2.6.7 caused chkrootkit to
start reporting 17+ 'hidden processes' and a possible LKM Trojan on my
machines. (Someone else reported this case to the BTS: bug=260905.)
/usr/share/doc/chkrootkit/README.Debian discusses a few other false
positive situations.
I presume that gnome runs some background processes (or perhaps uses a
threading model?) that KDE doesn't, and that is triggering the LKM test.
So, you're probably fine, but keep an eye out for bogus activity on your
machine (i.e. normal sys-admin mode).
-- Brad
--
Brad Sawatzky <bds9e@virginia.edu>
University of Virginia Physics Department
Ph: (434) 924-6580 Fax: (434) 924-7909
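The "hidden process" count in chkrootkit's lkm test comes from comparing the ids that answer direct probes (kill(pid, 0) or opening /proc/<id>/status) against the ids that readdir(/proc) and `ps` report. Since kernel 2.6 every thread has its own id that answers such probes but that readdir(/proc) and a default `ps` leave out, which is the false-positive mechanism the reply above points at. The script below is an added example, not part of this thread and not chkrootkit's own code: it reproduces that comparison and then sorts the "hidden" ids by reading the Tgid field of their status file, since a thread's Tgid differs from its Pid and names the listed process it belongs to. The sample ids, process names and status texts are constructed for the demo; `live_check` runs the same comparison against the running kernel.

```python
"""Cross-check a chkrootkit-style "hidden process" warning against /proc.

Added example, not chkrootkit's code.  A thread id answers probes but is not
listed by readdir(/proc); its /proc/<tid>/status shows Tgid != Pid.
"""
import os
import re

# Matches "Pid:\t1234" style lines in a /proc/<id>/status body.
_STATUS_FIELD = re.compile(r"^(Pid|Tgid|PPid|Name):\s*(\S+)", re.M)


def parse_status(text):
    """Pull Name/Pid/Tgid/PPid out of a /proc/<id>/status body."""
    fields = {}
    for key, value in _STATUS_FIELD.findall(text):
        fields[key] = value if key == "Name" else int(value)
    return fields


def classify(probed, listed, status_of):
    """Split ids that answered a probe but are missing from the listing.

    probed    - ids that answered a direct probe
    listed    - ids reported by readdir(/proc) / ps
    status_of - callable id -> status text, or None if the id is gone
    Returns (threads, suspicious): threads of a listed process, which
    explain chkrootkit's false positives, versus ids threading does not
    account for (a real process hidden from readdir, or a thread whose
    whole group is unlisted).
    """
    listed = set(listed)
    threads, suspicious = set(), set()
    for pid in sorted(set(probed) - listed):
        text = status_of(pid)
        if text is None:
            continue  # exited between probe and read; not hidden, just gone
        st = parse_status(text)
        if st.get("Tgid") != st.get("Pid") and st.get("Tgid") in listed:
            threads.add(pid)
        else:
            suspicious.add(pid)
    return threads, suspicious


def _fake_status(name, pid, tgid, ppid):
    """Constructed /proc/<id>/status fragment (sample data, not captured)."""
    return f"Name:\t{name}\nTgid:\t{tgid}\nPid:\t{pid}\nPPid:\t{ppid}\n"


# Constructed sample: what the listing shows vs. what probes answered.
SAMPLE_LISTED = {1, 100, 200}
SAMPLE_PROBED = {1, 100, 101, 102, 200, 300, 400, 500}
SAMPLE_STATUS = {
    1: _fake_status("init", 1, 1, 0),
    100: _fake_status("desktop-daemon", 100, 100, 1),
    101: _fake_status("desktop-daemon", 101, 100, 1),  # thread of 100
    102: _fake_status("desktop-daemon", 102, 100, 1),  # thread of 100
    200: _fake_status("bash", 200, 200, 1),
    300: _fake_status("unlisted", 300, 300, 1),        # real process, unlisted
    400: _fake_status("unlisted", 400, 399, 1),        # thread of unlisted group
    # 500 answered the probe but vanished before its status was read
}


def demo():
    """Run the classification over the constructed sample."""
    return classify(SAMPLE_PROBED, SAMPLE_LISTED, SAMPLE_STATUS.get)


def live_check(max_id=None):
    """Run the comparison against the running kernel (Linux only).

    Probing every id up to pid_max is a few million open() calls; pass a
    smaller max_id for a quick look at the low PID range.
    """
    listed = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    if max_id is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_id = int(fh.read())

    def status_of(pid):
        try:
            with open(f"/proc/{pid}/status") as fh:
                return fh.read()
        except OSError:
            return None

    probed = {pid for pid in range(1, max_id + 1) if status_of(pid) is not None}
    return classify(probed, listed, status_of)


if __name__ == "__main__":
    threads, suspicious = demo()
    print("sample: threads", sorted(threads), "suspicious", sorted(suspicious))
    if os.path.exists("/proc/sys/kernel/pid_max"):
        threads, suspicious = live_check()
        print(f"live: {len(threads)} hidden ids are threads of listed processes")
        print("live: unexplained ids:", sorted(suspicious) or "none")
```

On a threaded desktop the live run typically reports many ids under "threads" and none under "unexplained"; an id that shows up as unexplained is the one worth investigating by hand (its Name, PPid and /proc/<id>/exe) before reaching for a reinstall.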