chkrootkit hidden processes possible LKM Trojan.

To: d-u <debian-user@lists.debian.org>
Subject: chkrootkit hidden processes possible LKM Trojan.
From: Wackojacko <wackojacko32@ntlworld.com>
Date: Sat, 16 Aug 2008 12:17:38 +0100
Message-id: <[🔎] 48A6B752.4030505@ntlworld.com>

Hi all

I realise there has been some discussion recently over the merits orotherwise of chkrootkit, but the last two days it is warning of hiddenprocesses (ps and readdir).

After googling a little further I see this has been a problem in thepast but was unable to find any recent examples.


However, using

#chkrootkit -x lkm

and

#chkproc -v -v

and comparing these to the output of ps and ls /proc I have determinedthat there are processes which do not show up on /proc or ps but I amstill able to


#cd /proc/PID

for these processes and then

#cat cmdline

to find out what service is hidden.

The results suggest that icedove-bin and nepomukerserver are the mainculprits, but I want to know why!!

I do not have any services running on external ports as I am behind anetgear router and have confirmed this via various external port scansites. I do run smb, imap (dovecot), postfix, cups and apt-cacher(perl) locally for my internal network.


Am I really rooted?  Anyone else seeing something similar?

TIA

Wackojacko

Reply to:

Follow-Ups:
- Re: chkrootkit hidden processes possible LKM Trojan.
  - From: Ron Johnson <ron.l.johnson@cox.net>

Prev by Date: Pendrive not mounted when another usb device is plugged in
Next by Date: Re: Pendrive not mounted when another usb device is plugged in
Previous by thread: Re: Disk-like interface in umts modem
Next by thread: Re: chkrootkit hidden processes possible LKM Trojan.
Index(es):
- Date
- Thread