Re: chkrootkit hidden processes possible LKM Trojan.
Ron Johnson wrote:
On 08/16/08 06:17, Wackojacko wrote:
I realise there has been some discussion recently over the merits or
otherwise of chkrootkit, but the last two days it is warning of hidden
processes (ps and readdir).
After googling a little further I see this has been a problem in the
past but was unable to find any recent examples.
#chkrootkit -x lkm
#chkproc -v -v
and comparing these to the output of ps and ls /proc I have determined
that there are processes which do not show up on /proc or ps but I am
still able to
for these processes and then
to find out what service is hidden.
The results suggest that icedove-bin and nepomukserver are the main
culprits, but I want to know why!!
I do not have any services running on external ports as I am behind a
netgear router and have confirmed this via various external port scan
sites. I do run smb, imap (dovecot), postfix, cups and apt-cacher
(perl) locally for my internal network.
Am I really rooted? Anyone else seeing something similar?
Is this your personal workstation?
How is it connected to the Intarweb? Directly, or behind a NATing
If directly, how many services do you have listening to ports? Get a
friend to nmap you.
If this is your PC, and you are behind a hardware firewall, I seriously
doubt that you are compromised.
Yeah, this is my thinking. It is my personal workstation and I only have
the services I listed above listening on the local network. I am
behind a Netgear Router and external port scans show zilch!
Forgot to mention I am running Sid AMD64 with a home-rolled 2.6.25 kernel.
Rkhunter shows nothing, but that means nothing if the system is
I suppose the next question is why are these services hiding from me?
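The comparison the poster describes (the readdir view of /proc versus addressing each PID directly) can be reproduced in a few lines. This is an added example, not part of the thread and not chkrootkit's chkproc; the pid_max path, the signal-0 probe and the repeated re-check rounds are my assumptions about how to do it.

```python
import os
import time

PID_MAX_PATH = "/proc/sys/kernel/pid_max"   # assumed location of the kernel's PID ceiling


def listed_pids(proc="/proc"):
    """The readdir() view of /proc: what `ls /proc` and `ps` see."""
    return {int(d) for d in os.listdir(proc) if d.isdigit()}


def probed_pids(max_pid):
    """Address every PID directly with signal 0, bypassing readdir()."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue              # no such process
        except PermissionError:
            pass                  # exists, but belongs to another user
        alive.add(pid)
    return alive


def read_pid_max(path=PID_MAX_PATH):
    try:
        with open(path) as f:
            return int(f.read())
    except (OSError, ValueError):
        return 32768              # conservative fallback if the file is unreadable


def hidden_pids(listed_fn, probed_fn, rounds=3, pause=0.0):
    """PIDs that answer a probe but are absent from readdir in every round.
    A process that starts or exits between the two views shows up in only
    one of them for an instant; requiring the discrepancy to persist across
    several rounds drops those transient mismatches."""
    suspects = None
    for _ in range(rounds):
        diff = probed_fn() - listed_fn()
        suspects = diff if suspects is None else suspects & diff
        if not suspects:
            break
        time.sleep(pause)
    return suspects or set()


def scan(rounds=3, pause=0.5):
    max_pid = read_pid_max()
    return hidden_pids(listed_pids, lambda: probed_pids(max_pid), rounds, pause)


if __name__ == "__main__":
    for pid in sorted(scan()):
        print("PID %d answers kill(0) but is missing from /proc readdir" % pid)
```

Short-lived processes are the usual source of chkproc's false positives, which is why a single mismatch is not treated as hidden until it survives the re-check rounds.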