
Re: chkrootkit hidden processes possible LKM Trojan.



Ron Johnson wrote:
On 08/16/08 06:17, Wackojacko wrote:
Hi all

I realise there has been some discussion recently over the merits or otherwise of chkrootkit, but for the last two days it has been warning of hidden processes (ps and readdir).

After googling a little further I see this has been a problem in the past but was unable to find any recent examples.

However, using

#chkrootkit -x lkm

and

#chkproc -v -v

and comparing these to the output of ps and ls /proc I have determined that there are processes which do not show up on /proc or ps but I am still able to

#cd /proc/PID

for these processes and then

#cat cmdline

to find out what service is hidden.

The results suggest that icedove-bin and nepomukerserver are the main culprits, but I want to know why!!

I do not have any services running on external ports as I am behind a netgear router and have confirmed this via various external port scan sites. I do run smb, imap (dovecot), postfix, cups and apt-cacher (perl) locally for my internal network.

Am I really rooted?  Anyone else seeing something similar?

Is this your personal workstation?

How is it connected to the Intarweb? Directly, or behind a NATing firewalling router?

If directly, how many services do you have listening to ports? Get a friend to nmap you.

If this is your PC, and are behind a hardware firewall, I seriously doubt that you are compromised.

Hi Ron

Yeah this is my thinking. It is my personal workstation and I only have the services I listed above listening on the local network. I am behind a Netgear Router and external port scans show zilch!

Forgot to mention I am running Sid AMD64 with a home-rolled 2.6.25 kernel. Rkhunter shows nothing, but that means nothing if the system is compromised.

I suppose the next question is why are these services hiding from me?

Thanks again

Wackojacko
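The check described in the thread above (a chkproc-style brute-force probe of /proc/<n> compared with what readdir(/proc) lists, then reading cmdline of anything that only the probe finds), as an added example that is not part of the original posts or of chkrootkit. It assumes a Linux /proc; the function names are mine. It goes one step further than chkproc: for each unlisted PID it reads /proc/<n>/status and compares Tgid with the PID, because Linux lists only thread group leaders in /proc but still serves /proc/<tid> for every thread, so the threads of a multithreaded program look "hidden" to a brute-force probe. It also re-lists /proc before calling anything hidden, so a task that merely started or exited between the two passes is not flagged.

```python
#!/usr/bin/env python3
"""chkproc-style hidden-process check with thread/race classification.

Added example, not code from chkrootkit or the thread's authors.
Assumes a Linux procfs mounted at /proc.
"""
import os
import sys

PROC = "/proc"


def listed_pids(proc=PROC):
    """PIDs that readdir(/proc) returns: the same view ps and ls /proc get."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pid_max(proc=PROC):
    """Upper bound of the PID space, so the probe covers every possible task."""
    try:
        with open(os.path.join(proc, "sys/kernel/pid_max")) as f:
            return int(f.read())
    except OSError:
        return 32768  # conservative default for old kernels


def probed_pids(limit=None, proc=PROC):
    """Brute-force /proc/<n> for n = 1..limit (default pid_max), as chkproc does.
    A directory that exists here but not in listed_pids() is the 'hidden' case."""
    top = limit or pid_max(proc)
    return {n for n in range(1, top + 1) if os.path.isdir(os.path.join(proc, str(n)))}


def task_status(pid, proc=PROC):
    """Parse /proc/<pid>/status into a dict (Name, Pid, Tgid, ...); {} if gone."""
    fields = {}
    try:
        with open(os.path.join(proc, str(pid), "status")) as f:
            for line in f:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
    except OSError:
        pass  # task exited between the probe and this read
    return fields


def cmdline(pid, proc=PROC):
    """The same thing as 'cat /proc/<pid>/cmdline', NUL separators replaced."""
    try:
        with open(os.path.join(proc, str(pid), "cmdline"), "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return ""


def classify(pid, visible, proc=PROC):
    """Explain a PID the probe found. Returns (verdict, status_fields) where
    verdict is 'visible', 'exited', 'thread' or 'hidden'."""
    if pid in visible:
        return "visible", {}
    st = task_status(pid, proc)
    if not st:
        return "exited", st  # raced with process exit: not suspicious
    # Re-list before accusing anything: the task may have started after
    # the first readdir pass.
    now = visible | listed_pids(proc)
    if pid in now:
        return "visible", st
    tgid = int(st.get("Tgid", pid))
    if tgid != pid and tgid in now:
        # Only thread-group leaders appear in readdir(/proc), yet /proc/<tid>
        # exists for every thread: chkproc's classic false positive.
        return "thread", st
    # Either a real process or a thread whose leader is also unlisted.
    return "hidden", st


def find_hidden(limit=None, proc=PROC):
    """Run the whole check. Returns {pid: (verdict, tgid, name, cmdline)} for
    every task the probe found that readdir(/proc) did not list."""
    visible = listed_pids(proc)
    report = {}
    for pid in sorted(probed_pids(limit, proc) - visible):
        verdict, st = classify(pid, visible, proc)
        if verdict == "visible":
            continue
        tgid = int(st.get("Tgid", 0) or 0)
        report[pid] = (verdict, tgid, st.get("Name", ""), cmdline(pid, proc))
    return report


if __name__ == "__main__":
    # Optional argv[1]: highest PID to probe (default: pid_max, which can take
    # some seconds on kernels with a 4M PID space).
    top = int(sys.argv[1]) if len(sys.argv) > 1 else None
    for pid, (verdict, tgid, name, cmd) in find_hidden(top).items():
        print(f"{pid:>7} {verdict:<7} tgid={tgid:<7} {name:<16} {cmd}")
```

Run it as root so every task's status and cmdline are readable. A "thread" verdict names the process that owns the thread (its Tgid is listed, so ps shows it); the hits worth investigating are "hidden" ones, where neither the PID nor its Tgid appears in readdir(/proc).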

