Re: chkrootkit hidden processes possible LKM Trojan.

To: debian-user@lists.debian.org
Subject: Re: chkrootkit hidden processes possible LKM Trojan.
From: Wackojacko <wackojacko32@ntlworld.com>
Date: Thu, 21 Aug 2008 20:32:08 +0100
Message-id: <[🔎] 48ADC2B8.9080105@ntlworld.com>
In-reply-to: <[🔎] 48ABE8F5.4040801@cyberspaceroad.com>
References: <[🔎] 48A6B752.4030505@ntlworld.com> <[🔎] 48A6BDAA.8010503@cox.net> <[🔎] 48A6C1ED.3050503@ntlworld.com> <[🔎] 48ABE8F5.4040801@cyberspaceroad.com>

Adam Hardy wrote:

However, using

#chkrootkit -x lkm

and

#/usr/lib/chkrootkit/chkproc -v -v
Wacko,
you haven't got a script that does that have you? (Identifying theprocess that is hidden from /proc/PID?) Seems a bit laborious doing itmanually more than once.
Adam

As per my original mail above, these two commands will show you thehidden processes.

First one asks chkrootkit why it thinks there is an LKM Trojan on thesystem.

Second one is the helper script run by chkrootkit that lists the hiddenprocesses but can be run directly.

I am still seeing output from these commands, but the daily chkrootkitemail warning of LKM Trojan has now disappeared!!


HTH

Wackojacko

Reply to:

Follow-Ups:
- Re: chkrootkit hidden processes possible LKM Trojan.
  - From: Adam Hardy <adam.ant@cyberspaceroad.com>

References:
- chkrootkit hidden processes possible LKM Trojan.
  - From: Wackojacko <wackojacko32@ntlworld.com>
- Re: chkrootkit hidden processes possible LKM Trojan.
  - From: Ron Johnson <ron.l.johnson@cox.net>
- Re: chkrootkit hidden processes possible LKM Trojan.
  - From: Wackojacko <wackojacko32@ntlworld.com>
- Re: chkrootkit hidden processes possible LKM Trojan.
  - From: Adam Hardy <adam.ant@cyberspaceroad.com>

Prev by Date: Re: compatibility
Next by Date: Re: compatibility
Previous by thread: Re: chkrootkit hidden processes possible LKM Trojan.
Next by thread: Re: chkrootkit hidden processes possible LKM Trojan.
Index(es):
- Date
- Thread