chkrootkit LKM Trojan?
Derek Broughton
news at pointerstop.ca
Sun Jul 16 15:50:47 UTC 2006
Dave S wrote:
> I just had an email from chkrootkit last night -
>
> ---
>
> The following suspicious files and directories were found:
>
> You have 3 process hidden for readdir command
> You have 3 process hidden for ps command
> chkproc: Warning: Possible LKM Trojan installed
>
> ---
>
> Running chkrootkit now and all is OK
I have exactly the same issue.
>
> (a) I have a trojan. Seems unlikely: I am behind a Netgear router firewall
> NAT with no incoming ports open. Running nothing more than samba, ssh and
> unison on the local network, though I have to admit I have not hardened my
> system.
>
> (b) It's a false alarm - it is called by /etc/cron.daily so a lot of
> different scripts are called at the same time - though I have no idea what
> could have caused it.
Yep, those would be the possibilities :-) I don't know. I think it's (b),
but I'm uncertain. chkrootkit is remarkably unhelpful about its warnings -
what does it mean that processes are "hidden"? How does it attempt to
recognize packet sniffers? It routinely reports dhclient!
--
derek
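
A triage sketch for possibility (b), added here as an example and not part of the original message or of chkrootkit: it repeats the "hidden process" comparison several times so that a PID missed once, as happens when a cron job starts between the listing and the probe, is separated from a PID missing every time. It assumes the warning comes from comparing a direct lookup of /proc/<pid> against the readdir and ps listings (the thread does not say how chkproc works); all function names are hypothetical.

```python
import os, subprocess, time

def listed_proc():
    """PIDs a directory listing of /proc shows (the readdir view)."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def listed_ps():
    """PIDs that ps prints (the ps view)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def is_thread(pid):
    """True if /proc/<pid> is a thread of another process, not a process."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass  # exited while we were looking: treat as a (transient) process
    return False

def probed(max_pid):
    """Processes reachable by direct path lookup, listed or not."""
    return {p for p in range(1, max_pid + 1)
            if os.path.isdir(f"/proc/{p}") and not is_thread(p)}

def hidden(probe, listing):
    """PIDs that answered the probe but are missing from a listing."""
    return probe - listing

def persistent(samples):
    """PIDs hidden in every (probe, listing) sample; one-off misses are races."""
    sets = [hidden(probe, listing) for probe, listing in samples]
    return set.intersection(*sets) if sets else set()

if __name__ == "__main__":  # run as root; slow when pid_max is large
    with open("/proc/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    for name, lister in (("readdir", listed_proc), ("ps", listed_ps)):
        samples = []
        for _ in range(3):
            # Listing first, probe second: a process started in between is
            # "hidden" in that one sample only.
            listing = lister()
            samples.append((probed(max_pid), listing))
            time.sleep(1)
        print(name, "hidden in all samples:", sorted(persistent(samples)))
```

An empty result for both views is consistent with a timing false alarm; a PID that stays hidden across samples is the case to investigate from trusted media.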