chkrootkit LKM Trojan ?
Varga Levente
vlzoltan at gmail.com
Sun Jul 16 22:47:09 UTC 2006
>Dave S wrote:
> I just had an email from chkrootkit last night -
>
> ---
>
> The following suspicious files and directories were found:
>
> You have 3 process hidden for readdir command
> You have 3 process hidden for ps command
> chkproc: Warning: Possible LKM Trojan installed
>
> ---
>
> Running chkrootkit now and all is OK
> I have exactly the same issue.
>
> (a) I have a trojan, seems unlikely I am behind a netgear router firewall
> NAT with no incoming ports open. Running nothing more than samba, ssh and
> unison on the local network though I have to admit I have not hardened my
> system.
>
> (b) It's a false alarm - it is called by /etc/cron.daily so a lot of
> different scripts are called at the same time - though I have no idea what
> could have caused it.
> Yep, those would be the possibilities :-) I don't know. I think it's (b),
> but I'm uncertain. chkrootkit is remarkably unhelpful about its warnings -
> what does it mean that processes are "hidden"? How does it attempt to
> recognize packet sniffers? It routinely reports dhclient!
Try rkhunter and see!
Levi
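
As an added example (not part of the original thread and not chkrootkit's own code), this is one way to triage a "process hidden for readdir" warning of the kind quoted above: find PIDs that are reachable as /proc/<pid> but missing from the /proc listing, then rule out the benign explanations. It assumes a Linux /proc layout; the function names are hypothetical.

```python
import os
import time

def listed_pids(proc="/proc"):
    # What readdir() shows: one numeric entry per process (thread-group leader).
    return {int(n) for n in os.listdir(proc) if n.isdigit()}

def tgid_of(pid, proc="/proc"):
    # Tgid from /proc/<pid>/status; None if the entry vanished in the meantime.
    try:
        with open(f"{proc}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None

def classify(pid, listed_now, tgid):
    """Explain one PID that was reachable by path but absent from the first listing."""
    if tgid is None:
        return "exited"        # short-lived process: a race with the scan
    if tgid != pid:
        return "thread"        # thread IDs are reachable by path but never listed
    if pid in listed_now:
        return "started-late"  # appeared after the first listing: also a race
    return "hidden"            # live leader, still unlisted on re-check: investigate

def scan(max_pid=None, settle=0.5, proc="/proc"):
    if max_pid is None:
        with open(f"{proc}/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    first = listed_pids(proc)
    # Probe every possible PID directly instead of trusting the directory listing.
    candidates = [p for p in range(1, max_pid)
                  if p not in first and os.path.isdir(f"{proc}/{p}")]
    time.sleep(settle)         # let transient processes finish before re-checking
    second = listed_pids(proc)
    return {p: classify(p, second, tgid_of(p, proc)) for p in candidates}

if __name__ == "__main__":
    for pid, verdict in sorted(scan().items()):
        print(pid, verdict)
```

Only a "hidden" verdict that persists across repeated runs is worth escalating; many short-lived processes, as during a cron.daily run, mostly show up as "exited" or "started-late". A compromised kernel can falsify any of these answers, so a clean result from the running system is not proof.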