chkrootkit LKM Trojan ?
Dave S
ubuntu at pusspaws.net
Mon Jul 17 18:44:54 UTC 2006
On Sunday 16 July 2006 23:47, Varga Levente wrote:
> >Dave S wrote:
> >
> > I just had an email from chkrootkit last night -
> >
> > ---
> >
> > The following suspicious files and directories were found:
> >
> > You have 3 process hidden for readdir command
> > You have 3 process hidden for ps command
> > chkproc: Warning: Possible LKM Trojan installed
> >
> > ---
> >
> > Running chkrootkit now and all is OK
> >
> > I have exactly the same issue.
> >
> > (a) I have a trojan, seems unlikely I am behind a netgear router firewall
> > NAT with no incoming ports open. Running nothing more than samba, ssh and
> > unison on the local network though I have to admit I have not hardened my
> > system.
> >
> > (b) It's a false alarm - it is called by /etc/cron.daily so a lot of
> > different scripts are called at the same time - though I have no idea what
> > could have caused it.
> >
> > Yep, those would be the possibilities :-) I don't know. I think it's (b),
> > but I'm uncertain. chkrootkit is remarkably unhelpful about its warnings -
> > what does it mean that processes are "hidden"? How does it attempt to
> > recognize packet sniffers? It routinely reports dhclient!
>
> Try rkhunter and see!
Tried it - rkhunter says everything is OK ...mmm... erring to false +ve (Mops
sweat from brow !)
Dave
>
> Levi
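
One way to test hypothesis (b) from the thread, as an added example that is not part of the original messages and is not chkrootkit's own code: it repeats a readdir-versus-direct-lookup comparison of `/proc` several times and keeps only PIDs that are missing from the listing in every round, so short-lived cron children drop out. It assumes a Linux `/proc`; all function names are hypothetical.

```python
import os
import time

def listed_pids(proc="/proc"):
    """PIDs that readdir() on /proc returns (the view ls and ps depend on)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def is_process(pid, proc="/proc"):
    """True if /proc/<pid> answers a direct lookup and is a thread-group leader.
    Thread IDs also answer direct lookups but are never listed, so skip them."""
    try:
        with open(f"{proc}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except (OSError, ValueError):
        pass  # no such PID, or it exited while we were reading
    return False

def hidden_in_round(before, probed, after):
    """PIDs found by probing but absent from the listings taken before and
    after the probe; a PID in either listing was only racing the scan."""
    return probed - before - after

def scan_once(proc="/proc"):
    """One live round over every possible PID (slow when pid_max is large)."""
    with open(f"{proc}/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    before = listed_pids(proc)
    probed = {pid for pid in range(1, pid_max) if is_process(pid, proc)}
    after = listed_pids(proc)
    return hidden_in_round(before, probed, after)

def persistent_hidden(rounds):
    """PIDs hidden in every round; transient processes do not survive this."""
    rounds = list(rounds)
    return set.intersection(*rounds) if rounds else set()

if __name__ == "__main__":
    results = []
    for _ in range(3):
        results.append(scan_once())
        time.sleep(2)
    print("hidden in every round:", sorted(persistent_hidden(results)) or "none")
```

An empty result across rounds points to a race during the cron run; a PID that stays hidden in every round is the case worth investigating from trusted boot media.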