Hi Kelly,

> Checking `lkm'... You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> Can somebody tell me if I've been hacked and if so, what must I do.
> Thank you, all help is greatly appreciated.
The hidden process check in chkrootkit can and will sometimes report hidden processes when there are none. Please be aware of these *false* alarms, which will happen mostly when you're running many dynamic processes, such as Apache, MySQL or ASP.

Why does it happen? Chkrootkit compares the processes in the /proc/ directory with those shown by the command "ps". If both outputs don't match, then it'll give an alert. However, the comparison takes a few moments, and if a process ends (naturally or forced) during the comparison, then that will cause a false alarm.

You shouldn't trust the LKM test in chkrootkit fully and should run some manual checks to see what's up if you're warned about a possible LKM.

How to run the test manually for cross checking:

As root:

cd /home/security/chkrootkit/ (or to wherever your chkrootkit is installed)
./chkrootkit -x lkm

That will show a detailed listing of the suspicious processes in question and can help you to look further into the issue. If the listing comes up empty (see example below), then there is nothing to worry about.

[root admin]# cd /home/security/chkrootkit/
[root chkrootkit]# ./chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v
###

However, if it returns a couple of numbers, then those are the process IDs of the hidden processes. If repeated runs of "chkrootkit -x lkm" report such process IDs, then you should indeed be worried.

--
With best regards,

Michael Stauber
[EMAIL PROTECTED]
Unix/Linux Support Engineer

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
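The /proc-versus-ps comparison Michael describes, as an added example that is not part of chkrootkit or of this thread: it takes a second /proc sample after running ps, so a process that merely exited or started during the check is not reported, which is the race behind the false alarms above. The function names and the use of `ps -e -o pid=` (procps) are this example's own choices.

```python
"""Re-implementation of the chkproc idea: diff the PIDs readdir() sees in
/proc against the PIDs ps reports, with a second /proc sample to suppress
race-induced false alarms. Added example, not chkrootkit code."""
import os
import subprocess


def list_proc_pids():
    """PIDs visible via readdir() on /proc (numeric directory names only)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def list_ps_pids():
    """PIDs reported by ps (procps: one PID per line, header suppressed).

    The ps process itself is dropped: it lives only during this call and
    would otherwise look 'hidden for readdir' on every run.
    """
    p = subprocess.Popen(["ps", "-e", "-o", "pid="],
                         stdout=subprocess.PIPE, text=True)
    out, _ = p.communicate()
    return {int(tok) for tok in out.split()} - {p.pid}


def hidden_pids(proc_before, ps_pids, proc_after):
    """Pure comparison, so it can be checked with constructed samples.

    A PID is 'hidden for ps' only if /proc listed it both before and after
    the ps run (it did not simply exit mid-check) yet ps never showed it.
    A PID is 'hidden for readdir' only if ps showed it but neither /proc
    sample contained it (it was not merely started mid-check). A process
    that lives only during the ps call can still trip the second test,
    which is why repeated runs matter. Returns two sorted lists.
    """
    stable_proc = proc_before & proc_after
    hidden_from_ps = sorted(stable_proc - ps_pids)
    hidden_from_readdir = sorted(ps_pids - (proc_before | proc_after))
    return hidden_from_ps, hidden_from_readdir


def check_once():
    """Live run on this host: (hidden_for_ps, hidden_for_readdir)."""
    before = list_proc_pids()
    ps = list_ps_pids()
    after = list_proc_pids()
    return hidden_pids(before, ps, after)


if __name__ == "__main__":
    from_ps, from_readdir = check_once()
    print(f"hidden for ps command: {from_ps}")
    print(f"hidden for readdir command: {from_readdir}")
```

An empty pair on repeated runs corresponds to the empty `chkproc -v` listing above; a PID that keeps showing up in the first list across runs is the case worth investigating.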
