On Mon, Jan 26, 2004 at 02:36:39PM -0500, Greg Folkert wrote:
> > > When I run tiger, I got the following error:
> > >
> > > NEW: --WARN-- [rootkit004f] Chkrootkit has detected a possible rootkit
> > > installation
> > > NEW: Warning: Possible LKM Trojan installed
(...)
> Please make sure this isn't the faulty chkrootkit... that
> mis-reported an LKM existing on your boxen.

I believe chkrootkit is to blame here; the LKM check is prone to a lot of false positives in sid. I haven't been able to pinpoint what causes this. Unfortunately, it comes (NEW) and goes (OLD), so it's not cleaned by Tiger's "do not send me stuff I already know about" mechanism.

There are some known false positives in chkrootkit [1], and given the way it checks for some of the rootkits, it's bound to fail sometimes. Also notice that there are known issues with the latest kernel (2.6) and glibc (some processes will not show up no matter what). Also, nautilus and mozilla-firebird seem to cause these false positives (as reported in bug #222179).

It would be great if chkrootkit would detail more in the output message what "hidden" process leads it to believe there is an LKM, so that these could be filtered through Tiger's ignore mechanism...

Regards

Javi

[1] http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=chkrootkit