The program compares the process list in /proc with the output of the command 'ps'. So, when chkrootkit lists /proc and then gets the output from ps, the time between the two operations is large enough for other processes to be created (or to die/be killed)...

That's why this check is not VERY reliable.

E.

--
Eric LeBlanc
[EMAIL PROTECTED]
--------------------------------------------------
UNIX is user friendly.
It's just selective about who its friends are.
==================================================

On Mon, 26 May 2003, IC0N wrote:

> Hello
>
> As Jacques Lavignotte <[EMAIL PROTECTED]> and Jens Schuessler
> <[EMAIL PROTECTED]> posted in their mails on the 7th of March 2003, I have
> exactly the same alert message using chkrootkit:
>
> Checking `lkm'... You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> Sometimes I get 2 or 3 processes, sometimes NONE.
>
> Is there a plausible reason why there could be a hidden process?
> Hidden even for root? Even if LKM is not installed? I did not find
> any possible reason. I only know that I can also "reproduce" the
> alert by installing Debian on a brand new hard disk. I used the Debian
> woody 3.0 with kernel 2.2 CD image of the 11th of December 2002.
>
> greetings icon
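The race described in the reply above, as an added example that is not part of the original messages and is not chkrootkit's code: it compares the /proc listing with ps output over several samples and keeps only the PIDs that are missing every time, so processes that start or exit between the two listings drop out. The function names, the sampling parameters and the snapshot data are assumptions made for illustration.

```python
import os
import subprocess
import time

def proc_pids(root="/proc"):
    """PIDs visible as numeric directory names under /proc (the readdir view)."""
    return {int(name) for name in os.listdir(root) if name.isdigit()}

def ps_pids():
    """PIDs reported by ps. The ps process lists itself, with a new PID each run."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def stable_discrepancies(samples):
    """samples: list of (proc_set, ps_set) pairs taken at different times.

    Returns (missing_from_ps, missing_from_proc), keeping only PIDs that are
    missing in every sample. A process that started or exited between the two
    listings of one sample shows up in that sample only and is dropped.
    """
    if not samples:
        return set(), set()
    missing_from_ps = set.intersection(*[proc - ps for proc, ps in samples])
    missing_from_proc = set.intersection(*[ps - proc for proc, ps in samples])
    return missing_from_ps, missing_from_proc

def check(rounds=3, delay=0.5):
    """Take several live samples and report only persistent mismatches."""
    samples = []
    for _ in range(rounds):
        samples.append((proc_pids(), ps_pids()))
        time.sleep(delay)
    return stable_discrepancies(samples)

# Constructed snapshots (not real data): PID 130 exits and PID 120 starts
# between the two listings of round 1; 900-902 are ps itself; 77 never
# appears in ps output.
SAMPLES = [
    ({1, 50, 77, 130}, {1, 50, 120, 900}),
    ({1, 50, 77, 120}, {1, 50, 120, 901}),
    ({1, 50, 77, 120}, {1, 50, 120, 902}),
]

if __name__ == "__main__":
    print("single pass :", stable_discrepancies(SAMPLES[:1]))
    print("three passes:", stable_discrepancies(SAMPLES))
    print("live system :", check())
```

A single pass over the constructed data reports the transient PIDs as mismatches; only the PID that is missing from ps in every sample remains after three passes.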

