On Mon, 16 Aug 2004, Gregory Pierce wrote:
> In running chkrootkit (version 0.43) tonight I got the following
> warning:
>
> Checking `lkm'... You have 16 process hidden for readdir command
> You have 16 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> But when I run chkrootkit from KDE it comes up clean. Can I really be
> compromised and chkrootkit detect a trojan from within gnome but not
> when I am running from KDE?
>
> I am not at all sure what to do from here. Should I just start from
> scratch and re-install everything?

Don't re-install just yet. It is very unlikely that you've been
trojanned (is that a word?). The lkm test is quite susceptible to
false positives; that is most likely what you're seeing.

For example, just switching from kernel 2.4.x to 2.6.7 caused
chkrootkit to start reporting 17+ 'hidden processes' and a possible
LKM Trojan on my machines. (Someone else reported this case to the
BTS: bug=260905.)

/usr/share/doc/chkrootkit/README.Debian discusses a few other false
positive situations. I presume that gnome runs some background
processes (or perhaps uses a threading model?) that KDE doesn't, and
that is triggering the LKM test.

So, you're probably fine, but keep an eye out for bogus activity on
your machine (i.e. normal sys-admin mode).

-- Brad

--
Brad Sawatzky <[EMAIL PROTECTED]>
University of Virginia Physics Department
Ph: (434) 924-6580    Fax: (434) 924-7909
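A triage sketch for the false-positive case described in the reply above, added here as an example; it is not part of the original message and not chkrootkit's own code. It assumes a Linux 2.6-style /proc, where a thread ID answers at /proc/<id> but is not returned when listing /proc, and uses the Tgid field of /proc/<id>/status to separate threads of visible processes from IDs with no listed owner. All function names are hypothetical.

```python
"""Triage IDs that answer under /proc/<id> but are missing from a /proc listing."""
import os

def parse_status(text):
    """Return (pid, tgid) parsed from the text of /proc/<id>/status."""
    fields = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    return int(fields["Pid"]), int(fields["Tgid"])

def triage(listed, max_pid, read_status):
    """Split unlisted-but-live IDs into threads of listed processes and the rest.
    listed: set of numeric names seen when listing /proc
    read_status: callable(pid) -> status text, raising OSError if no such task
    """
    threads, unexplained = {}, []
    for pid in range(1, max_pid + 1):
        if pid in listed:
            continue
        try:
            _, tgid = parse_status(read_status(pid))
        except OSError:
            continue  # nothing lives at this ID
        except (KeyError, ValueError):
            unexplained.append(pid)  # answers, but status cannot be parsed
            continue
        if tgid != pid and tgid in listed:
            threads.setdefault(tgid, []).append(pid)  # thread of a visible process
        else:
            unexplained.append(pid)  # its thread-group leader is not listed
    return threads, unexplained

def listed_pids(root="/proc"):
    return {int(name) for name in os.listdir(root) if name.isdigit()}

def read_proc_status(pid, root="/proc"):
    with open(os.path.join(root, str(pid), "status")) as fh:
        return fh.read()

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as fh:
        limit = int(fh.read())
    threads, unexplained = triage(listed_pids(), limit, read_proc_status)
    # A process that started after the first listing is a race, not hiding.
    now = listed_pids()
    unexplained = [p for p in unexplained if p not in now]
    count = sum(len(t) for t in threads.values())
    print(f"{count} unlisted IDs are threads of {len(threads)} listed processes")
    print("unexplained IDs:", unexplained or "none")
```

An empty unexplained list only accounts for the readdir count in the warning; a kernel-level rootkit can also falsify what /proc reports, so treat the result as one data point alongside the other checks.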

