> 2) While I was running chkrootkit-0.39a:
> Checking `ps'... not infected
> ...
> Checking `lkm'... You have 54 process hidden for ps command
> Warning: Possible LKM Trojan installed
> --
>
> 3) Seeing process:
> [root@localhost chkrootkit-0.39a]# ps ax
> PID TTY STAT TIME COMMAND
> 1 ? S 0:04 init [3]
> 2 ? SW 0:00 [keventd]
> ...
> 4881 pts/0 S 0:00 bash
> 4917 pts/0 S 0:00 vim rootkit
> 4918 pts/1 R 0:00 ps ax
> Total: 52
> At /proc : 52 process, too
> --

chkrootkit seems to think that *all* your processes are hidden (assuming a couple finished between running chkrootkit and ps). I suspect that the ps is being run with the wrong arguments (or the wrong ps is being run).

Have a look at chkproc.c and make sure that the definition of PS is the one you want for your system.

Regards,
Chris
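
The false positive discussed in the reply above, as an added example that is not part of the original message and is not chkrootkit's code: a simplified cross-check of /proc PIDs against parsed ps output. It assumes the checker reads the PID from a fixed column, so a ps invocation whose output format differs makes every process look hidden; the function names and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not chkproc.c): compare PIDs listed under /proc with the PIDs
# parsed from ps output. All sample data below is constructed.

# PID list, as `ls /proc | grep '^[0-9][0-9]*$'` would produce.
PROC_PIDS='1
2
4881
4917'

# `ps ax` style listing: the PID is column 1.
PS_AX='  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:04 init [3]
    2 ?        SW     0:00 [keventd]
 4881 pts/0    S      0:00 bash
 4917 pts/0    S      0:00 vim rootkit'

# `ps -ef` style listing: the PID is column 2.
PS_EF='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 10:00 ?        00:00:04 init [3]
root         2     1  0 10:00 ?        00:00:00 [keventd]
root      4881  4880  0 10:05 pts/0    00:00:00 bash
root      4917  4881  0 10:06 pts/0    00:00:00 vim rootkit'

# hidden_pids PROC_LIST PS_OUTPUT PID_COLUMN
# Prints every PID from PROC_LIST that is absent from PID_COLUMN of PS_OUTPUT.
hidden_pids() {
    ps_pids=$(printf '%s\n' "$2" | awk -v c="$3" 'NR > 1 { print $c }')
    for pid in $1; do
        printf '%s\n' "$ps_pids" | grep -qx "$pid" || printf '%s\n' "$pid"
    done
}

# count_hidden PROC_LIST PS_OUTPUT PID_COLUMN
# Prints how many PIDs hidden_pids reports.
count_hidden() {
    hidden_pids "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Parser and ps format agree: nothing is reported.
echo "ps ax, PID read from column 1: $(count_hidden "$PROC_PIDS" "$PS_AX" 1) hidden"
# Parser expects column 1 but ps printed the PID in column 2: every PID is "hidden".
echo "ps -ef, PID read from column 1: $(count_hidden "$PROC_PIDS" "$PS_EF" 1) hidden"
# Parser adjusted to the format actually in use: clean again.
echo "ps -ef, PID read from column 2: $(count_hidden "$PROC_PIDS" "$PS_EF" 2) hidden"
```

A hidden count that equals, or nearly equals, the total number of processes points at a parsing or invocation mismatch rather than at a kernel module hiding selected processes.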