On Sunday 16 July 2006 19:54, Hemmann, Volker Armin wrote:
> On Sunday 16 July 2006 20:25, Dave S wrote:
> > Hi, I have a potential security problem ...
> >
> > and err it's not on gentoo, it's on ubuntu but I am not getting any
> > response there & you guys are the most tech bunch I know - Thought I
> > would lay it on the table :)
> >
> > I just had an email from chkrootkit last night -
> >
> > ---
> >
> > The following suspicious files and directories were found:
> >
> > You have 3 process hidden for readdir command
> > You have 3 process hidden for ps command
> > chkproc: Warning: Possible LKM Trojan installed
> >
> > ---
> >
> > Running chkrootkit now and all is OK
> >
> > [EMAIL PROTECTED]:~#
> > [EMAIL PROTECTED]:~# chkrootkit | grep chkproc
> > Checking `lkm'... chkproc: nothing detected
> > [EMAIL PROTECTED]:~#
> >
> > I have even 'sudo install --reinstall chkrootkit' in case its binaries
> > have been modified (paranoid)
>
> if you installed using the tools of the system, it could be worthless,
> because compromised. Boot from a cd and check from the cd.

I understand. Booted from knoppix 5.0.1, executed a 'chroot /mnt/hda1 chkrootkit' and a 'chroot /mnt/hda1 rkhunter -c' - both scans brought back nothing.

From what I have read the chkrootkit & rkhunter binaries would have been from the CD and therefore untainted? Am I correct?

Are there any other checks I can do - re-installing the system is not my preferred option :)

Dave
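
An added example, not part of the original thread and not chkrootkit's own code: a sketch of the cross-view comparison that a "hidden for readdir" / "hidden for ps" warning reports, assuming Linux `/proc` and a procps-style `ps`; all function names are hypothetical. It takes each listing before and after the probe and repeats the scan, because processes that start or exit mid-scan otherwise show up as differences, and it skips thread IDs, which resolve under `/proc` but are never listed.

```python
import os
import subprocess

def listed_pids(proc="/proc"):
    """View 1: PIDs returned by a directory listing (readdir) of /proc."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}

def ps_pids():
    """View 2: PIDs reported by the ps binary found on PATH."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def probed_pids(max_pid, proc="/proc"):
    """View 3: look each PID up by name, bypassing the directory listing."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            with open(f"{proc}/{pid}/status") as fh:
                fields = dict(line.split(":", 1) for line in fh if ":" in line)
        except OSError:
            continue  # no such process, or it exited mid-read
        # Thread IDs resolve under /proc but are not listed; keep only
        # thread-group leaders so threads are not reported as hidden.
        if int(fields.get("Tgid", "-1")) == pid:
            found.add(pid)
    return found

def hidden(probed, before, after):
    """PIDs reachable by name but missing from both snapshots of a view."""
    return probed - (before | after)

def scan(rounds=3):
    """Return (hidden_from_readdir, hidden_from_ps) seen in every round."""
    with open("/proc/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    keep_rd = keep_ps = None
    for _ in range(rounds):
        rd0, ps0 = listed_pids(), ps_pids()
        probed = probed_pids(max_pid)
        rd1, ps1 = listed_pids(), ps_pids()
        h_rd, h_ps = hidden(probed, rd0, rd1), hidden(probed, ps0, ps1)
        keep_rd = h_rd if keep_rd is None else keep_rd & h_rd
        keep_ps = h_ps if keep_ps is None else keep_ps & h_ps
    return keep_rd, keep_ps

if __name__ == "__main__":
    for view, pids in zip(("readdir", "ps"), scan()):
        print(f"hidden from {view}:", sorted(pids))
```

All three views are answered by the running kernel, so an empty result on a live system is weaker evidence than a check made after booting from separate media.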

