On Sunday 16 July 2006 21:54, Dave S wrote:
> On Sunday 16 July 2006 19:54, Hemmann, Volker Armin wrote:
> > On Sunday 16 July 2006 20:25, Dave S wrote:
> > > Hi, I have a potential security problem ...
> > >
> > > and err it's not on Gentoo, it's on Ubuntu but I am not getting any
> > > response there & you guys are the most tech bunch I know - Thought I
> > > would lay it on the table :)
> > >
> > > I just had an email from chkrootkit last night -
> > >
> > > ---
> > >
> > > The following suspicious files and directories were found:
> > >
> > > You have 3 process hidden for readdir command
> > > You have 3 process hidden for ps command
> > > chkproc: Warning: Possible LKM Trojan installed
> > >
> > > ---
> > >
> > > Running chkrootkit now and all is OK
> > >
> > > [EMAIL PROTECTED]:~#
> > > [EMAIL PROTECTED]:~# chkrootkit | grep chkproc
> > > Checking `lkm'... chkproc: nothing detected
> > > [EMAIL PROTECTED]:~#
> > >
> > > I have even 'sudo install --reinstall chkrootkit' in case its binaries
> > > have been modified (paranoid)
> >
> > If you installed using the tools of the system, it could be worthless,
> > because compromised. Boot from a CD and check from the CD.
>
> I understand. Booted from Knoppix 5.0.1, executed a
>
> 'chroot /mnt/hda1 chkrootkit' and a
> 'chroot /mnt/hda1 rkhunter -c'
>
> - both scans brought back nothing. From what I have read the chkrootkit &
> rkhunter binaries would have been from the CD and therefore untainted? Am I
> correct?
>

No, if you chroot, the binaries from the chroot are used. Use chkrootkit
without chrooting - best with full path (/usr/sbin/chkrootkit)
--
[email protected] mailing list
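The advice in the last reply, as an added example that is not part of the original thread: run the rescue CD's scanner by absolute path against the mounted disk instead of chrooting into it, and refuse to run if the scanner binary resolves to a file on the suspect disk. The helper names `tool_is_outside_root` and `scan_mounted_root` are hypothetical; `/usr/sbin/chkrootkit` and `/mnt/hda1` are the paths mentioned in the thread, and `-r` is chkrootkit's option for naming an alternate root directory.

```shell
#!/bin/sh
# Added example (not from the thread). Helper names are hypothetical.

# Return 0 only if TOOL, after resolving symlinks, is an executable that
# lives outside SUSPECT_ROOT. Return 1 if it is on the suspect disk,
# 2 if it cannot be resolved or is not executable.
tool_is_outside_root() {
    _tool=$(readlink -f -- "$1") || return 2
    _root=$(readlink -f -- "$2") || return 2
    [ -x "$_tool" ] || return 2
    # If the "suspect root" is /, every binary is on it.
    [ "$_root" = "/" ] && return 1
    case "$_tool" in
        "$_root"/*) return 1 ;;   # binary comes from the suspect disk
        *)          return 0 ;;
    esac
}

# Run the scanner from trusted media against the mounted root, no chroot.
scan_mounted_root() {
    scanner=$1
    suspect=$2
    if ! tool_is_outside_root "$scanner" "$suspect"; then
        echo "refusing: $scanner is missing or is on the suspect disk" >&2
        return 1
    fi
    # -r DIR: chkrootkit treats DIR as the root directory to examine.
    "$scanner" -r "$suspect"
}

# Usage on the rescue CD, with the paths named in the thread:
#   scan_mounted_root /usr/sbin/chkrootkit /mnt/hda1
```

The symlink resolution matters because a path under the CD's directories can still point at a file on the mounted disk.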

