My overnight run of rkhunter 1.3.2 on a Fedora Core 7 machine issued the following warning:

Warning: Sebek LKM [ Warning ]
Kernel symbol 'adore or sebek' found

The log lines read:

[04:37:32] Checking for Sebek LKM...
[04:37:32] Checking for kernel symbol 'adore or sebek' [ Found ]
[04:37:32] Warning: Sebek LKM [ Warning ]
[04:37:32] Kernel symbol 'adore or sebek' found

When I re-run the check manually, rkhunter gives the system an all-clear and doesn't report any sign of Sebek.

Running chkrootkit reports:

Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Checking `chkutmp'... *** stack smashing detected ***: ./chkutmp terminated
/usr/lib/chkrootkit-0.48/chkrootkit: line 172: 22700 Aborted ./chkutmp

Do I assume that my system is compromised, and that the attackers have not only installed Sebek, but have crippled rkhunter so that it can't detect it any more?

If anyone has any tips on where to go next to get rid of the installed rootkit, these would be appreciated.

Thanks,
Angus