Hi,

On 26/09/2010 06:47, JD wrote:
I ran rkhunter --check

However, nothing was found.

I then ran chkrootkit,

chkrootkit found this, but I have no idea where the process is:

Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed

I have no idea where the hidden process for ps is.

So, did rkhunter miss something or is chkrootkit just guessing?
RkHunter very probably shows the correct result.

The -v option of chkrootkit will print the guilty process(es).
Due to the way chkrootkit does its /proc vs ps test, there is a good probability those are false positives.

Be aware that chkrootkit hasn't been updated for a long time and that the last released
version (0.49) doesn't even include a bunch of preexisting bug fixes.
If you're comfortable with patching and compiling, you can find most of the patches here: http://ftp.de.debian.org/debian/pool/main/r/rkhunter/rkhunter_1.3.6-4.debian.tar.gz and here: http://pkgs.fedoraproject.org/gitweb/?p=chkrootkit.git;a=commit;h=ee3b5ac98da9dd6946a30a16afaeb40ec7aee0ec and http://pkgs.fedoraproject.org/gitweb/?p=chkrootkit.git;a=tree;h=8d4baa1fcb62c0d6af421bfa5b82564bc9ffe504;hb=8d4baa1fcb62c0d6af421bfa5b82564bc9ffe504
Note that some patches are only relevant for Debian or Fedora.
Even with all these patches installed, and if I read the chkrootkit sources correctly, the thread test doesn't work any more on Linux 2.6+. Only hidden processes can possibly be detected.

Sorry for the noise about chkrootkit.

Patrick.
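The /proc-vs-ps comparison Patrick refers to, and the two reasons it over-reports on Linux 2.6+, can be reproduced with a small standalone probe. The script below is an added example written for this thread, not chkrootkit's chkproc code: it asks the kernel which PIDs exist with kill(pid, 0), compares that with a directory listing of /proc and with the output of ps, and then discards the two usual false positives: thread IDs (which answer kill() and are reachable as /proc/<tid>/status, but are never listed by readdir or ps) and short-lived processes that exit between one check and the next (only PIDs flagged in every pass are kept). It assumes a Linux host with /proc mounted; ps is optional, and the 65536 PID scan limit is an arbitrary cap chosen for speed.

```python
# Added example (not chkrootkit's code): a minimal hidden-process probe of the
# kind chkproc performs, with filters for its usual false positives on Linux 2.6+:
# thread IDs, which answer kill(tid, 0) but are never listed by readdir("/proc")
# or ps, and short-lived processes that exit between the syscall probe and the
# /proc listing. Assumes Linux with /proc mounted; ps is optional.
import os
import subprocess
import threading
import time

SCAN_LIMIT = 65536  # cap on the PID range probed, chosen for speed (assumption)


def pids_by_syscall(limit=SCAN_LIMIT):
    """PIDs the kernel admits exist: kill(pid, 0) succeeds or fails with EPERM.
    Thread IDs are included here, which is why a raw comparison over-reports."""
    found = set()
    for pid in range(1, limit + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists but belongs to another user
        found.add(pid)
    return found


def pids_by_readdir():
    """PIDs that a directory listing of /proc shows (this is what ps reads too)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_by_ps():
    """PIDs as ps reports them, or None when ps is not installed."""
    try:
        out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return {int(tok) for tok in out.split() if tok.isdigit()}


def is_thread(pid):
    """/proc/<tid>/status can be opened by name even though readdir never lists
    a TID; a Tgid different from the ID itself marks a thread, not a process."""
    try:
        with open(f"/proc/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False


def classify_pid(pid, listed=None):
    """'visible' (in readdir), 'thread', 'gone' (exited: a race, not a rootkit)
    or 'hidden' (kernel says it exists, the /proc listing does not show it)."""
    if listed is None:
        listed = pids_by_readdir()
    if pid in listed:
        return "visible"
    if is_thread(pid):
        return "thread"
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return "gone"
    except PermissionError:
        pass
    return "hidden"


def persistent(suspect_sets):
    """Keep only PIDs flagged in every pass, so transient processes drop out."""
    if not suspect_sets:
        return set()
    return set.intersection(*suspect_sets)


def scan(passes=3, delay=0.2, limit=SCAN_LIMIT):
    """Return (hidden_for_readdir, hidden_for_ps) after `passes` rounds."""
    readdir_suspects, ps_suspects = [], []
    for _ in range(passes):
        listed = pids_by_readdir()
        readdir_suspects.append({p for p in pids_by_syscall(limit)
                                 if classify_pid(p, listed) == "hidden"})
        seen_by_ps = pids_by_ps()
        ps_suspects.append(listed - seen_by_ps if seen_by_ps is not None else set())
        time.sleep(delay)
    return persistent(readdir_suspects), persistent(ps_suspects)


def own_pid_verdict():
    """The running interpreter is a normal listed process."""
    return classify_pid(os.getpid())


def demo_thread_classification():
    """Spawn a thread and classify its native TID; a raw probe would call it hidden."""
    tid, ready, release = [], threading.Event(), threading.Event()

    def worker():
        tid.append(threading.get_native_id())
        ready.set()
        release.wait()

    worker_thread = threading.Thread(target=worker)
    worker_thread.start()
    ready.wait()
    verdict = classify_pid(tid[0])
    release.set()
    worker_thread.join()
    return verdict


if __name__ == "__main__":
    hidden_readdir, hidden_ps = scan()
    print("hidden for readdir:", sorted(hidden_readdir))
    print("hidden for ps:", sorted(hidden_ps))
    print("own thread classified as:", demo_thread_classification())
```

Run it as root to cover processes owned by other users (kill(pid, 0) still reports their existence as EPERM, but /proc/<pid>/status may not be readable without privilege). A PID that survives all passes as "hidden" is worth a closer look with the -v output chkrootkit gives; one that appears in a single pass only is the race condition Patrick describes.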

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users