LKM Trojan?

2007-02-18 Thread FreeBSD MailingLists

When I run chkrootkit I get the following lines.
Checking `lkm'... You have   107 process hidden for readdir command
chkproc: Warning: Possible LKM Trojan installed
rkhunter doesn't seem to find anything.
I suspect that my machine might be compromised.
Running ls in the /proc directory returns an empty list.
I have recompiled the kernel and world but the problem persists.
Any suggestions on how to fix this without having to reinstall from scratch?

TIA,
Tomoki
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: LKM Trojan?

2007-02-18 Thread Josh Carroll

running ls in the /proc directory returns an empty list.
I have recompiled the kernel and world but the problem persists.
Any suggestions on how to fix this without having to reinstall from scratch?
Are you sure /proc is mounted? I don't think it's mounted by default.
Check the output of mount and see if it's mounted or not.

Josh


Re: LKM Trojan?

2007-02-18 Thread Kris Kennaway
On Sun, Feb 18, 2007 at 11:04:18PM +0900, FreeBSD MailingLists wrote:
 When I run chkrootkit I get the following lines.
 
 Checking `lkm'... You have   107 process hidden for readdir command
 chkproc: Warning: Possible LKM Trojan installed
 
 rkhunter doesn't seem to find anything.
 I suspect that my machine might be compromised.
 Running ls in the /proc directory returns an empty list.
 I have recompiled the kernel and world but the problem persists.
 Any suggestions on how to fix this without having to reinstall from scratch?

When using any tool you need to understand the limitations of that
tool.  One of the major limitations of this kind of pattern
recognition security tool is that they just aren't very accurate,
and have lots of false positives.  So you may have a LKM trojan
(even though FreeBSD doesn't use LKMs, it uses KLDs ;), or (more
likely) you might have just encountered a poorly specified search
pattern in the tool.

Kris
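Josh's suggestion (check whether /proc is mounted at all) and Kris's point (a pattern-based checker that reports every process as "hidden" is a false positive waiting to happen) can be tied together in a small script. The following is an added example written for this thread, not code from chkrootkit or from any poster; it approximates chkproc's "hidden for readdir" test as "PIDs that ps reports but that have no entry under /proc", and it refuses to draw that conclusion when no procfs is mounted on /proc. The sample mount output is constructed, and the assumption that a FreeBSD procfs line reads "procfs on /proc (procfs, local)" is the author's, not the thread's.

```shell
#!/bin/sh
# Constructed sample of `mount` output from a box where /proc is NOT mounted
# (assumed FreeBSD formatting; not taken from the thread).
SAMPLE_MOUNT_NO_PROC='/dev/ad0s1a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/ad0s1d on /usr (ufs, local, soft-updates)'

# Same box with procfs mounted on /proc.
SAMPLE_MOUNT_WITH_PROC="$SAMPLE_MOUNT_NO_PROC
procfs on /proc (procfs, local)"

# procfs_mounted MOUNT_OUTPUT
# Succeeds (exit 0) only if a procfs filesystem is mounted on /proc.
procfs_mounted() {
    printf '%s\n' "$1" | grep -q '^procfs on /proc '
}

# hidden_pid_count "PIDS_FROM_PS" "PIDS_FROM_PROC_READDIR"
# Prints how many PIDs ps knows about that do not appear as /proc entries.
# This is the comparison a "hidden process" check boils down to: with an
# empty /proc listing, every process looks hidden.
hidden_pid_count() {
    ps_pids=$1
    proc_dirs=$2
    count=0
    for p in $ps_pids; do
        case " $proc_dirs " in
            *" $p "*) ;;                      # present in /proc: fine
            *) count=$((count + 1)) ;;        # ps sees it, /proc does not
        esac
    done
    echo "$count"
}

# explain_lkm_result MOUNT_OUTPUT "PIDS_FROM_PS" "PIDS_FROM_PROC_READDIR"
# Prints one of: procfs-not-mounted | clean | hidden:N
explain_lkm_result() {
    if ! procfs_mounted "$1"; then
        # Without procfs the readdir side of the comparison is empty, so a
        # "N processes hidden" verdict would be meaningless.
        echo "procfs-not-mounted"
        return 0
    fi
    n=$(hidden_pid_count "$2" "$3")
    if [ "$n" -gt 0 ]; then
        echo "hidden:$n"
    else
        echo "clean"
    fi
}

# live_check: run the same logic against the current system.
# `ps -ax -o pid=` and `ls /proc` are standard on FreeBSD and Linux; numeric
# entries only are kept because FreeBSD procfs also exposes "curproc".
live_check() {
    explain_lkm_result "$(mount)" \
        "$(ps -ax -o pid=)" \
        "$(ls /proc 2>/dev/null | grep -E '^[0-9]+$')"
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it as `sh check_proc.sh --live` on the machine in question; a result of `procfs-not-mounted` means the chkrootkit warning cannot be trusted until procfs is mounted (or the check is rerun in a way that does not depend on /proc), while `hidden:N` with procfs mounted is worth a closer look with a tool that does not rely on the same kernel interfaces.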