| Hi there,
|
| I am relatively new to security and to this list. My name is
| Michael Weber, I'm a network admin from Germany and I hope you can help
| me to solve this riddle:
|
| When starting "chkrootkit" (v 0.38) I get the message:
|
| "You have 4 process hidden for ps command" and the hint for a probably
| installed "LKM Rootkit". So far, so good. "chkproc" with verbose option
| enabled (-v) says:
|
| [EMAIL PROTECTED] chkrootkit-0.38]# ./chkproc -v
| PID 26194: not in ps output
| PID 26195: not in ps output
| PID 26196: not in ps output
| PID 26197: not in ps output
| You have 4 process hidden for ps command
|
| That's fine, now we know the PID and can ask...
|
| [EMAIL PROTECTED] chkrootkit-0.38]# ps p 26194
| PID TTY STAT TIME COMMAND
| 26194 ? S 0:00 named -u named
|
Are you running Red Hat?

Todd

--

| Seems to be the name daemon, that's okay - a little nameserver for the
| local net (and only reachable by the local IP) is running. The 3 others
| deliver the same output. Looks like a bug in "chkrootkit" but - how safe
| can I be that this is really a bug and not a clever LKM? I guess that
| a rootkit will not be named "youhavebeencracked"...
|
| Sorry for my English, feel free to correct it if necessary.
|
| regards,
| Michael Weber
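An added example, not part of the original messages or of chkrootkit: a way to triage the PIDs that "chkproc -v" reports by reading /proc/<pid>/status for each one and separating thread IDs (Tgid differs from Pid) from processes in their own right. The function names are hypothetical, the sample input is constructed from the output quoted above, and treating threads as a benign explanation to rule out is an assumption that the thread itself does not establish.

```python
import os
import re

# Constructed sample: the chkproc -v lines quoted in the message above.
SAMPLE = """\
PID 26194: not in ps output
PID 26195: not in ps output
PID 26196: not in ps output
PID 26197: not in ps output
You have 4 process hidden for ps command
"""

def reported_pids(chkproc_output):
    """Extract the PIDs that chkproc -v flagged as missing from ps."""
    return [int(p) for p in
            re.findall(r"^PID\s+(\d+): not in ps output", chkproc_output, re.M)]

def status_fields(pid, proc_root="/proc"):
    """Read Name/Pid/Tgid/PPid from <proc_root>/<pid>/status; None if unreadable."""
    fields = {}
    try:
        with open(os.path.join(proc_root, str(pid), "status")) as fh:
            for line in fh:
                key, _, value = line.partition(":")
                if key in ("Name", "Pid", "Tgid", "PPid"):
                    fields[key] = value.strip()
    except OSError:
        return None
    return fields

def triage(chkproc_output, proc_root="/proc"):
    """Map each flagged PID to (kind, name, related_id) for manual follow-up."""
    results = {}
    for pid in reported_pids(chkproc_output):
        st = status_fields(pid, proc_root)
        if st is None:
            results[pid] = ("gone-or-unreadable", None, None)  # exited, or no access
        elif st.get("Tgid", str(pid)) != str(pid):
            # Thread ID: the owning process is Tgid; check that one in ps instead.
            results[pid] = ("thread", st.get("Name"), st["Tgid"])
        else:
            # A process in its own right: compare Name/PPid with `ps p <pid>`.
            results[pid] = ("process", st.get("Name"), st.get("PPid"))
    return results

if __name__ == "__main__":
    for pid, verdict in sorted(triage(SAMPLE).items()):
        print(pid, verdict)
```

A kernel-level rootkit can falsify /proc as well as ps, so a result from this script narrows the question rather than settling it; comparing against a process listing taken with known-good binaries remains the stronger check.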
