Michael Weber shocked and awed us all by speaking:
> "You have 4 process hidden for ps command" and the hint for a probably
> installed "LKM Rootkit". So far, so good. "chkproc" with verbose option
> enabled (-v) say:
>
> [EMAIL PROTECTED] chkrootkit-0.38]# ./chkproc -v
> PID 26194: not in ps output
> PID 26195: not in ps output
> PID 26196: not in ps output
> PID 26197: not in ps output
> You have 4 process hidden for ps command
>
> That's fine, now we know the PID and can ask...
>
> [EMAIL PROTECTED] chkrootkit-0.38]# ps p 26194
> PID TTY STAT TIME COMMAND
> 26194 ? S 0:00 named -u named
>
> Seems to be the name daemon, that's okay - a little nameserver for the
> local net (and only reachable by the local IP) is running. The 3 other
> deliver the same output. Looks like a bug in "chkrootkit" but - how safe
> can I be that this is really a bug and not a clever LKM? I guess that
> a rootkit will not be named "youhavebeencracked"...

What kernel version? I've been running chkrootkit for a while now, and since
upgrading to 2.6.0-test2, it started doing the same thing to me. I believe
it's a bug in chkrootkit that is tickled by differences in the new kernel.

-- 
Douglas J Hunley (doug at hunley.homeip.net) - Linux User #174778
http://doug.hunley.homeip.net && http://www.linux-sxs.org

One item could not be deleted because it was missing.
  -- Mac System 7.0b1 error message
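One way to follow up on a "not in ps output" report like the one quoted above, added here as an example and not part of the original message or of chkrootkit: it assumes a kernel whose /proc/<pid>/status exposes Tgid and Pid, and checks whether each flagged PID is a thread ID belonging to a process that ps does list. The function names and all sample PIDs and status text are constructed for illustration.

```python
# Constructed sample data (not from the original message): PIDs that ps
# lists, and /proc/<pid>/status text for PIDs flagged as missing from ps.
PS_PIDS = {1, 412, 26193}
STATUS = {
    26194: "Name:\tnamed\nState:\tS (sleeping)\nTgid:\t26193\nPid:\t26194\nPPid:\t1\n",
    26195: "Name:\tnamed\nState:\tS (sleeping)\nTgid:\t26193\nPid:\t26195\nPPid:\t1\n",
    31337: "Name:\tsshd\nState:\tS (sleeping)\nTgid:\t31337\nPid:\t31337\nPPid:\t1\n",
}


def parse_status(text):
    """Return the 'Key: value' fields of a /proc/<pid>/status file as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def classify(pid, status_text, ps_pids):
    """Classify one PID that was reported as missing from ps output."""
    fields = parse_status(status_text)
    try:
        tgid, own = int(fields["Tgid"]), int(fields["Pid"])
    except (KeyError, ValueError):
        return "unreadable"      # status file missing or malformed
    if own != pid:
        return "inconsistent"    # /proc entry disagrees with the PID probed
    if tgid != pid and tgid in ps_pids:
        # A thread ID whose thread-group leader is visible in ps.
        return "thread of %d (%s)" % (tgid, fields.get("Name", "?"))
    return "unexplained"         # own thread group, yet absent from ps


def triage(status_by_pid, ps_pids):
    """Map every flagged PID to a verdict."""
    return {pid: classify(pid, text, ps_pids)
            for pid, text in sorted(status_by_pid.items())}


if __name__ == "__main__":
    for pid, verdict in triage(STATUS, PS_PIDS).items():
        print(pid, verdict)
```

Anything that comes back "unexplained" or "inconsistent" is what deserves a closer look, ideally from trusted boot media, since the /proc contents read on the running system come from the same kernel that is under suspicion.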