Dear SLUG,

Is this a trojan or a bug or me doing something stupid? I'm running sid on a 2.4.20 kernel.

This is the output that got me worried to begin with:

# chkrootkit lkm
ROOTDIR is `/'
Checking `lkm'... You have 4 process hidden for ps command
Warning: Possible LKM Trojan installed

And ps shows up 4 processes of PID 0 which is pretty strange, right?

$ ps aux
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.3  0.0  1484  488 ?        S    20:52   0:04 init [2]
root         2  0.0  0.0     0    0 ?        SW   20:52   0:00 [keventd]
root         0  0.0  0.0     0    0 ?        SWN  20:52   0:00[ksoftirqd_CPU0]
root         0  0.0  0.0     0    0 ?        SW   20:52   0:00 [kswapd]
root         0  0.0  0.0     0    0 ?        SW   20:52   0:00 [bdflush]
root         0  0.0  0.0     0    0 ?        SW   20:52   0:00 [kupdated]
root        62  0.0  0.0     0    0 ?        SW   20:52   0:00 [kapmd]
root        71  0.0  0.0     0    0 ?        SW   20:52   0:00 [khubd]

But in /proc there are processes 3 4 5 and 6 which seem to correspond to these PID 0 processes. E.g.

# cat /proc/3/status
Name:   ksoftirqd_CPU0
State:  S (sleeping)
Tgid:   0
Pid:    3
PPid:   1
TracerPid:      0
Uid:    0       0       0       0
Gid:    0       0       0       0
FDSize: 32
Groups:
SigPnd: 0000000000000000
SigBlk: ffffffffffffffff
SigIgn: 0000000000000000
SigCgt: 0000000000000000
CapInh: 0000000000000000
CapPrm: 00000000ffffffff
CapEff: 00000000fffffeff

Is there something else I should be looking at to determine if something nasty is going on?

Any help will be appreciated.

Thanks,
David

--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
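An added example, not part of the original post: a Python check that compares each numeric /proc directory name with the Pid and Tgid fields in its status file and reports entries where they disagree, as they do in the /proc/3/status output quoted above. The function names are hypothetical and the sample text is constructed from the fields in the post; a reported mismatch reproduces the inconsistency, it does not identify its cause.

```python
import os

# Constructed sample: the first fields of the /proc/3/status output in the post.
SAMPLE_STATUS = """Name:\tksoftirqd_CPU0
State:\tS (sleeping)
Tgid:\t0
Pid:\t3
PPid:\t1
"""


def parse_status(text):
    """Return the 'Key: value' lines of a /proc/<pid>/status file as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_entry(dirname, status_text):
    """Compare a /proc directory name with the Pid and Tgid it reports.

    Returns a list of mismatch descriptions; an empty list means consistent.
    """
    fields = parse_status(status_text)
    problems = []
    pid, tgid = fields.get("Pid"), fields.get("Tgid")
    if pid is None or tgid is None:
        return ["status file has no Pid/Tgid field"]
    if pid != dirname:
        problems.append(f"directory {dirname} reports Pid {pid}")
    if tgid != pid:
        problems.append(f"Tgid {tgid} differs from Pid {pid}")
    return problems


def scan_proc(root="/proc"):
    """Run check_entry over every numeric directory under root."""
    findings = {}
    for name in sorted(filter(str.isdigit, os.listdir(root)), key=int):
        try:
            with open(os.path.join(root, name, "status")) as fh:
                problems = check_entry(name, fh.read())
        except OSError:
            continue  # process exited between listdir() and open()
        if problems:
            findings[name] = (parse_status_name(root, name), problems)
    return findings


def parse_status_name(root, name):
    """Best-effort process name for the report; empty if the process is gone."""
    try:
        with open(os.path.join(root, name, "status")) as fh:
            return parse_status(fh.read()).get("Name", "")
    except OSError:
        return ""


if __name__ == "__main__":
    print("sample:", check_entry("3", SAMPLE_STATUS))
```
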
