On Thu, 24 Feb 2005 19:22:22 +1100, O Plameras
<[EMAIL PROTECTED]> wrote:
> Ff. is a sample of positive result showing possible
> Loadable Kernel Module (LKM) Trojan:
> 
> [EMAIL PROTECTED] chkrootkit-0.45]# ./chkrootkit
> 
> .........snipped.................
> Searching for ESRK rootkit default files... nothing found
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... not infected
> Checking `lkm'... You have     3 process hidden for readdir command
> You have     3 process hidden for ps command
> chkproc: Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... br0: not promisc and no PF_PACKET sockets
> Checking `w55808'... not infected
> .........snipped..................

Is this a recent version? chkrootkit used not to handle 2.6's new way of
"hiding" threads and reported them as hidden processes just like above.
Apparently recent versions know how to handle this.

Cheers,

--Amos
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
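
Added example, not part of the thread and not chkrootkit's own code: a triage sketch for the warning discussed above. It probes every id under /proc directly and separates ids absent from the directory listing into ordinary 2.6+ threads (Tgid differs from Pid in `status`) and ids that still need explaining. The function names and the sample data are assumptions made for illustration.

```python
import os

def parse_ids(status_text):
    """Return (Tgid, Pid) from the text of /proc/<id>/status."""
    ids = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key in ("Tgid", "Pid"):
            ids[key] = int(value.split()[0])
    return ids.get("Tgid"), ids.get("Pid")

def listed_ids(root="/proc"):
    """Numeric entries that readdir() on /proc returns."""
    return {int(n) for n in os.listdir(root) if n.isdigit()}

def read_status(task_id, root="/proc"):
    """Probe /proc/<id>/status directly; None if no such task."""
    try:
        with open(f"{root}/{task_id}/status") as fh:
            return fh.read()
    except OSError:
        return None

def classify(listed, status_of, max_id):
    """Split ids that answer a direct probe but are absent from readdir."""
    threads, unexplained = [], []
    for task_id in range(1, max_id + 1):
        text = None if task_id in listed else status_of(task_id)
        if text is None:
            continue
        tgid, pid = parse_ids(text)
        if tgid is not None and tgid != pid:
            threads.append((task_id, tgid))  # non-leader thread: normal on 2.6+
        else:
            unexplained.append(task_id)      # whole process missing from readdir
    return threads, unexplained

# Constructed sample: process 100 with threads 101/102; id 200 is unlisted.
SAMPLE_LISTED = {1, 100}
SAMPLE_STATUS = {i: f"Name:\tdemo\nTgid:\t{tgid}\nPid:\t{i}\n"
                 for i, tgid in [(1, 1), (100, 100), (101, 100), (102, 100), (200, 200)]}

if __name__ == "__main__":
    limit = int(open("/proc/sys/kernel/pid_max").read())
    threads, unexplained = classify(listed_ids(), read_status, limit)
    # Ids that started after the first listing are a scan race, not hiding.
    now_listed = listed_ids()
    unexplained = [i for i in unexplained if i not in now_listed]
    print(f"{len(threads)} thread ids absent from readdir (expected on 2.6+)")
    print("unexplained ids:", unexplained or "none")
```

An empty "unexplained" list points to the thread false positive described above; this check reads /proc through the same kernel a rootkit would control, so a clean result does not prove the host is clean.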
