Re: chkrootkit and LKM?

From: Ali-Reza Anghaie (aliat_private)
Date: Mon Jun 16 2003 - 18:26:42 PDT

Next message: L Whiteside: "Wierd Profile in Document Settings"

Previous message: Janus N.: "chkrootkit and LKM?"
In reply to: Janus N.: "chkrootkit and LKM?"
Next in thread: Janus N.: "Re: chkrootkit and LKM?"
Next in thread: Tim Greer: "Re: chkrootkit and LKM?"
Reply: Janus N.: "Re: chkrootkit and LKM?"
Reply: Blade Runner: "Re: chkrootkit and LKM?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Monday 16 June 2003 10:59, Janus N. wrote:
> I using a RHL9 as my workstation. A few days ago I downloaded chkrootkit
> and it consistently gives the same output (>20 hidden processes) when
> checking for LKM rootkit:
>
> Checking `lkm'... You have    38 process hidden for readdir command
> Warning: Possible LKM Trojan installed
>
> This is even after reboots. How can I check if this is actually the work
> of the LKM? Or any other rootkit for that matter?

What does "chkrootkit -x lkm" return? If anything...

If it shows PIDs you'll want to hunt through /proc manually for those 
processes.

Cheers, -Ali

-- 
OpenPGP Key: 030E44E6
--
Was I helpful?:  http://svcs.affero.net/rm.php?r=packetknife
--
War is evil, but it is often the lesser evil. -- George Orwell

application/pgp-signature attachment: signature

Next message: L Whiteside: "Wierd Profile in Document Settings"
Previous message: Janus N.: "chkrootkit and LKM?"
In reply to: Janus N.: "chkrootkit and LKM?"
Next in thread: Janus N.: "Re: chkrootkit and LKM?"
Next in thread: Tim Greer: "Re: chkrootkit and LKM?"
Reply: Janus N.: "Re: chkrootkit and LKM?"
Reply: Blade Runner: "Re: chkrootkit and LKM?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jun 16 2003 - 18:29:35 PDT