On Monday 16 June 2003 10:59, Janus N. wrote:
> I am using RHL9 as my workstation. A few days ago I downloaded chkrootkit
> and it consistently gives the same output (>20 hidden processes) when
> checking for LKM rootkit:
>
> Checking `lkm'... You have 38 process hidden for readdir command
> Warning: Possible LKM Trojan installed
>
> This is even after reboots. How can I check if this is actually the work
> of the LKM? Or any other rootkit for that matter?

What does "chkrootkit -x lkm" return? If anything... If it shows PIDs you'll
want to hunt through /proc manually for those processes.

Cheers,
-Ali

-- OpenPGP Key: 030E44E6
-- Was I helpful?: http://svcs.affero.net/rm.php?r=packetknife
-- War is evil, but it is often the lesser evil.
-- George Orwell
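
One way to do the manual /proc check suggested in the reply above, as an added example that is not part of the original message or of chkrootkit: for each reported PID it compares a directory listing of /proc with a direct lookup of /proc/PID, and uses the Tgid and Pid fields of the status file to tell a thread from a thread-group leader. The function names are hypothetical and a Linux-style /proc (status, exe, cmdline) is assumed.

```shell
# Added example: triage PIDs that "chkrootkit -x lkm" reports as hidden.
# Function names are hypothetical; assumes a Linux-style /proc layout.

# classify_pid PROC_ROOT PID LISTING
#   LISTING: newline-separated names from a directory read of PROC_ROOT.
classify_pid() {
    root=$1; pid=$2; listing=$3
    # Direct lookup by name, independent of what a directory read returns.
    [ -d "$root/$pid" ] || { echo absent; return 0; }
    if printf '%s\n' "$listing" | grep -qxF "$pid"; then
        echo listed; return 0
    fi
    # Reachable by name but not listed. On Linux a thread's /proc/<tid> is
    # like that by design; its status file shows Tgid different from Pid.
    tgid=$(awk '$1 == "Tgid:" { print $2 }' "$root/$pid/status" 2>/dev/null) || tgid=
    if [ -n "$tgid" ] && [ "$tgid" != "$pid" ]; then
        echo "thread-of-$tgid"
    else
        echo unlisted-process   # thread-group leader missing from the listing
    fi
}

# describe_pid PROC_ROOT PID: what /proc itself says about the entry.
describe_pid() {
    root=$1; pid=$2
    name=$(awk '$1 == "Name:" { print $2 }' "$root/$pid/status" 2>/dev/null) || name=
    exe=$(readlink "$root/$pid/exe" 2>/dev/null) || exe=
    cmd=$(cat "$root/$pid/cmdline" 2>/dev/null | tr '\000' ' ' | sed 's/ *$//')
    printf 'name=%s exe=%s cmdline=%s\n' "${name:-?}" "${exe:-?}" "${cmd:-?}"
}

# triage_pids PID...: check the given PIDs against the live /proc.
triage_pids() {
    live=$(ls /proc)
    for p in "$@"; do
        verdict=$(classify_pid /proc "$p" "$live")
        if [ "$verdict" = absent ]; then
            printf '%s\t%s\n' "$p" "$verdict"
        else
            printf '%s\t%s\t%s\n' "$p" "$verdict" "$(describe_pid /proc "$p")"
        fi
    done
}

# Usage: sh triage.sh PID [PID...]
if [ "$#" -gt 0 ]; then triage_pids "$@"; fi
```

An `unlisted-process` verdict is the one to follow up on. A process that started after the listing was taken also lands there, so re-run the check before drawing conclusions.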
This archive was generated by hypermail 2b30 : Mon Jun 16 2003 - 18:29:35 PDT