PennyroyalFrog Apprentice
Joined: 07 Oct 2004 Posts: 194
Posted: Tue Jan 04, 2005 11:59 pm Post subject: possible lkm trojan only while doing emerge |
If I run chkrootkit while doing an emerge I get the following:
Code:
Checking `lkm'... You have 3 process hidden for ps command
Warning: Possible LKM Trojan installed

If I run chkrootkit while not doing an emerge, then I don't get any warning. Even stranger is that sometimes the amount of hidden processes varies, but it's always/only at 0 when I'm NOT doing an emerge... Could someone shed some light on this? Thanks.
|
ToeiRei Veteran
Joined: 03 Jan 2005 Posts: 1191 Location: Austria
Posted: Wed Jan 05, 2005 12:16 am Post subject: |
I do not know chkrootkit... I use rkhunter, but maybe it complains about child processes?
Rei
_________________
Please stand by - The mailer daemon is busy burning your messages in hell...
|
Mythos l33t
Joined: 02 May 2004 Posts: 953 Location: Portugal
Posted: Wed Jan 05, 2005 12:24 am Post subject: |
rkhunter, excellent tool
_________________
Best Regards,
Sérgio Henrique
Linux dune 3.0.6-gentoo #1 SMP Thu Oct 27 16:47:29 WEST 2011 x86_64 Intel(R) Core(TM)2 Duo CPU T7500 @ 2.20GHz GenuineIntel GNU/Linux
|
ToeiRei Veteran
Joined: 03 Jan 2005 Posts: 1191 Location: Austria
Posted: Wed Jan 05, 2005 12:29 am Post subject: |
Yeah, but the update mirrors are not the best.
For being really sure to have a clean system I would checksum the whole system (tripwire / aide ....) </paranoia>
Rei
_________________
Please stand by - The mailer daemon is busy burning your messages in hell...
|
speed_bump Tux's lil' helper
Joined: 10 Jan 2004 Posts: 92 Location: Wisconsin, USA
Posted: Wed Jan 05, 2005 12:52 am Post subject: |
There's most likely no LKM. Basically, to detect this scenario chkrootkit gathers ps output and then traverses the /proc directory looking for discrepancies. This means that you have two static pictures of the system taken at two different points in time. In many cases, this will be just fine. However, if you have a system where lots of processes are being created and destroyed very quickly (e.g. you're compiling lots of packages), those two snapshots may well disagree.
Unless you have other evidence to suggest a compromise, I'd leave it at that.
|
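The snapshot race speed_bump describes, as an added example (this is not chkrootkit's own code and not posted by anyone in this thread): ps is read first, /proc is walked a moment later, and every PID that exists in /proc but was not in the ps listing is counted as "hidden". Under emerge, compiler children forked between the two reads show up as hidden; a PID a kernel module really hides from ps stays hidden across repeated rounds. The sample ps text, the PID sets and the "rootkit" PID 31337 are constructed for illustration; `live_snapshot()` assumes a Linux procfs and a `ps` binary that accepts `-e -o pid=`.

```python
"""Hidden-process check in the style of chkrootkit's lkm test (added example,
not chkrootkit's code): diff the PIDs ps reports against numeric /proc entries,
and show why one pair of snapshots misfires during process churn."""
import os
import re
import subprocess
from typing import Iterable, List, Optional, Set, Tuple


def pids_from_ps(ps_output: str) -> Set[int]:
    """Parse PIDs from ps output: the first field of every row that starts
    with a number. The "PID TTY ..." header row is skipped automatically."""
    pids: Set[int] = set()
    for line in ps_output.splitlines():
        m = re.match(r"\s*(\d+)\s", line + " ")
        if m:
            pids.add(int(m.group(1)))
    return pids


def pids_from_proc(entries: Iterable[str]) -> Set[int]:
    """Every all-digit directory name under /proc is a process."""
    return {int(e) for e in entries if e.isdigit()}


def hidden_from_ps(ps_pids: Set[int], proc_pids: Set[int]) -> Set[int]:
    """PIDs that /proc knows about but ps did not list. An LKM that filters
    /proc readdir results makes ps miss them; so does any process forked
    after ps finished scanning (e.g. a gcc child spawned by emerge)."""
    return proc_pids - ps_pids


def persistent_hidden(rounds: List[Tuple[Set[int], Set[int]]]) -> Set[int]:
    """Intersect the hidden set over several (ps, /proc) snapshot pairs.
    A short-lived compiler child appears in at most one round; a PID
    hidden by a kernel module is missing from ps in every round."""
    result: Optional[Set[int]] = None
    for ps_pids, proc_pids in rounds:
        hidden = hidden_from_ps(ps_pids, proc_pids)
        result = hidden if result is None else result & hidden
    return result if result is not None else set()


def live_snapshot() -> Tuple[Set[int], Set[int]]:
    """One (ps, /proc) pair taken in the order the thread describes: ps
    first, /proc walk afterwards. Assumes Linux procfs and procps-style ps."""
    ps_out = subprocess.run(
        ["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True
    ).stdout
    return pids_from_ps(ps_out), pids_from_proc(os.listdir("/proc"))


# Constructed sample ps output (not captured from a real host).
SAMPLE_PS = """  PID TTY          TIME CMD
    1 ?        00:00:01 init
  100 ?        00:00:00 sshd
 5000 pts/0    00:00:02 emerge
"""

# Constructed rounds taken while a hypothetical emerge runs. PIDs 5001-5003
# are compiler children forked between the ps read and the /proc walk of
# round 1; 5011 likewise in round 2; round 3 caught a quiet moment.
BUSY_EMERGE_ROUNDS: List[Tuple[Set[int], Set[int]]] = [
    ({1, 2, 100, 5000}, {1, 2, 100, 5000, 5001, 5002, 5003}),
    ({1, 2, 100, 5010}, {1, 2, 100, 5010, 5011}),
    ({1, 2, 100}, {1, 2, 100}),
]

# Same churn, plus a hypothetical PID 31337 that a rootkit hides from ps
# in every round (constructed; no real malware involved).
ROOTKIT_ROUNDS = [(ps, proc | {31337}) for ps, proc in BUSY_EMERGE_ROUNDS]


if __name__ == "__main__":
    # Single-snapshot verdict: 3 "hidden" processes, exactly the forum symptom.
    print("round 1 hidden:", sorted(hidden_from_ps(*BUSY_EMERGE_ROUNDS[0])))
    # Repeated rounds: churn cancels out, a really hidden PID does not.
    print("persistent (emerge only):", persistent_hidden(BUSY_EMERGE_ROUNDS))
    print("persistent (rootkit):", persistent_hidden(ROOTKIT_ROUNDS))
    try:
        ps_pids, proc_pids = live_snapshot()
        # Our own PID may be missing from ps if ps exited before the walk.
        print("live hidden:", sorted(hidden_from_ps(ps_pids, proc_pids) - {os.getpid()}))
    except (OSError, subprocess.CalledProcessError) as exc:
        print("live check skipped:", exc)
```

The single-round check reproduces the "3 process hidden" verdict from nothing but fork timing, while intersecting three rounds empties the set for the emerge case and keeps 31337 for the hidden-PID case. Taking the live check further (re-running it a few times and only trusting PIDs that stay hidden) is the practical way to separate a build storm from a module that is filtering /proc.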
PennyroyalFrog Apprentice
Joined: 07 Oct 2004 Posts: 194
Posted: Wed Jan 05, 2005 12:54 am Post subject: |
Thanks for the replies. I also tried rkhunter with no 'positives'. Everything returned back normal.
|