On Sun, 2003-10-05 at 11:49, James Zawacki wrote:
> Hello, Just out of the blue, I've just started receiving these in my chkrootkit
> output some nights. Other nights it doesn't show up.
>

I have seen this and I went crazy testing a whole bunch of machines only to find
it was a false positive in my case. The one box in question was running sendmail
and was routing a lot of messages to an internal mail server. Many sendmail child
processes were being forked and there is a bit of a race condition there if the
process count is changing very rapidly, i.e. if the count changes between the ps
and chkrootkit tests. There are potentially a number of things that could cause
rapid process count changes, like shell scripts or stuff launched by inetd, so the
trigger could be something other than sendmail. I guess you could wrap chkrootkit
in a small script that does three tests in succession and only warns you on
multiple failures, or see if there is a way to decrease the latency in the
chkrootkit test.

Eric

> <snip>
> Checking `lkm'... You have 2 process hidden for readdir command
> You have 2 process hidden for ps command
> Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... eth0 is not promisc
> </snip>
>
> Now, from my research, it sounds like it's common under RedHat? But, why did it
> just start happening, and why only on this box? None of my other Raq4's are
> showing this.
>
> Thanks,
> James
>
> ---------------------------------------------------------------
> http://www.customlynx.com - Low cost web authoring and hosting!
> Get your FREE E-mail address or give them out! (culymail.com)
> _______________________________________________
> cobalt-security mailing list
> [EMAIL PROTECTED]
> http://list.cobalt.com/mailman/listinfo/cobalt-security
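An added example of the "run the test several times and only warn on repeated failures" idea from Eric's reply. This is not chkrootkit's own code and not from the original thread: chkrootkit's lkm test compares process *counts* from readdir(/proc) and ps, whereas the probe below (my variant) compares the actual PID sets, so a PID that is only hidden in one of three runs (a process that exited between the two snapshots) is dropped, while a PID that stays hidden across at least two runs is reported. The function names, the 3-runs/2-hits threshold and the `ps -e -o pid=` flags (procps/BSD style) are my assumptions; adjust for the platform.

```shell
#!/bin/sh
# Added example (not chkrootkit's code): repeat a hidden-process probe and
# alert only on PIDs that stay hidden across most runs, to filter out the
# readdir-vs-ps race caused by rapidly forking daemons such as sendmail.

# Live probe: PIDs present as /proc/<pid> directories but missing from ps
# output. Prints one suspect PID per line. A process that exits between the
# two snapshots shows up here once; a real LKM-hidden one shows up every time.
hidden_pids_live() {
    readdir_list=$(mktemp)
    ps_list=$(mktemp)
    for d in /proc/[0-9]*; do
        printf '%s\n' "${d#/proc/}"
    done | sort -u > "$readdir_list"
    ps -e -o pid= | tr -d ' ' | sort -u > "$ps_list"
    comm -23 "$readdir_list" "$ps_list"   # in readdir only, i.e. hidden from ps
    rm -f "$readdir_list" "$ps_list"
}

# consensus_hidden PROBE RUNS MIN_HITS
# Runs PROBE (any command printing one suspect PID per line) RUNS times and
# prints the PIDs that were reported in at least MIN_HITS of those runs.
# Returns 1 if any PID is persistently hidden, 0 otherwise.
consensus_hidden() {
    probe=$1
    runs=$2
    min_hits=$3
    hits=$(mktemp)
    i=0
    while [ "$i" -lt "$runs" ]; do
        "$probe" >> "$hits"
        i=$((i + 1))
    done
    # Count how many runs reported each PID; keep those at or above threshold.
    persistent=$(sort -n "$hits" | uniq -c | awk -v m="$min_hits" '$1 >= m { print $2 }')
    rm -f "$hits"
    [ -n "$persistent" ] || return 0
    printf '%s\n' "$persistent"
    return 1
}

# Usage on a live box (assumed flags; only runs when invoked as: sh script.sh --live):
case "${1:-}" in
    --live)
        if consensus_hidden hidden_pids_live 3 2; then
            echo "no persistently hidden PIDs (transient readdir/ps mismatches ignored)"
        else
            echo "WARNING: PIDs above were hidden from ps in at least 2 of 3 runs" >&2
        fi
        ;;
esac
```

Wrapping chkrootkit itself the same way works too (run it three times, grep for "hidden for ps command", warn on two or more hits), but comparing PID sets is more useful than comparing counts: it tells you which PID to go look at, and a transiently exiting child never survives the intersection across runs.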
