Try "chkrootkit -x lkm", it will list the "hidden process" ... Sometimes depending on CPU and disk load, chkrootkit on our racks lists even "sendmail", "inet" and many other usual system processes as hidden ... The "chkproc" program compares the "ps" output with the "/proc" contents, so if the process ends before the program finishes the checking routine it can list the process as hidden or suspicious ... Hope this helps ...

[]'s
Nino

----- Original Message -----
From: "James Zawacki" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, October 05, 2003 12:49 PM
Subject: [cobalt-security] chkrootkit LKM Detection?

> Hello, Just out of the blue, I've just started receiving these in my chkrootkit output some nights. Other nights it doesn't show up.
>
> <snip>
> Checking `lkm'... You have 2 process hidden for readdir command
> You have 2 process hidden for ps command
> Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... eth0 is not promisc
> </snip>
>
> Now, from my research, it sounds like it's common under RedHat? But, why did it just start happening, and why only on this box? None of my other Raq4's are showing this.
>
> Thanks,
> James
>
> ---------------------------------------------------------------
> http://www.customlynx.com - Low cost web authoring and hosting!
> Get your FREE E-mail address or give them out! (culymail.com)
> _______________________________________________
> cobalt-security mailing list
> [EMAIL PROTECTED]
> http://list.cobalt.com/mailman/listinfo/cobalt-security
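
The race described in the reply above can be filtered out by repeating the comparison and keeping only PIDs that stay mismatched in every round. This is an added example, not part of the original thread and not chkrootkit's own code; the function names and the sample PIDs are constructed for illustration.

```python
import os
import subprocess
import time

def proc_pids(root="/proc"):
    """PIDs visible as numeric directories under /proc."""
    return {int(name) for name in os.listdir(root) if name.isdigit()}

def ps_pids():
    """PIDs reported by ps ('pid=' suppresses the header line)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def live_sample():
    # The two views are read at slightly different moments; a process that
    # starts or exits in between shows up as a one-off mismatch.
    return ps_pids(), proc_pids()

def mismatches(ps, proc):
    """PIDs present in one view but absent from the other, with direction."""
    return ({(pid, "missing from ps") for pid in proc - ps} |
            {(pid, "missing from /proc") for pid in ps - proc})

def persistent_mismatches(take_sample=live_sample, rounds=3, delay=1.0):
    """Keep only mismatches seen, in the same direction, in every round."""
    persistent = None
    for i in range(rounds):
        found = mismatches(*take_sample())
        persistent = found if persistent is None else persistent & found
        if not persistent:
            break                      # nothing survived, no need to resample
        if i < rounds - 1:
            time.sleep(delay)
    return persistent or set()

# Constructed (ps, /proc) snapshots: PIDs 4242, 4250, 4261 and 3001 are
# short-lived, PID 999 stays absent from ps in all three rounds.
CONSTRUCTED_ROUNDS = [
    ({1, 540, 812, 4242}, {1, 540, 812, 999, 3001}),
    ({1, 540, 812, 4250}, {1, 540, 812, 999}),
    ({1, 540, 812, 4261}, {1, 540, 812, 999}),
]

if __name__ == "__main__":
    for pid, why in sorted(persistent_mismatches()):
        print(f"PID {pid}: {why} in every round")
```

A PID that drops out after the first round was most likely a short-lived process, which matches the load-dependent reports described above; one that survives every round is the case to look at by hand.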
