I won't be able to do this until later in the day but this antivirus does not detect anything in /proc/kcore anymore. It is strange that a scan with f-prot (up to date) did not detect anything (done after vexira detected the signature in /proc/kcore).
I also thought that the antivirus scanner is seeing a copy of its own definition in kcore. I emailed vexira and support staff said that they don't think so and that it does not happen for them. Just for curiosity, I ran an exhaustive scan all over and vexira found a signature in a tcpdump.log (a Code Red--AFAIK, this is a Windows worm). Of course, I deleted this file.

In summary:
a) vexira does not detect anything in /proc/kcore (before and after deleting that tcpdump.log) except on one occasion, and it disappeared after reboot.
b) Support staff at vexira apparently cannot reproduce this.
c) fprot does not detect the signature.

I am curious to know how booting with a different kernel (from a cd install, for example) will determine if it is an error? What is the rationale, if you wish to share?

Joe M.

> On 20 Jul 2004, jmm wrote:
>> The antivirus program was "Vexira". When portsentry is not running, there
>> is nothing attached to 'bind shell', as reported by chkrootkit. It is
>> strange since I ran Vexira in my previous system and after (it gave me the
>> same warning in the previous system) I erased the whole disk and installed
>> Woody from scratch with minimal services running. Then, in the afternoon,
>> when I ran Vexira, the virus signature was showing in /proc/kcore.
>
> Hrm. Only with that scanner, and only in kcore, huh? Maybe it is
> confused by some track of itself running in memory or something.
>
> Can you boot off a known good media (like, say, an install CD or
> something) and run the scanner from there? That should determine if it
> is an error, or if it is that the rootkit mostly manages to hide itself

