On Wed, Dec 03, 2003 at 01:03:34AM -0800, Vanh Phom wrote:
> Hi folks,
> After reading a report of servers being compromised, just out of curiosity I
> ran chkrootkit on my own machine and came up with this result:
>
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... not infected
> Checking `lkm'... You have 12 process hidden for readdir command
> You have 12 process hidden for ps command
> Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'...
> eth0: PROMISC
>
> Is my machine compromised? How do I fix this?
>
> Vanh
>
If it's unstable, then there is a bug with chkrootkit. Do a ps ax and see how
many processes you have with pid 0. I don't remember the criterion, but some
processes owned by the kernel are started with the kernel's pid, which is 0 (I
hope I am not mixing things up, but that is the essential idea; search the
archives on this if you want the exact story).

Also try running /usr/lib/chkrootkit/chkproc -v and it will tell you exactly
which processes are seen as hidden. You can then try to do: cat
/proc/<pid>/status (hoping that wasn't compromised if the computer was, which
it probably wasn't) to see what the process actually is.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
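The cross-check described in the reply above (compare what readdir on /proc reports against what ps reports, then read /proc/<pid>/status for anything that appears in only one list) can be scripted. The script below is an added example written for this thread, not chkrootkit's own chkproc and not code from either poster. It assumes a Linux box with /proc mounted and a ps that accepts -e -o pid=. The one caveat a practitioner needs: the two snapshots are not taken atomically, so a process that exits or starts between them shows up as a one-off difference; the script re-reads /proc for each candidate and labels the ones that have already vanished as transient rather than hidden. A PID that is still alive, visible in /proc but absent from ps (or vice versa) on repeated runs is the case worth investigating.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce the readdir-vs-ps
# comparison that chkrootkit's "hidden process" warning is based on, and show
# /proc/<pid>/status for any PID that only one of the two views reports.

# Print the PIDs present in the whitespace-separated list $1 but not in $2,
# one per line, de-duplicated, in the order they appear in $1.
diff_pids() {
    printf '%s\n' $1 | awk -v other="$2" '
        BEGIN {
            n = split(other, arr, "[ \t\n]+")
            for (i = 1; i <= n; i++) if (arr[i] != "") seen[arr[i]] = 1
        }
        $1 != "" && !($1 in seen) && !dup[$1]++ { print $1 }'
}

# PIDs as seen by readdir(/proc): every numeric directory entry.
readdir_pids() {
    for d in /proc/[0-9]*; do
        printf '%s\n' "${d#/proc/}"
    done
}

# PIDs as seen by ps (the same view chkproc compares against).
ps_pids() {
    ps -e -o pid=
}

# Show Name/State/PPid from /proc/<pid>/status, or flag a PID that has
# already exited (a snapshot race, not a hidden process).
describe_pid() {
    if [ -r "/proc/$1/status" ]; then
        printf 'pid %s: ' "$1"
        grep -E '^(Name|State|PPid):' "/proc/$1/status" | tr '\n' ' '
        echo
    else
        echo "pid $1: gone before inspection (transient, not hidden)"
    fi
}

# Take both snapshots and report the differences in each direction.
main_check() {
    from_readdir=$(readdir_pids)
    from_ps=$(ps_pids)

    echo "PIDs visible to readdir but missing from ps:"
    for pid in $(diff_pids "$from_readdir" "$from_ps"); do describe_pid "$pid"; done

    echo "PIDs visible to ps but missing from readdir:"
    for pid in $(diff_pids "$from_ps" "$from_readdir"); do describe_pid "$pid"; done
}

# Only run the live check where the assumptions hold (Linux /proc plus ps).
if [ -d /proc ] && command -v ps >/dev/null 2>&1; then
    main_check
fi
```

Run it two or three times in a row: a PID that is reported once and then disappears was a process that exited between the snapshots, which is exactly the kind of noise the reply attributes to a chkrootkit bug, while a PID that is reported consistently and whose status file is readable is the one to look at.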

