On February 7, 2003 07:41 am, Rivanor P. Soares wrote:
> Checking `lkm'... You have 69 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> Could this be *true* ? How can I discover it?

If this is true, then your 'ps' binary has been replaced with one that filters certain processes from your viewing. The best, easiest method to determine if this is true is to change directories to your /proc filesystem and manually compare the PID-corresponding directories to the PIDs you see in your ps output. If you notice extra PIDs (which you will quickly notice if you in fact have 69 hidden processes), then you should enter their corresponding directories and analyze the information within to see if the process is malicious.

If manually comparing your proc filesystem to your ps output seems like a daunting task, you could try downloading a fresh ps binary to your box, one which isn't backdoored. The only problem with this is, once it is on your potentially infected box, its output can no longer be trusted, as one of those 69 processes could maim the output of your new ps, not to mention how easily a kernel backdoor [LKM, kernel patch (hard or /dev/kmem)] could do so.
Craig Holmes
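The /proc-versus-ps comparison described in the reply above, written out as an added shell example; this is not code from the original mail or from chkrootkit. It assumes a Linux /proc, a procps-style ps that accepts `-e -o pid=`, and `mktemp`; the function names (hidden_pids, snapshot_proc, check_hidden, inspect_pid) are my own. To cut down on false positives from processes that start or exit while the check runs, /proc is listed twice around a single ps run and a PID is flagged only if /proc showed it both times and ps omitted it. As the reply notes, a kernel-level hook that hides from /proc as well will defeat this; it only catches a userland ps that filters its output.

```sh
#!/bin/sh
# Added example: find PIDs present in /proc that ps does not report.

# hidden_pids BEFORE AFTER PSLIST
#   All three arguments are files with one PID per line.  Prints, sorted,
#   the PIDs present in both BEFORE and AFTER but absent from PSLIST.
hidden_pids() {
    {
        awk 'NF { print "A", $1 }' "$1"
        awk 'NF { print "B", $1 }' "$2"
        awk 'NF { print "P", $1 }' "$3"
    } | awk '
        $1 == "A" { first[$2] = 1 }
        $1 == "B" && ($2 in first) { both[$2] = 1 }
        $1 == "P" { seen[$2] = 1 }
        END { for (p in both) if (!(p in seen)) print p }
    ' | sort -n
}

# snapshot_proc: list the numeric entries of /proc using shell builtins only,
# so the listing itself forks no helper that would skew the comparison.
snapshot_proc() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] || continue
        printf '%s\n' "${d#/proc/}"
    done
}

# check_hidden: two /proc snapshots around one ps run (assumes procps-style
# ps: -e for every process, "pid=" for a header-less PID column).
check_hidden() {
    tmp=$(mktemp -d) || return 1
    snapshot_proc >"$tmp/before"
    ps -e -o pid= | tr -d ' ' >"$tmp/ps"
    snapshot_proc >"$tmp/after"
    hidden_pids "$tmp/before" "$tmp/after" "$tmp/ps"
    rm -rf "$tmp"
}

# inspect_pid PID: what the kernel says about a process ps did not show.
# An exe link that is unreadable or marked "(deleted)" deserves attention.
inspect_pid() {
    p=$1
    [ -d "/proc/$p" ] || { echo "$p: gone"; return 1; }
    printf 'PID %s\n' "$p"
    printf '  name:    '; sed -n 's/^Name:[[:space:]]*//p' "/proc/$p/status"
    printf '  ppid:    '; sed -n 's/^PPid:[[:space:]]*//p' "/proc/$p/status"
    printf '  exe:     '; readlink "/proc/$p/exe" 2>/dev/null || echo '(unreadable)'
    printf '  cwd:     '; readlink "/proc/$p/cwd" 2>/dev/null || echo '(unreadable)'
    printf '  cmdline: '; tr '\0' ' ' <"/proc/$p/cmdline" 2>/dev/null; echo
}

# Live run only when asked for explicitly: sh thisfile.sh --live
if [ "${1:-}" = "--live" ]; then
    for p in $(check_hidden); do
        inspect_pid "$p"
    done
fi
```

Run it as root where possible, since /proc/PID/exe and cwd of other users' processes are otherwise unreadable and would all show as "(unreadable)". Kernel threads appear in `ps -e` too, so they are not flagged; a PID that turns up here is one the kernel exposes but ps chose not to print.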