On February 7, 2003 07:41 am, Rivanor P. Soares wrote:
> Checking `lkm'... You have 69 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> Could this be *true* ? How can I discover it?
If this is true, then your 'ps' binary has been replaced with one that filters
certain processes from your viewing.
The best, easiest method to determine if this is true is to change
directories to your /proc filesystem, and manually compare the PID
corresponding directories to the PIDs you see in your ps output. If you
notice extra PIDs (which you will quickly notice if you in fact have 69 hidden
processes), then you should enter their corresponding directories and analyze
the information within, to see if the process is malicious.
If manually comparing your proc filesystem to your ps output seems like a
daunting task, you could try downloading a fresh ps binary to your box, one
which isn't backdoored. The only problem with this is, once it is on your
potentially infected box, its output can no longer be trusted, as one of
those 69 processes could maim the output of your new ps, not to mention how
easily a kernel backdoor [LKM, kernel patch (hard or /dev/kmem)] could do so.
Craig Holmes
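The /proc-versus-ps comparison described in the reply above, written out as a script. This is an added example, not code from the thread; it assumes a Linux procfs mounted at /proc and a ps that accepts "ps -e -o pid=". Note that it only catches a user-space ps trojan: a kernel-level backdoor can hide the /proc entries as well, which is exactly the caveat the reply ends on.

```python
import os
import subprocess

def proc_pids(proc="/proc"):
    """PIDs the kernel exposes as numeric directories under /proc."""
    return {int(d) for d in os.listdir(proc) if d.isdigit()}

def ps_pids():
    """PIDs the (possibly trojaned) ps binary is willing to report."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def hidden_pids(from_proc, from_ps, ignore=()):
    """PIDs present in /proc but absent from ps output, minus known noise
    (e.g. this script's own PID). A process that starts or exits between
    the two snapshots shows up as a false positive, so run twice before
    trusting a hit."""
    return sorted(set(from_proc) - set(from_ps) - set(ignore))

def describe(pid, proc="/proc"):
    """Collect what an analyst checks first in /proc/<pid>: the command line,
    the executable it was started from, and Name/PPid/Uid from status."""
    base = os.path.join(proc, str(pid))
    info = {"pid": pid, "cmdline": "?", "exe": "?"}
    try:
        with open(os.path.join(base, "cmdline"), "rb") as f:
            info["cmdline"] = f.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
    except OSError:
        pass
    try:
        # A "(deleted)" suffix means the binary was removed from disk after launch.
        info["exe"] = os.readlink(os.path.join(base, "exe"))
    except OSError:
        pass
    try:
        with open(os.path.join(base, "status")) as f:
            for line in f:
                key, _, val = line.partition(":")
                if key in ("Name", "PPid", "Uid"):
                    info[key] = (val.split() or [""])[0]
    except OSError:
        pass
    return info

if __name__ == "__main__":
    before = ps_pids()      # snapshot ps, then /proc, then ps again
    in_proc = proc_pids()   # so a PID missing from both ps runs is the real signal
    after = ps_pids()
    for pid in hidden_pids(in_proc, before | after, ignore={os.getpid()}):
        print(describe(pid))
```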