On February 7, 2003 11:08 pm, Nathan Yocom wrote:
> If a user was to gain local root privileges, it is also possible that
> he/she has loaded/forced a kernel module also. Check your modules

Although this is very possible, and something you should consider while
looking for any malicious files or processes, I believe that the message you
got from chkproc (called by chkrootkit) means it found inconsistencies
between ps output and your proc filesystem. Cal Peake pointed out that redhat
hides threads, so I would check your ps/proc first. Although I am not
completely sure, I believe that if it detects a LKM, that it will report
processes being hidden by readdir.
/* Snippet of code */
if (retdir)
    printf("You have % 5d process hidden for readdir command\n", retdir);
if (retps)
    printf("You have % 5d process hidden for ps command\n", retps);
/* Done */
Craig Holmes
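The /proc-versus-ps consistency check described in the reply above, as an added example (this is not chkproc's or chkrootkit's code, and it only approximates what chkproc reports). It lists numeric entries in /proc, parses `ps -eo pid=`, and subtracts thread IDs gathered from /proc/<pid>/task so that a ps that hides threads does not show up as a pile of "hidden" processes. The sample listing and ps output at the bottom are constructed; `live_scan()` runs the same comparison against the host you run it on.

```python
"""Cross-check /proc against ps, the kind of consistency test chkproc does,
while discounting thread IDs so a ps that hides threads does not produce
false positives.  Added example; not chkproc's or chkrootkit's code."""
import os
import subprocess


def pids_from_listing(entries):
    """PIDs are the purely numeric names in a /proc directory listing."""
    return {int(name) for name in entries if name.isdigit()}


def pids_from_ps(ps_output):
    """Parse `ps -eo pid=` style output: one integer PID per line."""
    pids = set()
    for line in ps_output.splitlines():
        line = line.strip()
        if line.isdigit():
            pids.add(int(line))
    return pids


def compare(proc_pids, ps_pids, thread_ids=frozenset()):
    """Report the two inconsistencies chkproc prints (approximated here).

    hidden_from_ps:      in the /proc listing but not reported by ps, and
                         not a known thread ID
    hidden_from_readdir: reported by ps but absent from the /proc listing
    Thread IDs are subtracted because some ps builds collapse threads into
    their parent process while /proc still lists them separately.
    """
    hidden_from_ps = proc_pids - ps_pids - set(thread_ids)
    hidden_from_readdir = ps_pids - proc_pids
    return {
        "hidden_from_ps": sorted(hidden_from_ps),
        "hidden_from_readdir": sorted(hidden_from_readdir),
    }


def live_scan():
    """Run the comparison against the current host (needs Linux and ps)."""
    proc_pids = pids_from_listing(os.listdir("/proc"))
    ps_out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                            text=True, check=True).stdout
    ps_pids = pids_from_ps(ps_out)
    thread_ids = set()
    for pid in proc_pids:
        try:
            tids = pids_from_listing(os.listdir(f"/proc/{pid}/task"))
        except OSError:  # process exited between the listing and this lookup
            continue
        # the main thread's TID equals the PID; only extra threads are excused
        thread_ids.update(tids - {pid})
    return compare(proc_pids, ps_pids, thread_ids)


# Constructed sample (hypothetical PIDs): 1234 is a thread of 1200 that ps
# collapses, so it is not an inconsistency; 4242 is in /proc but not in ps;
# 9999 is reported by ps but missing from the /proc listing.
SAMPLE_PROC_LISTING = ["1", "2", "1200", "1234", "4242", "self", "cpuinfo"]
SAMPLE_PS_OUTPUT = "    1\n    2\n 1200\n 9999\n"
SAMPLE_THREAD_IDS = {1234}

if __name__ == "__main__":
    result = compare(pids_from_listing(SAMPLE_PROC_LISTING),
                     pids_from_ps(SAMPLE_PS_OUTPUT), SAMPLE_THREAD_IDS)
    for key, pids in result.items():
        if pids:
            print(f"You have {len(pids):5d} process(es) {key}: {pids}")
```

On the constructed sample this reports 4242 as hidden from ps and 9999 as hidden from readdir; a real run goes through `live_scan()`, and a process that appears only on the `hidden_from_ps` side after threads are excused is the case worth looking at more closely.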