Rivanor, > 1) I am not running multi-threaded process (process threads).
Not that you know of, but some applications or daemons that you run may be multi-threaded without your knowledge, see the next response however. > 2) While I was running chkrootkit-0.39a: > Checking `lkm'... You have 54 process hidden for ps command > 3) Seeing process: > At /proc : 52 process, too I agree with the response that noted that it looks like chkrootkit wasn't using ps properly. > 4) There are no new open ports listening. Did you test that from a different machine using something like nmap? If you're relying on netstat, it may have been trojaned. > 5) And, is this *normal* ? > [root@localhost /]# lsattr -d /proc/ > lsattr: Inappropriate ioctl for device While reading flags on /proc/ As others noted, yes. > 6) Modules are being loaded are usual, nothing that I don't want. Again, like netstat, if you have a LKM rootkit on your system, it would hide itself from lsmod. > 7) Unfortunately, I don't have access, yet, to a CD like Knoppix. :( Well then head on over to http://www.knoppix.org/ and start dl'ing -- unless your bandwidth or lack of a CD writer prohibits that, in which case that site has a list of vendors you can order it from. In the US, you shouldn't have to pay more than $10 shipped. > 8) I probably gonna try the way: boot up the system with a 'clear' > kernel (no modules). > > Thanks in advance, again... Good luck! Terry USE standard_disclaimer
