Re: Chkrootkit - true/false ?
On Sat, May 22, 2004 at 10:03:37AM +0800, Jason Lim wrote:
> > Checking `lkm'... You have 3 process hidden for readdir command
> > You have 3 process hidden for ps command
> > Warning: Possible LKM Trojan installed
> >
> > Sometimes chkrootkit returns nothing detected and every time rkhunter
> > tells me nothing is wrong. Is this a false positive with chkrootkit and
> > debian woody?

chkrootkit on nearly anything occasionally gives this false positive. I
believe it is something to do with normal processes terminating or
spawning at the time chkrootkit is looking for hidden processes. Hence
the word Possible in its report. If you run chkrootkit again, you will
probably not see the message again. If you repeatedly see that message
every time you run chkrootkit, then you can start panicking.

Donovan Baarda
http://minkirri.apana.org.au/~abo/

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe.
Trouble? Contact [EMAIL PROTECTED]
Re: Chkrootkit - true/false ?
Donovan Baarda wrote:
> On Sat, May 22, 2004 at 10:03:37AM +0800, Jason Lim wrote:
> > > Checking `lkm'... You have 3 process hidden for readdir command
> > > You have 3 process hidden for ps command
> > > Warning: Possible LKM Trojan installed
>
> If you run chkrootkit again, you will probably not see the message
> again. If you repeatedly see that message every time you run
> chkrootkit, then you can start panicking.

This is a known bug in the ps command of debian. I don't know if the sid
version is updated by now, but this particular lkm - 3 process problem
*will* occur again.

chkrootkit often gives false positives, but this is no reason not to look
for a trojan. Read the perl code to see what it checks. It's quite
simple: it checks the existence of certain hidden directories, files or
processes. Try to investigate why they exist on your machine.

rgds,
j.

--
Andreas John
net-lab GmbH
Luisenstrasse 30b
63067 Offenbach
Tel: +49 69 85700331
http://www.net-lab.net
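An added example, not chkrootkit's own code and not something posted in this thread: a simplified version of the readdir-versus-ps comparison Andreas points at, repeated over a few snapshots so that a process that was merely starting or exiting mid-scan (the race Donovan describes) drops out of the report instead of producing an intermittent "Possible LKM Trojan" warning. It assumes Linux /proc and a procps `ps` that accepts `-eo pid=`; the snapshot values used to exercise it are constructed.

```python
#!/usr/bin/env python3
"""Simplified chkproc-style check: readdir(/proc) vs ps, re-checked to filter the spawn/exit race."""
import os
import subprocess
import time

def pids_from_readdir():
    # readdir view: every all-digit entry under /proc is a PID (Linux only).
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def pids_from_ps():
    # ps view: procps 'ps -eo pid=' prints one bare PID per line, no header.
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def compare(proc_pids, ps_pids):
    """One pass, as chkproc reports it: PIDs only ps knows are 'hidden for readdir',
    PIDs only the /proc listing has are 'hidden for ps'."""
    return ps_pids - proc_pids, proc_pids - ps_pids

def confirm(snapshots):
    """Reconcile several (proc_pids, ps_pids) snapshots taken moments apart.
    A PID is kept only if every snapshot shows the same discrepancy; one that is
    present in some snapshots and absent from others was starting or exiting
    mid-scan, which is the race behind the intermittent warning.
    A module hiding a process from both views leaves no discrepancy at all, so
    this removes timing noise only; it does not make the check stronger."""
    proc_all = set.intersection(*(p for p, _ in snapshots))
    ps_all = set.intersection(*(s for _, s in snapshots))
    proc_any = set.union(*(p for p, _ in snapshots))
    ps_any = set.union(*(s for _, s in snapshots))
    return ps_all - proc_any, proc_all - ps_any

def report(hidden_for_readdir, hidden_for_ps):
    """Findings in chkrootkit's wording; an empty list means nothing to report."""
    lines = []
    if hidden_for_readdir:
        lines.append(f"You have {len(hidden_for_readdir)} process hidden for readdir command")
    if hidden_for_ps:
        lines.append(f"You have {len(hidden_for_ps)} process hidden for ps command")
    if lines:
        lines.append("Warning: Possible LKM Trojan installed")
    return lines

if __name__ == "__main__":
    snaps = []
    for _ in range(3):                 # three passes half a second apart
        snaps.append((pids_from_readdir(), pids_from_ps()))
        time.sleep(0.5)
    print("\n".join(report(*confirm(snaps))) or "nothing detected")
```

A PID that a single pass flags but later passes do not is exactly the "run it again and it goes away" case; only a PID that is missing from ps in every pass while /proc lists it every time survives into the report.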
Chkrootkit - true/false ?
Hi

I have rkhunter and chkrootkit running in a cron job every morning and
every now and again I get chkrootkit results like this:

Checking `lkm'... You have 3 process hidden for ps command
Warning: Possible LKM Trojan installed

And sometimes this:

Checking `lkm'... You have 3 process hidden for readdir command
You have 3 process hidden for ps command
Warning: Possible LKM Trojan installed

Sometimes chkrootkit returns nothing detected and every time rkhunter
tells me nothing is wrong. Is this a false positive with chkrootkit and
debian woody?

Dave
Re: Chkrootkit - true/false ?
yeah. i think there are some bug reports on chkrootkit / woody. if you
run it again right after, you shouldn't get the message again.
(i personally prefer rkhunter) :)

http://tinyurl.com/3fddn

~august

David Ross wrote:
> Hi
>
> I have rkhunter and chkrootkit running in a cron job every morning and
> every now and again I get chkrootkit results like this:
>
> Checking `lkm'... You have 3 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> And sometimes this:
>
> Checking `lkm'... You have 3 process hidden for readdir command
> You have 3 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> Sometimes chkrootkit returns nothing detected and every time rkhunter
> tells me nothing is wrong. Is this a false positive with chkrootkit and
> debian woody?
>
> Dave
Re: Chkrootkit - true/false ?
* David Ross ([EMAIL PROTECTED]) [040521 01:55] spake thusly:

snip

> Checking `lkm'... You have 3 process hidden for readdir command
> You have 3 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> Sometimes chkrootkit returns nothing detected and every time rkhunter
> tells me nothing is wrong. Is this a false positive with chkrootkit and
> debian woody?

Running 2.6?

-mp
Re: Chkrootkit - true/false ?
> Checking `lkm'... You have 3 process hidden for readdir command
> You have 3 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> Sometimes chkrootkit returns nothing detected and every time rkhunter
> tells me nothing is wrong. Is this a false positive with chkrootkit and
> debian woody?

No. I don't get that error.

What I can note is that one time one of the servers got stuffed up for
some reason (the RAID array borked at the wrong moment or something) and
something weird happened to /proc or such. We actually didn't know this
at the time, so we ran chkrootkit (the backports.org version) and found
a similar error to yours. We were all frantic, checking the backups and
everything, until we checked the logs and saw the RAID error. We
rebooted the server and re-ran chkrootkit and all was fine.

This certainly does not mean the same in your case, but just thought you
might want to know.

Jas