Nolan Andres [EMAIL PROTECTED] writes:
yah...it does...
/usr/sbin# chkrootkit lkm
ROOTDIR is `/'
Checking `lkm'... SIGINVISIBLE Adore found
chkproc: Warning: Possible LKM Trojan installed
but this is complaining about SIGINVISIBLE which has nothing to do with
mysql and 2.6 threads. as
ah...right. I see what you mean.
FWIW, my system and architecture listed above (previous email) were:
We're running Sarge with kernel 2.6.11, and have tried both
chkrootkit 0.45-1
chkrootkit 0.46a-2
...and at that time, I was getting:
/etc/cron.daily/chkrootkit:
You have 1 process
Nolan Andres [EMAIL PROTECTED] writes:
The more recent results were shown given:
kernel: 2.6.15
chkrootkit: 0.46a-3
arch(unchanged): i386
...and you're right...no more hidden processes for ps or readdir
so I guess this part is ok, now. Sorry for any confusion. I've been
getting these
just the one...it's a mail server, running vexim2 (hence MySQL),
mailman, clamav, etc...
machine 2:
using chkrootkit 0.44-2
a webserver, gets similar results for chkproc (MySQL), but no SIGINVISIBLE
machine 3:
using chkrootkit 0.44-2
DNS server, chkproc returns nothing, no SIGINVISIBLE
I
downgraded to chkrootkit 0.44-2 (stable):
# /usr/sbin/chkrootkit lkm
ROOTDIR is `\'
Checking `lkm'... nothing detected
hm.
peace,
Nolan
lantz moore wrote:
Nolan Andres [EMAIL PROTECTED] writes:
The more recent results were shown given:
kernel: 2.6.15
chkrootkit: 0.46a-3
arch(unchanged):
Nolan Andres [EMAIL PROTECTED] writes:
downgraded to chkrootkit 0.44-2 (stable):
# /usr/sbin/chkrootkit lkm
ROOTDIR is `\'
Checking `lkm'... nothing detected
hm.
right. afaik, the adore check in 0.44 is completely broken. it will
*not* detect adore at all (nor should it give a false
Is it just me, or does that 'chkrootkit' output show no false
positives? What is being displayed is the verbose output from chkproc,
but it's not saying that any hidden processes were found. chkproc
outputs something like X process hidden for readdir command when it
finds hidden processes, does it
yah...it does...
/usr/sbin# chkrootkit lkm
ROOTDIR is `/'
Checking `lkm'... SIGINVISIBLE Adore found
chkproc: Warning: Possible LKM Trojan installed
peace,
Nolan
most recently...
# /usr/sbin/chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v -p 3
###
CWD 8924: /var/lib/mysql
EXE 8924: /usr/sbin/mysqld
CWD 8925: /var/lib/mysql
EXE 8925: /usr/sbin/mysqld
CWD 9223: /var/lib/mysql
EXE 9223: /usr/sbin/mysqld
CWD 9249: /var/lib/mysql
Nolan Andres [EMAIL PROTECTED] writes:
We're running Sarge with kernel 2.6.11, and have tried both
chkrootkit 0.45-1
chkrootkit 0.46a-2
...both of them have the same problem:
# ps aux | grep 10767
mysql 10767 0.0 2.8 73396 14844 ? S 2005 25:04 /usr/sbin/mysqld
We're running Sarge with kernel 2.6.11, and have tried both
chkrootkit 0.45-1
chkrootkit 0.46a-2
...both of them have the same problem:
# /usr/sbin/chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v -p 3
###
CWD 10770: /var/lib/mysql
EXE 10770: /usr/sbin/mysqld
CWD 10771:
Vincas Ciziunas [EMAIL PROTECTED] writes:
Package: chkrootkit
Version: 0.44-2
Severity: normal
A little googling tracked this down:
chkrootkit currently fails to recognize threads in Linux kernel 2.6 and
therefore warns about LKM. Attached patch fixes that problem: under 2.6
the threads
Package: chkrootkit
Version: 0.44-2
Severity: normal
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (650, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages chkrootkit