Hi there,

I am relatively new to security and to this list. My name is Michael Weber, I'm a network admin from Germany and I hope you can help me to solve this riddle:

When starting "chkrootkit" (v 0.38) I get the message: "You have 4 process hidden for ps command" and the hint for a probably installed "LKM Rootkit". So far, so good. "chkproc" with the verbose option enabled (-v) says:

[EMAIL PROTECTED] chkrootkit-0.38]# ./chkproc -v
PID 26194: not in ps output
PID 26195: not in ps output
PID 26196: not in ps output
PID 26197: not in ps output
You have 4 process hidden for ps command

That's fine, now we know the PID and can ask...

[EMAIL PROTECTED] chkrootkit-0.38]# ps p 26194
  PID TTY      STAT   TIME COMMAND
26194 ?        S      0:00 named -u named

Seems to be the name daemon, that's okay - a little nameserver for the local net (and only reachable by the local IP) is running. The 3 others deliver the same output.

Looks like a bug in "chkrootkit" but - how safe can I be that this is really a bug and not a clever LKM? I guess that a rootkit will not be named "youhavebeencracked"...

Sorry for my English, feel free to correct it if necessary.

Regards,
Michael Weber
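
An added example, not part of the original message and not chkrootkit's own code: a follow-up check that sorts PIDs missing from the ps listing into threads of a listed process, exited processes, and processes that ps should have shown. It assumes a kernel whose /proc/<pid>/status carries a Tgid field; the function names and all sample data are constructed for illustration.

```python
import re

# Constructed sample data (not from the original post): the text of
# /proc/<pid>/status for each PID, as a current Linux kernel would show it.
SAMPLE_STATUS = {
    26193: "Name:\tnamed\nTgid:\t26193\nPid:\t26193\nPPid:\t1\n",
    26194: "Name:\tnamed\nTgid:\t26193\nPid:\t26194\nPPid:\t1\n",
    26195: "Name:\tnamed\nTgid:\t26193\nPid:\t26195\nPPid:\t1\n",
    27001: "Name:\tsshd\nTgid:\t27001\nPid:\t27001\nPPid:\t1\n",
}
SAMPLE_PS_PIDS = {1, 26193}  # constructed: PIDs a default `ps ax` listed


def read_proc_status(pid):
    """Read /proc/<pid>/status on a live system; None if the PID is gone."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            return fh.read()
    except OSError:
        return None


def field(status, name):
    """Return the value of one 'Name: value' line from a status text."""
    m = re.search(rf"^{name}:\s*(\S+)", status, re.MULTILINE)
    return m.group(1) if m else None


def classify(pid, ps_pids, read_status=read_proc_status):
    """Explain why a PID is missing from the ps listing."""
    if pid in ps_pids:
        return "listed"
    status = read_status(pid)
    if status is None:
        return "gone"            # exited between the two scans
    tgid = field(status, "Tgid")
    if tgid is None:
        return "unknown"         # this kernel does not report Tgid
    if int(tgid) != pid:
        # A thread ID: expected to be absent only if ps lists its leader.
        return f"thread-of-{tgid}" if int(tgid) in ps_pids else "suspicious"
    return "suspicious"          # a thread-group leader that ps did not list


if __name__ == "__main__":
    for pid in (26194, 26195, 27001, 40000):
        print(pid, classify(pid, SAMPLE_PS_PIDS, SAMPLE_STATUS.get))
```

Both inputs come from the running kernel, so a result of "thread-of-..." rules out only the thread explanation; comparing against a listing taken from trusted boot media covers the case where /proc itself is being filtered.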
