> "You have 4 process hidden for ps command" and the hint for a probably
> installed "LKM Rootkit". So far, so good. "chkproc" with verbose
> option enabled (-v) say:
>
> [EMAIL PROTECTED] chkrootkit-0.38]# ./chkproc -v
> PID 26194: not in ps output
> PID 26195: not in ps output
> PID 26196: not in ps output
> PID 26197: not in ps output
> You have 4 process hidden for ps command
>
Try a better thing:

ls -l /proc/$pid/exe
  - this command will give you the real path of the executable 'name',
    which can even be '/usr/man/man1/xxx/whatever/named'

Also you can try:

ls -l /proc/$pid/fd/
  - list of file descriptors opened by process $pid

I had a server cracked and chkrootkit reported 2 hidden processes to me; they were on my system, hidden from ps and top, but not hidden enough to conceal the absolute path.

I'm not sure, but I believe that if an LKM is clever enough (i.e. very well programmed), it can really 'wipe' a file/process/??? from the system, so it's sometimes hard to diagnose your server.

Alex
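Added example, not part of the original message or of chkrootkit: a shell sketch that automates the two /proc lookups suggested above for every PID that ps fails to list. The function names, the PROC_ROOT override and the --scan switch are hypothetical, and it assumes a Linux procps ps that accepts -eL -o lwp=.

```shell
#!/bin/sh
# Constructed example: find PIDs reachable under /proc that ps does not list,
# then print the real executable path and open descriptors of each.
PROC_ROOT="${PROC_ROOT:-/proc}"  # assumption: overridable to test on a fake tree

# Probe each PID by direct path; a directory listing of /proc may be filtered.
pids_in_proc() {
    max="$1"; pid=1
    while [ "$pid" -le "$max" ]; do
        [ -d "$PROC_ROOT/$pid" ] && echo "$pid"
        pid=$((pid + 1))
    done
}

# Print every ID from list $1 that is absent from list $2.
hidden_pids() {
    known=" $(echo $2) "
    for p in $1; do
        case "$known" in *" $p "*) ;; *) echo "$p" ;; esac
    done
}

# Show what the kernel says the process is really running and holding open.
inspect_pid() {
    exe=$(readlink "$PROC_ROOT/$1/exe" 2>/dev/null) || exe="(unreadable)"
    echo "PID $1 exe=$exe"
    for fd in "$PROC_ROOT/$1/fd"/*; do
        [ -L "$fd" ] || continue
        echo "  fd ${fd##*/} -> $(readlink "$fd")"
    done
}

scan() {
    max=$(cat "$PROC_ROOT/sys/kernel/pid_max" 2>/dev/null || echo 32768)
    seen=$(pids_in_proc "$max")
    # -L lists thread IDs too: /proc/<tid> resolves by direct path on Linux
    # and would otherwise show up as a false "hidden" process.
    listed=$(ps -eL -o lwp=)
    for p in $(hidden_pids "$seen" "$listed"); do
        # Skip short-lived processes that exited between the two snapshots.
        if [ -d "$PROC_ROOT/$p" ]; then inspect_pid "$p"; fi
    done
}

if [ "${1:-}" = "--scan" ]; then scan; fi
```

Run it as root with --scan so that exe and fd links of other users' processes are readable. A module that also blocks direct /proc/<pid> lookups will not show up in this output.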
