Re: chkrootkit V. 0.47



On Tue, 20 Nov 2007, JP wrote:

--and--
Checking `lkm'... You have 131 process hidden for readdir command
chkproc: Warning: Possible LKM Trojan installed

I wonder if it's trying to use procfs, which isn't mounted by default in FreeBSD, and as a result reporting that /proc is empty (which is expected). You could try mounting procfs and see if the message goes away, which would answer the question -- however, we don't generally advise mounting procfs unless it is required, as it is a deprecated feature.

Robert N M Watson
Computer Laboratory
University of Cambridge
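
The check suggested in the message above, as an added example that is not part of the original post or of chkrootkit: it pairs the chkproc warning with the mount table to see whether procfs was mounted at /proc when the scan ran. It assumes FreeBSD `mount -p` (fstab-style) output; the function names, verdict strings, and sample data are constructed for illustration.

```shell
#!/bin/sh
# Triage chkproc's "hidden for readdir" warning against the mount table.
# Assumed input: `mount -p` output (device mountpoint fstype options dump pass).

# Return 0 if a procfs filesystem is mounted exactly at /proc.
# $1 = text of `mount -p` output
procfs_mounted() {
    printf '%s\n' "$1" |
        awk '$2 == "/proc" && $3 == "procfs" { found = 1 } END { exit !found }'
}

# Print the hidden-process count reported by chkrootkit, or nothing.
# $1 = text of chkrootkit output
hidden_count() {
    printf '%s\n' "$1" |
        sed -n 's/.*You have \([0-9][0-9]*\) process hidden for readdir command.*/\1/p' |
        head -n 1
}

# Classify the result. $1 = chkrootkit output, $2 = `mount -p` output
triage_chkproc() {
    n=$(hidden_count "$1")
    if [ -z "$n" ]; then
        echo "no-warning"
    elif procfs_mounted "$2"; then
        # procfs was available, so an empty /proc does not explain the warning
        echo "procfs-mounted-warning-unexplained hidden=$n"
    else
        # /proc had nothing to list, so the readdir comparison is not meaningful
        echo "inconclusive-procfs-not-mounted hidden=$n"
    fi
}

# Constructed sample data: the warning from this thread and two mount tables.
CHK_OUT="Checking \`lkm'... You have 131 process hidden for readdir command
chkproc: Warning: Possible LKM Trojan installed"
MOUNT_DEFAULT="/dev/ad0s1a / ufs rw 1 1
devfs /dev devfs rw 0 0"
MOUNT_PROCFS="$MOUNT_DEFAULT
procfs /proc procfs rw 0 0"

triage_chkproc "$CHK_OUT" "$MOUNT_DEFAULT"
triage_chkproc "$CHK_OUT" "$MOUNT_PROCFS"
```

On a live system the two arguments would be the saved chkrootkit output and `"$(mount -p)"` captured at the same time as the scan.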