Re: chkrootkit-0.34 report
From: Seth Arnold (sarnold@wirex.com)
Date: 10/30/01
Date: Tue, 30 Oct 2001 14:33:53 -0800
From: Seth Arnold <sarnold@wirex.com>
To: focus-linux@securityfocus.com
Subject: Re: chkrootkit-0.34 report
Message-ID: <20011030143353.A994@wirex.com>

On Mon, Oct 29, 2001 at 07:46:33PM -0800, Herbert Kwong wrote:
> I just used chkrootkit 0.34 to check my system. It
> reports the following message:
> Checking 'lkm'... You have 2 process hidden for ps
> command
> Warning: Possible LKM Trojan installed
Well, I've never used chkrootkit, but it has to get this information
somehow. If the rootkit author wasn't very bright, you will see the
extra processes in your /proc/ tree. (You could also try 'pstree',
'top', etc, if the rootkit author didn't change all process reporting
tools.)

If the rootkit author was smarter than the average bear, the only way I
can think of finding out is loading your own kernel module, designed to
print out all process information. Of course, a rootkit author could
prevent this from working too, though probably only in a fashion that
would prevent your module from loading at all.

Cheers!
-- 
The Bill of Rights: 7 out of 10 rights haven't been sold yet! Contact your congressman for details how *you* can buy one today!
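
The first check suggested in the reply above, comparing the /proc tree against what ps reports, written out as an added example. It is not part of the original message and is not chkrootkit's own code; the function names and the --live switch are illustrative.

```shell
#!/bin/sh
# Added example: cross-view check between a /proc tree and saved ps output.
# Function names are illustrative; this is not chkrootkit's implementation.

# proc_pids DIR: print the all-numeric directory names under DIR (one per process).
proc_pids() {
    for d in "$1"/[0-9]*; do
        [ -d "$d" ] || continue
        n=${d##*/}
        case $n in *[!0-9]*) continue ;; esac
        echo "$n"
    done | sort -n
}

# hidden_pids DIR PSFILE: print PIDs found under DIR that are missing from
# PSFILE, which holds the output of `ps -e -o pid=` (one PID per line).
hidden_pids() {
    proc_pids "$1" | awk -v ps="$2" '
        BEGIN {
            while ((getline line < ps) > 0) {
                split(line, f, " ")
                if (f[1] ~ /^[0-9]+$/) seen[f[1]] = 1
            }
        }
        !($1 in seen)'
}

# Live use: sh thisfile --live
# Two passes, because short-lived processes (including this script's own
# helpers) show up in one view and not the other; only PIDs missing from ps
# in both passes are reported.
if [ "${1:-}" = "--live" ]; then
    snap=$(mktemp)
    ps -e -o pid= > "$snap"
    first=$(hidden_pids /proc "$snap")
    sleep 1
    ps -e -o pid= > "$snap"
    for p in $(hidden_pids /proc "$snap"); do
        case " $(echo $first) " in
            *" $p "*) echo "PID $p is in /proc but not in ps output" ;;
        esac
    done
    rm -f "$snap"
fi
```

A clean result only rules out the simple case: a kernel module that also filters /proc entries defeats this comparison, which is the harder case the reply describes.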