Have I been kitted?

From: Terry Browning (terry@nihil.demon.co.uk)
Date: 06/09/02


From: Terry Browning <terry@nihil.demon.co.uk>
To: focus-linux@securityfocus.com
Date: 09 Jun 2002 12:19:57 +0100

Maybe it's my paranoia, but I've been adding a few tools to my system
recently, and I've had a small panic as a result.

Using chkrootkit:

Checking `lkm'... You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed

Should I panic and if so, how much?

Also, `nmap -sS -p 1-65535 127.0.0.1` says:
8000/tcp open unknown
8200/tcp open unknown
10000/tcp open unknown

and `nmap -sS -P0 -p 1-65535 <my ppp0 ipaddress>` says:
All 65535 scanned ports on (...) are: filtered

Is that a good sign? Has nmap been fooled by an LKM? Have I wasted time
chasing my tail?

What is the best strategy for dealing with an LKM kit? Reinstall Linux
from CD or try to remove it?