Re: LKM Trojan installed
From: Chris Rouch (cdvr@pobox.com)
Date: 02/19/03
From: Chris Rouch <cdvr@pobox.com>
To: "Rivanor P. Soares" <rivanor@bol.com.br>
Date: 19 Feb 2003 14:03:10 +0100
> 2) While I was running chkrootkit-0.39a:
> Checking `ps'... not infected
> ...
> Checking `lkm'... You have 54 process hidden for ps command
> Warning: Possible LKM Trojan installed
> --
>
> 3) Seeing process:
> [root@localhost chkrootkit-0.39a]# ps ax
> PID TTY STAT TIME COMMAND
> 1 ? S 0:04 init [3]
> 2 ? SW 0:00 [keventd]
> ...
> 4881 pts/0 S 0:00 bash
> 4917 pts/0 S 0:00 vim rootkit
> 4918 pts/1 R 0:00 ps ax
> Total: 52
> At /proc : 52 process, too
> --
chkrootkit seems to think that *all* your processes are hidden (assuming
a couple finished between running chkrootkit and ps).
I suspect that the ps is being run with the wrong arguments (or the
wrong ps is being run). Have a look at chkproc.c and make sure that the
definition of PS is the one you want for your system.
Regards,
Chris
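
The false positive discussed in this message, as an added example (not part of the original post and not code from chkproc.c): a checker that compares PIDs found under /proc with PIDs parsed from ps output reports every process as hidden when the ps layout is not the one it was built for. The sample ps output, the PID list, and the names `pid_in_field` and `count_hidden` are constructed for illustration; a real checker would read /proc and run ps itself.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed sample: the same three processes in two different ps layouts. */
static const char PS_AX[] =
    "  PID TTY      STAT   TIME COMMAND\n"
    "    1 ?        S      0:04 init [3]\n"
    " 4881 pts/0    S      0:00 bash\n"
    " 4918 pts/1    R      0:00 ps ax\n";
static const char PS_EF[] =
    "UID        PID  PPID  C STIME TTY          TIME CMD\n"
    "root         1     0  0 13:40 ?        00:00:04 init [3]\n"
    "root      4881  4880  0 13:55 pts/0    00:00:00 bash\n"
    "root      4918  4890  0 13:59 pts/1    00:00:00 ps -ef\n";
static const int PROC_PIDS[] = { 1, 4881, 4918 }; /* constructed stand-in for /proc */

/* PID in whitespace-separated field `field` (0-based) of the line at p, or -1. */
static long pid_in_field(const char *p, int field)
{
    char *end;
    for (;; field--) {
        p += strspn(p, " \t");
        if (*p == '\n' || *p == '\0') return -1;   /* line has too few fields */
        if (field == 0) break;
        p += strcspn(p, " \t\n");                  /* skip this field */
    }
    long v = strtol(p, &end, 10);
    return (end != p && v > 0 && strchr(" \t\n", *end)) ? v : -1;
}

/* Count PIDs listed in proc[] that the parsed ps output does not show. */
int count_hidden(const char *ps_out, int field, const int *proc, size_t n)
{
    int hidden = 0;
    for (size_t k = 0; k < n; k++) {
        int seen = 0;
        for (const char *l = ps_out; *l && !seen; l += strcspn(l, "\n"), l += (*l == '\n'))
            seen = pid_in_field(l, field) == proc[k];
        hidden += !seen;
    }
    return hidden;
}

int main(void)
{
    printf("ps ax,  PID read from field 0: %d hidden\n", count_hidden(PS_AX, 0, PROC_PIDS, 3));
    printf("ps -ef, PID read from field 0: %d hidden\n", count_hidden(PS_EF, 0, PROC_PIDS, 3));
    printf("ps -ef, PID read from field 1: %d hidden\n", count_hidden(PS_EF, 1, PROC_PIDS, 3));
    return 0;
}
```

A "hidden" count close to the total number of processes, as in the quoted report, points at the parsing assumption rather than at a kernel module; a genuine discrepancy shows up as a small number of PIDs missing from otherwise matching output.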