Re: chkrootkit and LKM?
From: Ali-Reza Anghaie (ali_at_packetknife.com)
Date: 06/17/03
- Previous message: Janus N.: "chkrootkit and LKM?"
- In reply to: Janus N.: "chkrootkit and LKM?"
- Next in thread: Janus N.: "Re: chkrootkit and LKM?"
- Reply: Janus N.: "Re: chkrootkit and LKM?"
- Reply: Blade Runner: "Re: chkrootkit and LKM?"
To: incidents@securityfocus.com
Date: Mon, 16 Jun 2003 21:26:42 -0400
On Monday 16 June 2003 10:59, Janus N. wrote:
> I am using a RHL9 as my workstation. A few days ago I downloaded chkrootkit
> and it consistently gives the same output (>20 hidden processes) when
> checking for LKM rootkit:
>
> Checking `lkm'... You have 38 process hidden for readdir command
> Warning: Possible LKM Trojan installed
>
> This is even after reboots. How can I check if this is actually the work
> of the LKM? Or any other rootkit for that matter?
What does "chkrootkit -x lkm" return? If anything...
If it shows PIDs you'll want to hunt through /proc manually for those
processes.
Cheers, -Ali
--
OpenPGP Key: 030E44E6
Was I helpful?: http://svcs.affero.net/rm.php?r=packetknife
War is evil, but it is often the lesser evil. -- George Orwell
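The manual /proc check suggested in this message, sketched as an added example (not part of the original message, and not chkrootkit's own code): it compares the PIDs a directory listing of /proc returns with the IDs that answer a direct open of /proc/<pid>/status, and separates thread IDs, which resolve under /proc without being listed there. The function names are this example's own.

```python
"""Cross-check /proc's directory listing against direct per-PID lookups."""
import os
import re

def listed_pids(proc_root="/proc"):
    """PIDs that a readdir() of /proc reports (what ls and ps see)."""
    return {int(n) for n in os.listdir(proc_root) if n.isdigit()}

def read_status(pid, proc_root="/proc"):
    """Open /proc/<pid>/status by path, bypassing the directory listing."""
    try:
        with open(os.path.join(proc_root, str(pid), "status")) as fh:
            return fh.read()
    except OSError:
        return None  # no such task, or it exited during the scan

def classify(listed, probe, max_pid):
    """Return (hidden, threads): IDs that answer a lookup but are unlisted."""
    hidden, threads = [], []
    for pid in range(1, max_pid + 1):
        if pid in listed:
            continue
        status = probe(pid)
        if status is None:
            continue
        tgid = re.search(r"^Tgid:\s*(\d+)", status, re.M)
        name = re.search(r"^Name:\s*(.*)$", status, re.M)
        entry = (pid, name.group(1) if name else "?")
        # A thread ID resolves under /proc but is listed only under
        # /proc/<tgid>/task, so it is not a hidden process.
        if tgid and int(tgid.group(1)) != pid:
            threads.append(entry)
        else:
            hidden.append(entry)
    return hidden, threads

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as fh:
        limit = int(fh.read())
    hidden, threads = classify(listed_pids(), read_status, limit)
    # Re-list to drop processes that merely started during the scan.
    now_listed = listed_pids()
    still_unlisted = [h for h in hidden if h[0] not in now_listed]
    print(f"{len(threads)} unlisted thread IDs (normal)")
    for pid, name in still_unlisted:
        print(f"unlisted PID {pid} ({name}): check /proc/{pid}/exe and cmdline")
```

Run it as root so every /proc/<pid>/status is readable; a compromised kernel can also falsify direct lookups, so an empty result is not proof of a clean system.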