Re: Have I been compromised? chkrootkit: "Warning: Possible LKM Trojan installed" - nmap: "port 1313 open"

From: Richard Kimber (rkimber_at_ntlworld.com)
Date: 11/14/03 

Date: Fri, 14 Nov 2003 12:29:09 +0000

On Thu, 13 Nov 2003 21:31:01 -0800, Tom wrote:

> I run Debian Linux. I've been keeping current with security updates
> and that sort of thing. I've been using Debian for about a month and
> a half now. I try to keep things simple, and run my box as secure as
> possible, from what I know. I run apt-get update & upgrade every day
> or two.
>
> Every week or so I'll run chkrootkit, mostly just because I feel I
> should. Every time I've run it, I've come up clean, no problems.
>
> Today it's started saying:
> "You have 4 process hidden for ps command
> Warning: Possible LKM Trojan installed"

I get this too with Debian. I'm not sure these processes are actually
hidden. If I run ps it gives:

    1 ? S 0:07 init
    2 ? SW 0:00 [keventd]
    0 ? SWN 0:00 [ksoftirqd_CPU0]
    0 ? SW 0:05 [kswapd]
    0 ? SW 0:00 [bdflush]
    0 ? SW 0:00 [kupdated]
    8 ? SW 0:00 [i2oevtd]
etc

the processes with zero pid seem to be the processes reported as hidden by
chkrootkit and chkproc says they are 3,4,5,6

I'm not an expert, but this looks more like some sort of bug than a
compromise. But I could be wrong.

- Richard.

Relevant Pages

  • Re: Fedora Extras is extra
    ... That was about when I switched to Debian. ... people package new stuff for Stable ... There are lots of Debian Developers who listen to their users and help sort ... If _I_ for some reason want to package an enhanced glibc I might call it ...
    (Fedora)
  • Re: Similar Experience/Forget Hardy
    ... It sort of makes sense. ... packages having -ubuntu something in the package string? ... Or maybe debian? ... ubuntu-users mailing list ...
    (Ubuntu)
  • Re: Debian Unstable not updating?
    ... Kelly Harding wrote: ... > I've been running Debian for about a year or two now. ... Perhaps strace the apt-get process...see if it's generating any errors ... grep and/or vi will help to sort through it all)...that's about my only ...
    (Debian-User)
  • Re: "I do consider Ubuntu to be Debian" , Ian Murdock
    ... That sort of thing often makes me think that the reviewers have some ... sort of axe to grind against Debian. ... I was under the impression that, since Mepis was based on ...
    (Debian-User)
  • Re: vmware packaged as .deb
    ... > The guy who packages ATI fglrx drivers for Debian ... > is a godsend. ... > Has anybody ever done a similar sort of thing to VMWare? ...
    (Debian-User)
Loading