Re: Have I been compromised? chkrootkit: "Warning: Possible LKM Trojan installed" - nmap: "port 1313 open"

From: Stu (stu_at_santa-li.com)
Date: 11/15/03


Date: Fri, 14 Nov 2003 21:56:13 -0500

chkproc is in the same directory as chkrootkit, and judging from your
output--because it said you had 4 hidden processes--it's definitely there.
If it wasn't there, you would've just had the "Warning: Possible LKM Trojan
installed" without the hidden process count...

Stu

Tom wrote:

> Thanks for all the information, these explicit instructions are just
> what I needed!
>
> Rather ironically perhaps, I tried chkproc, but it says command not
> found. I am using v0.42 of chkrootkit.


