Re: chkrootkit output
From: John Gallet (john.gallet_at_wanadoo.fr)
Date: 10/08/04
- Next message: Bit Twister: "Re: Chkrootkit - can't find 'strings'"
- Previous message: Tim Haynes: "Re: Chkrootkit - can't find 'strings'"
- In reply to: Oliver Gobin: "Re: chkrootkit output"
- Next in thread: Oliver Gobin: "Re: chkrootkit output"
- Reply: Oliver Gobin: "Re: chkrootkit output"
Date: Fri, 08 Oct 2004 12:02:47 +0200
Hi,
> | # chkproc -v -v
> | PID 14894(/proc/14894): not in readdir output
> | PID 14894: not in ps output
> | CWD 14894: /
> | EXE : /sbin/init
> | You have 1 process hidden for readdir command
> | You have 1 process hidden for ps command
> | SIGINVISIBLE Adore found
> ... and "chkrootkit" says:
> | Checking `init'... not infected
> So everything seems to be alright :)
I would not conclude immediately this way.
First try to see if 14894 is listed in /proc for example with
ls /proc | grep 14894
If it is not listed, but if the command ls /proc/14894 does return
results, it does not smell good. Look then at the various files around,
especially cmdline and cwd to see what's running. If chkrootkit says
you are infected with "SIGINVISIBLE Adore" you should double-check with
rootkit-hunter www.rootkit.nl
HTH
JG
PS : article posted and mailed as I am 2 days late...
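
The check described in this message, written out as an added example that is not part of the original post and not chkrootkit's own code: it compares what a directory listing of /proc returns against what answers when each PID is probed directly, then shows cmdline, cwd and exe for a hit. The function names are hypothetical, and the Tgid test is an added assumption to skip thread IDs, which Linux serves under /proc/<tid> without listing them.

```shell
#!/bin/sh
# Added example: find PIDs that answer under a proc root but are missing
# from its directory listing. All function names are hypothetical.
# Typical call: hidden_pids /proc "$(cat /proc/sys/kernel/pid_max)"

# listed_pids ROOT: numeric entries that a directory listing of ROOT returns.
listed_pids() {
    ls "$1" 2>/dev/null | grep -E '^[0-9]+$' || :
}

# is_thread ROOT PID: true when status shows Tgid != PID, i.e. a thread ID
# rather than a process (assumption: Linux-style status file).
is_thread() {
    tgid=$(awk '/^Tgid:/ {print $2}' "$1/$2/status" 2>/dev/null)
    [ -n "$tgid" ] && [ "$tgid" != "$2" ]
}

# hidden_pids ROOT MAX [LISTING]: probe ROOT/1..MAX directly and print each
# PID that exists but is absent from the listing. LISTING defaults to a
# fresh listed_pids ROOT; passing it lets a saved listing be compared.
hidden_pids() {
    root=$1 max=$2
    listing=${3-$(listed_pids "$root")}
    pid=1
    while [ "$pid" -le "$max" ]; do
        if [ -d "$root/$pid" ] &&
           ! printf '%s\n' "$listing" | grep -qx "$pid" &&
           ! is_thread "$root" "$pid"; then
            echo "$pid"
        fi
        pid=$((pid + 1))
    done
}

# describe_pid ROOT PID: print the files the message says to look at.
describe_pid() {
    printf 'cmdline: '; cat "$1/$2/cmdline" 2>/dev/null | tr '\0' ' '; echo
    printf 'cwd: %s\n' "$(readlink "$1/$2/cwd" 2>/dev/null)"
    printf 'exe: %s\n' "$(readlink "$1/$2/exe" 2>/dev/null)"
}
```

A process that starts between the listing and the probe also shows up as a hit, so run hidden_pids a second time before reading anything into a single PID.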