Re: Message in chkrootkit.

From: Doug Laidlaw
Date: 07/09/05

Date: Sat, 09 Jul 2005 16:39:23 +1000

Bill Marcum wrote:

> On Fri, 08 Jul 2005 12:36:40 +1000, Doug Laidlaw wrote:
>> Using Mandrake 10.1 on ADSL with GuardDog. I KNOW that I am open to
>> hackers, at least. With my computer switched off, I could see the
>> incoming data light up my ADSL modem. I am looking for a way to reformat
>> everything yet keep essential data. In the meantime, I am keeping off
>> the Net except for a few seconds. At least my Windows firewall allows
>> access on a per program basis.
>> But I am here to ask about what chkrootkit shows:
>> Checking `sniffer'... /proc/5728/fd: No such file or directory
>> That is the only result that isn't "not infected" or "nothing found".
>> Doing an ls on /proc/5728, I get:
>> ls: cannot read symbolic link cwd: No such file or directory
>> ls: cannot read symbolic link root: No such file or directory
>> ls: cannot read symbolic link exe: No such file or directory
>> attr/ auxv cmdline cwd@ environ exe@ fd/ maps mem mounts root@ stat statm status task/ wchan
>> Never really having looked at /proc before, I don't know if the broken
>> links are significant, but they are all suspicious.
> You didn't do ls -l to see the names of those nonexistent links?
Yes, I did. The other thing, as I noticed later, is that a directory fd/ is
listed there, but chkrootkit says it wasn't. Was it perhaps created in the

In the reinstalled system, the directory /proc/5728 doesn't exist. What are
the numbers? Process numbers perhaps? It is my newbie understanding that
everything in /proc represents something of the nature of a process. Top
started a minute or two ago was No. 13800, and the highest number in
"ls /proc" is 13896, so that seems right.

A lot of similar directories have those links and they are valid. Cwd and
root point to "//" where the first slash is blue (a directory) and the
second is gray. exe points to /sbin/init. I remember seeing those in
other directories at the time, but the ones in 5728 went nowhere. I didn't
realize the distinction at the time. The first directory I chose to look
at just now wasn't there, but the process may have gone in the interim.

Doug L.

ICQ Number 178748389. Registered Linux User No. 277548.
Black as the devil, hot as hell,
Pure as an angel, sweet as love.
        -- Talleyrand's recipe for coffee.
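What the thread is circling around is the difference between a /proc/<pid> directory whose exe/cwd/root links read normally, one whose links all fail with "No such file or directory" because the process exited between chkrootkit listing /proc and reading /proc/<pid>/fd, and a kernel thread, which has no exe but does have cwd and root pointing at "/". The script below is an added example written for this page, not code from the thread or from chkrootkit. It reads those three links for each numeric entry under a proc root and labels each one; to run offline it builds a constructed stand-in for /proc in a temporary directory (pids 100, 200, 300 and 400 and their link targets are invented), where simply omitting a link file produces the same FileNotFoundError that a broken /proc link gives. The "kernel-thread" and " (deleted)" rules describe how Linux procfs behaves and are assumptions of the example, not something the post states.

```python
import os
import tempfile
from pathlib import Path

LINK_NAMES = ("exe", "cwd", "root")


def inspect_pid_dir(pid_dir):
    """Read the exe/cwd/root links of one /proc/<pid> directory and classify it.

    Returns the pid, a state label, and the link targets. A target of None
    means readlink failed with ENOENT, which is exactly the 'cannot read
    symbolic link ... No such file or directory' that ls showed for 5728.
    """
    pid_dir = Path(pid_dir)
    links = {}
    for name in LINK_NAMES:
        try:
            links[name] = os.readlink(pid_dir / name)
        except FileNotFoundError:
            # Linux reports ENOENT here when the process has exited (or is a
            # zombie) and, for exe only, when the task is a kernel thread.
            links[name] = None
        except PermissionError:
            # Another user's process, read without root privileges.
            links[name] = "<permission denied>"

    if all(target is None for target in links.values()):
        # Every link dangling: the process went away between the directory
        # listing and the readlink, the race behind the chkrootkit message.
        state = "exited-during-scan"
    elif links["exe"] is None and links["cwd"] == "/" and links["root"] == "/":
        state = "kernel-thread"
    elif links["exe"] is not None and links["exe"].endswith(" (deleted)"):
        # The running binary was unlinked after exec: worth a closer look.
        state = "exe-deleted"
    else:
        state = "ok"
    return {"pid": pid_dir.name, "state": state, "links": links}


def scan_proc(proc_root="/proc"):
    """Classify every numeric entry under proc_root. Directories that vanish
    between listing and inspection are reported as exited, not as errors."""
    results = {}
    for entry in Path(proc_root).iterdir():
        if entry.name.isdigit():
            results[entry.name] = inspect_pid_dir(entry)["state"]
    return results


def build_fake_proc(root):
    """Constructed stand-in for /proc so the scan runs offline (pids invented)."""
    root = Path(root)
    (root / "cpuinfo").write_text("")           # non-pid entry, must be skipped
    p = root / "100"; p.mkdir()                  # ordinary process
    os.symlink("/sbin/init", p / "exe"); os.symlink("/", p / "cwd"); os.symlink("/", p / "root")
    (root / "200").mkdir()                       # exited: no readable links at all
    p = root / "300"; p.mkdir()                  # kernel thread: cwd/root only
    os.symlink("/", p / "cwd"); os.symlink("/", p / "root")
    p = root / "400"; p.mkdir()                  # binary removed after exec
    os.symlink("/usr/local/bin/sniff (deleted)", p / "exe")
    os.symlink("/tmp", p / "cwd"); os.symlink("/", p / "root")
    return root


def demo():
    """Scan the constructed tree and return {pid: state}."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_proc(build_fake_proc(tmp))


if __name__ == "__main__":
    for pid, state in sorted(demo().items(), key=lambda kv: int(kv[0])):
        print(pid, state)
    if Path("/proc/self").is_dir():              # on a real Linux box, check ourselves
        print("self:", inspect_pid_dir("/proc/self")["state"])
```

Run on a real box, `scan_proc()` will show a handful of "exited-during-scan" entries on any busy system, which is the benign explanation for the single chkrootkit line in the original post; a persistent "exe-deleted" entry is the kind of result that actually merits the reinstall the poster went through.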