Security Incidents mailing list archives
Re: chkrootkit and LKM?
From: Ali-Reza Anghaie <ali () packetknife com>
Date: Mon, 16 Jun 2003 21:26:42 -0400
On Monday 16 June 2003 10:59, Janus N. wrote:
> I am using RHL9 as my workstation. A few days ago I downloaded chkrootkit and it consistently gives the same output (>20 hidden processes) when checking for LKM rootkit:
>
> Checking `lkm'... You have 38 process hidden for readdir command
> Warning: Possible LKM Trojan installed
>
> This is even after reboots. How can I check if this is actually the work of the LKM? Or any other rootkit for that matter?
What does "chkrootkit -x lkm" return? If anything...

If it shows PIDs you'll want to hunt through /proc manually for those processes.

Cheers, -Ali

-- OpenPGP Key: 030E44E6
-- Was I helpful?: http://svcs.affero.net/rm.php?r=packetknife
-- War is evil, but it is often the lesser evil. -- George Orwell
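The /proc hunt suggested in the reply above, written out as an added example (not part of the original thread and not chkrootkit's own code): it compares the directory listing of /proc with direct lookups of /proc/<pid> and reports IDs that exist but are not listed. The function names and the Tgid-based filter are assumptions of this example; on Linux a thread ID can be opened under /proc without appearing in its listing, so those are separated from IDs that no visible process accounts for.

```python
import os

def read_tgid(pid, proc="/proc"):
    """Thread-group id from <proc>/<pid>/status, or None if unreadable."""
    try:
        with open(os.path.join(proc, str(pid), "status")) as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError, IndexError):
        pass
    return None

def find_unlisted(listed, exists, tgid_of, max_pid):
    """Compare the directory listing of /proc with direct per-PID lookups.

    listed  -- names returned by listing /proc (the readdir view)
    exists  -- callable(pid) -> bool, direct lookup of /proc/<pid>
    tgid_of -- callable(pid) -> thread-group id, or None
    Returns (threads, suspects): unlisted IDs that are threads of a listed
    process, and unlisted IDs that nothing visible accounts for.
    """
    visible = {int(name) for name in listed if name.isdigit()}
    threads, suspects = [], []
    for pid in range(1, max_pid + 1):
        if pid in visible or not exists(pid):
            continue
        tgid = tgid_of(pid)
        if tgid is not None and tgid != pid and tgid in visible:
            threads.append((pid, tgid))
        else:
            suspects.append(pid)
    return threads, suspects

def scan_live(proc="/proc"):
    """Run the comparison against the local system."""
    try:
        with open(os.path.join(proc, "sys/kernel/pid_max")) as fh:
            max_pid = int(fh.read())
    except (OSError, ValueError):
        max_pid = 32768  # assumed fallback when pid_max is unreadable
    return find_unlisted(os.listdir(proc),
                         lambda p: os.path.isdir(os.path.join(proc, str(p))),
                         lambda p: read_tgid(p, proc), max_pid)

if __name__ == "__main__":
    threads, suspects = scan_live()
    print("unlisted thread IDs of visible processes:", len(threads))
    for pid in suspects:  # re-run: a process started mid-scan shows up once
        print("unlisted PID with no visible owner:", pid)
```

PIDs that stay in the second list across repeated runs are the ones to inspect by hand under /proc.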
