On Mon, 2003-05-26 at 23:27, IC0N wrote:
>
> Checking `lkm'... You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> Sometimes I get 2 or 3 processes, sometimes NONE
>

If a process is created between the output of ps and the readdir then you will see this sort of output from chkrootkit. However, run chkrootkit several times and if the hidden process number is the same each time then you should be more suspicious.

If you consistently get the same hidden process number then try changing into its directory in /proc. E.g. if process 26262 is hidden then try accessing the directory /proc/26262. If the directory exists then you may be dealing with an LKM trojan.

Regards.
Mark.
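
The check described in the reply above, as an added example that is not part of the original message and is not chkrootkit's code: it probes /proc/<pid> directly, compares against the /proc listing, and keeps only PIDs that are hidden on every run. The function names, the `lister` hook and the 32768 default are assumptions; it goes one step beyond the message by skipping thread IDs, which Linux makes reachable by path without ever listing them.

```python
import os
import time

def listed_pids(proc_root="/proc"):
    """PIDs returned by readdir() on the proc directory."""
    return {int(n) for n in os.listdir(proc_root) if n.isdigit()}

def is_thread(proc_root, pid):
    """True if pid is a non-leader thread: reachable by path but never listed."""
    try:
        with open(os.path.join(proc_root, str(pid), "status")) as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except (OSError, ValueError, IndexError):
        pass  # process exited mid-check; the repeated runs filter it out
    return False

def hidden_once(proc_root="/proc", max_pid=32768, lister=listed_pids):
    """One pass: PIDs reachable as <proc_root>/<pid> but absent from the listing."""
    before = lister(proc_root)
    probed = {p for p in range(1, max_pid + 1)
              if os.path.isdir(os.path.join(proc_root, str(p)))}
    after = lister(proc_root)
    # Listing before and after the probe narrows the creation race.
    suspects = probed - (before | after)
    return {p for p in suspects if not is_thread(proc_root, p)}

def persistent_hidden(proc_root="/proc", runs=3, delay=1.0,
                      max_pid=32768, lister=listed_pids):
    """Repeat the pass and keep only PIDs that are hidden every time."""
    result = None
    for i in range(runs):
        if i:
            time.sleep(delay)
        found = hidden_once(proc_root, max_pid, lister)
        result = found if result is None else result & found
        if not result:
            break  # nothing survived; short-lived processes only
    return result or set()

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as f:
        limit = int(f.read())
    for pid in sorted(persistent_hidden(max_pid=limit)):
        print(f"PID {pid}: /proc/{pid} exists but is not listed on any run")
```

Run it as root so that every /proc/<pid> entry is reachable; an empty result means any earlier mismatch was a process starting or exiting between the two views.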