On Wed, Oct 29, 2003 at 09:11:24PM -0500, Phillip Hofmeister wrote:
> I think there is a race condition that was discussed before about
> rootkit checkers. First it reads in data from the PS command. It then
> stores this data in a buffer. Then it reads /proc (or vice versa, I
> forget the order). It then compares the two places.
>
I think the explanation is a little simpler. Check out this bug in procps:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217525

Basically ps reports a couple PIDs as zero. This then confuses chkrootkit when it compares.

Scott Wehrenberg
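
Added example, not part of the original message and not chkrootkit's own code: a ps-versus-/proc comparison that tolerates both failure modes raised in this thread, the snapshot race and ps rows with PID 0. The function names, the verdict labels and the sample data are assumptions made for illustration.

```python
import os

# Constructed sample data; not real output from ps, procps or chkrootkit.
SAMPLE_PS = """\
  PID TTY          TIME CMD
    1 ?        00:00:03 init
    0 ?        00:00:00 sshd
  412 ?        00:00:00 cron
    0 ?        00:00:00 bash
"""
PROC_BEFORE = {1, 230, 412, 977, 1500}  # 1500 exits while ps is running
PROC_AFTER = {1, 230, 412, 977}


def live_proc_pids(root="/proc"):
    """Numeric directory names under /proc (Linux only; unused by the sample run)."""
    return {int(name) for name in os.listdir(root) if name.isdigit()}


def parse_ps_pids(ps_output):
    """Return (valid_pids, bogus_rows); a row with PID 0 or a non-numeric PID is bogus."""
    valid, bogus = set(), []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if not fields:
            continue
        if fields[0].isdigit() and int(fields[0]) > 0:
            valid.add(int(fields[0]))
        else:
            bogus.append(line.strip())
    return valid, bogus


def compare(proc_before, ps_output, proc_after):
    """Diff /proc against ps without mistaking a race or a ps bug for a hidden process."""
    ps_pids, bogus = parse_ps_pids(ps_output)
    # Race handling: only PIDs present in /proc both before and after ps ran count.
    stable = proc_before & proc_after
    missing = sorted(stable - ps_pids)
    # Assumption: each bogus ps row can account for at most one missing PID.
    if not missing:
        verdict = "clean"
    elif len(missing) <= len(bogus):
        verdict = "inconclusive"  # ps output is unreliable, so re-check with fixed tools
    else:
        verdict = "suspicious"
    return {"missing": missing, "bogus_rows": len(bogus), "verdict": verdict}


if __name__ == "__main__":
    print(compare(PROC_BEFORE, SAMPLE_PS, PROC_AFTER))
```

On a live system the two /proc snapshots would come from calling `live_proc_pids()` immediately before and after running ps.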