Hello! I have got a problem with chkrootkit, too (refering to http:// lists.debian.org/debian-security/2003/debian-security-200310/msg00204.html):
ai1:# chkrootkit -x lkm ROOTDIR is `/' ### ### Output of: ./chkproc -v -v ### PID 3: not in ps output CWD 3: / EXE 3: / PID 4: not in ps output CWD 4: / EXE 4: / PID 5: not in ps output CWD 5: / EXE 5: / PID 6: not in ps output CWD 6: / EXE 6: / You have 4 process hidden for ps command A reboot does not solve the problem. I use an actual sid with kernel 2.4.22 from package kernel-source- 2.4.22-3. Before PID 3 are starting PID 1 init (of course) and PID 2 keventd Does this look like a rootkit and what is to do? Thanks! - Matthias P.S.: /proc/X/status have following contents: Name: ksoftirqd_CPU0 State: S (sleeping) Tgid: 0 Pid: 3 PPid: 1 TracerPid: 0 Uid: 0 0 0 0 Gid: 0 0 0 0 FDSize: 32 Groups: SigPnd: 0000000000000000 SigBlk: ffffffffffffffff SigIgn: 0000000000000000 SigCgt: 0000000000000000 CapInh: 0000000000000000 CapPrm: 00000000ffffffff CapEff: 00000000fffffeff Name: kswapd State: S (sleeping) Tgid: 0 Pid: 4 PPid: 1 TracerPid: 0 Uid: 0 0 0 0 Gid: 0 0 0 0 FDSize: 32 Groups: SigPnd: 0000000000000000 SigBlk: ffffffffffffffff SigIgn: 0000000000000000 SigCgt: 0000000000000000 CapInh: 0000000000000000 CapPrm: 00000000ffffffff CapEff: 00000000fffffeff Name: bdflush State: S (sleeping) Tgid: 0 Pid: 5 PPid: 1 TracerPid: 0 Uid: 0 0 0 0 Gid: 0 0 0 0 FDSize: 32 Groups: SigPnd: 0000000000000000 SigBlk: ffffffffffffffff SigIgn: 0000000000000000 SigCgt: 0000000000000000 CapInh: 0000000000000000 CapPrm: 00000000ffffffff CapEff: 00000000fffffeff Name: kupdated State: S (sleeping) Tgid: 0 Pid: 6 PPid: 1 TracerPid: 0 Uid: 0 0 0 0 Gid: 0 0 0 0 FDSize: 32 Groups: SigPnd: 0000000000000000 SigBlk: fffffffffff9ffff SigIgn: 0000000000000000 SigCgt: 0000000000000000 CapInh: 0000000000000000 CapPrm: 00000000ffffffff CapEff: 00000000fffffeff
