On Tue, 2003-11-25 at 20:18, Johannes Graumann wrote:
[...]
> I was just running 'chkrootkit' and came across this warning:
>
> > Checking `lkm'... You have 4 process hidden for ps command
> > Warning: Possible LKM Trojan installed
[...]
> I then went ahead and manually checked the output of 'ls -a /proc'
> against that of 'ps -A' and found out, that there are 4 processes in
> /proc (3-6) which don't show up as PIDs in the 'ps -A' output. There
> are however four processes (ksoftirqd_CPU0, kswapd, bdflush, kupdated)
> in existence that show a PID of 0.
> Am I right to assume that this is not the lkm kit, but rather some
> weirdness in PID assignment?

Yes. Well, rather to do with how `ps' handles the processes in question.

> The same PID thing is happening on my testing/unstable laptop -
> compromised as well or something else amiss in the distro, maybe related
> to the server break ins?

It's nothing at all to do with the compromise, and everything to do with
<URL:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217525> (`ps shows
incorrect pid value') and
<URL:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217278>
(`chkrootkit: doesn't work too well with kernel threads').

(FWIW, the bugs were filed 31 and 33 days ago, against procps and
chkrootkit respectively, and <URL:http://bugs.debian.org/{procps,chkrootkit}>
is currently operational, although lacking a record of activity since
late last week.)

Your machine is behaving no more strangely than thousands of other
sarge/sid boxes. :-)

Adam
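The manual cross-check described in this thread, written out as an added example (not part of the original messages and not chkrootkit's own code). The sample listing and `ps -A` output are constructed to mirror the report; the function names and the count-matching heuristic are assumptions made for illustration.

```python
# Constructed sample data modelled on the report above (not a real capture).
SAMPLE_PROC = [".", "..", "1", "2", "3", "4", "5", "6", "7", "120",
               "cpuinfo", "meminfo", "self"]
SAMPLE_PS = """\
  PID TTY          TIME CMD
    1 ?        00:00:04 init
    2 ?        00:00:00 keventd
    0 ?        00:00:00 ksoftirqd_CPU0
    0 ?        00:00:00 kswapd
    0 ?        00:00:00 bdflush
    0 ?        00:00:00 kupdated
    7 ?        00:00:00 kjournald
  120 ?        00:00:00 sshd
"""

def proc_pids(entries):
    """Numeric directory names from an 'ls -a /proc' listing are the PIDs."""
    return {int(e) for e in entries if e.isdigit()}

def parse_ps(text):
    """Return (pid, command) pairs from 'ps -A' output, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0].isdigit():
            rows.append((int(parts[0]), parts[3]))
    return rows

def compare(entries, ps_text):
    """Find PIDs present in /proc but absent from ps, and judge the cause."""
    rows = parse_ps(ps_text)
    missing = sorted(proc_pids(entries) - {pid for pid, _ in rows})
    # ps rows printed with PID 0 are processes ps did list but mislabelled.
    pid0_cmds = [cmd for pid, cmd in rows if pid == 0]
    # Heuristic (assumption): if every missing PID is matched by one PID-0
    # row, the mismatch is explained by ps misreporting PIDs, not by hiding.
    # Both snapshots must be taken close together; short-lived processes
    # that start or exit in between also produce mismatches.
    explained = bool(missing) and len(missing) == len(pid0_cmds)
    return {"missing": missing, "pid0_cmds": pid0_cmds,
            "likely_ps_display_bug": explained}

if __name__ == "__main__":
    print(compare(SAMPLE_PROC, SAMPLE_PS))
```

A mismatch with no PID-0 rows to account for it is the case that still warrants investigation with tools that do not depend on the installed `ps`.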