On Tue, 25 Nov 2003, Johannes Graumann wrote:
> Hello,
>
> This is a testing/unstable system.
>
> I was just running 'chkrootkit' and came across this warning:
>
> > Checking `lkm'... You have 4 process hidden for ps command
> > Warning: Possible LKM Trojan installed
>
> I did some reading and made sure the number is not changing (due to
> running 'chkrootkit' while new processes are started and /proc and 'ps'
> are not synchronized) - it remains 4.
> I then went ahead and manually checked the output of 'ls -a /proc'
> against that of 'ps -A' and found out that there are 4 processes in
> /proc (3-6) which don't show up as PIDs in the 'ps -A' output. There
> are however four processes (ksoftirqd_CPU0, kswapd, bdflush, kupdated)
> in existence that show a PID of 0.
> Am I right to assume that this is not the lkm kit, but rather some
> weirdness in PID assignment?
>
> The same PID thing is happening on my testing/unstable laptop -
> compromised as well or something else amiss in the distro, maybe related
> to the server break-ins?

Are you running 2.6, or the backported TLS patches on 2.4?
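
Added example, not part of the original thread: a script for the manual check described in the quoted message, comparing numeric /proc entries with the PIDs that ps reports. It takes a /proc snapshot before and after the ps run so that processes starting or exiting in between are not reported; all function names are hypothetical, and an empty cmdline is labelled only as typical of kernel threads such as the four named above.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
LC_ALL=C; export LC_ALL          # same collation for sort and comm

# Print the purely numeric directory names under a /proc-style tree, sorted.
proc_pids() {
    dir=${1:-/proc}
    for entry in "$dir"/[0-9]*; do
        [ -d "$entry" ] || continue
        name=${entry##*/}
        case $name in *[!0-9]*) continue ;; esac
        printf '%s\n' "$name"
    done | sort
}

# Args: sorted files <proc_before> <ps_list> <proc_after>.
# Print PIDs present in both /proc snapshots but absent from the ps list.
stable_hidden() {
    comm -12 "$1" "$3" | comm -23 - "$2"
}

# Print "<pid> <Name from status> <has-cmdline|empty-cmdline>".
# /proc files report size 0, so cmdline is read rather than tested with -s.
describe_pid() {
    dir=${2:-/proc}
    name=$(sed -n 's/^Name:[[:space:]]*//p' "$dir/$1/status" 2>/dev/null) || name=
    args=$( { tr '\000' ' ' < "$dir/$1/cmdline"; } 2>/dev/null ) || args=
    if [ -n "$args" ]; then kind=has-cmdline; else kind=empty-cmdline; fi
    printf '%s %s %s\n' "$1" "${name:-?}" "$kind"
}

# Live run: sh script.sh --live
if [ "${1:-}" = "--live" ]; then
    tmp=$(mktemp -d) || exit 1
    proc_pids > "$tmp/before"
    ps -A -o pid= | tr -d ' ' | sort > "$tmp/ps"
    proc_pids > "$tmp/after"
    stable_hidden "$tmp/before" "$tmp/ps" "$tmp/after" |
        while read -r pid; do describe_pid "$pid"; done
    rm -rf "$tmp"
fi
```

Each line printed by a live run is a PID that stayed in /proc across the ps run without being listed by it; empty-cmdline entries are typical of kernel threads.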