Hi. Chkrootkit gave me the following message:

    Checking `lkm'... You have 4 process hidden for ps command
    Warning: Possible LKM Trojan installed

So I did:

    # chkrootkit -x lkm
    ROOTDIR is `/'
    ###
    ### Output of: ./chkproc -v -v
    ###
    PID 3: not in ps output
    CWD 3: /
    EXE 3: /
    PID 4: not in ps output
    CWD 4: /
    EXE 4: /
    PID 5: not in ps output
    CWD 5: /
    EXE 5: /
    PID 6: not in ps output
    CWD 6: /
    EXE 6: /
    You have 4 process hidden for ps command

I poked around, and the dirs exist in /proc and contain nothing unusual (as far as I can see, which may not be far :)

The box is running "unstable", and I have apache installed along with openssl (I keep the box up to date as much as possible). Apache has been flaky lately: it doesn't start normally, and '/etc/init.d/apache start|restart' doesn't work. 'apache -X' reveals that it is actually segfaulting. I usually start apache like this: 'apache -f /etc/apache/httpd-ssl', which works fine. I'm not sure if this means I've been cracked through apache, but something is not right. I'm used to things being odd running unstable, and some handiwork is sometimes needed after a major upgrade, but apache has been like this for a long time now.

The funny thing is that the PIDs in question here are so low. Moreover, they're actually not hidden from ps, just set to 0 (impossible). Here's a short snippet of the output from 'ps uax':

    # ps uax
    USER       PID %CPU %MEM  VSZ  RSS TTY STAT START TIME COMMAND
    root         1  0.2  0.3 1460  448 ?   S    11:07 0:08 init [2]
    root         2  0.0  0.0    0    0 ?   SW   11:07 0:00 [keventd]
    root         0  0.0  0.0    0    0 ?   SWN  11:07 0:00 [ksoftirqd_CPU0]
    root         0  0.0  0.0    0    0 ?   SW   11:07 0:00 [kswapd]
    root         0  0.0  0.0    0    0 ?   SW   11:07 0:00 [bdflush]
    root         0  0.0  0.0    0    0 ?   SW   11:07 0:00 [kupdated]
    root         7  0.0  0.0    0    0 ?   SW   11:07 0:00 [pagebufd]
    root         8  0.0  0.0    0    0 ?   SW   11:07 0:00 [xfslogd/0]
    root         9  0.0  0.0    0    0 ?   SW   11:07 0:00 [xfsdatad/0]
    root        10  0.0  0.0    0    0 ?   SW   11:07 0:00 [kjournald]

As shown, PIDs 3, 4, 5 and 6 are set to 0. I don't know what this means, but I have it on two boxes (the other one is not running apache, but may very well be compromised through the first box).

I hope someone can shed some light on this.

Regards,
nikolai.
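The check chkrootkit's chkproc performs is a set comparison: every numeric entry under /proc is a PID the kernel knows about, and any such PID missing from the `ps` listing is reported as hidden. The following script is an added example, not part of the post or of chkrootkit, that reproduces that comparison and additionally counts rows that `ps` printed with PID 0, which is the symptom the post describes. The `ps uax` rows and the /proc PID set are constructed samples taken from the post; `check_live()` runs the same comparison against the host it is executed on. When the hidden PIDs are exactly the rows shown as 0 and the two counts match, the output tells you that `ps` did print a row for each process but with a wrong PID, rather than printing no row at all, which is the distinction the post draws.

```python
import os
import subprocess

# Constructed sample: the `ps uax` rows quoted in the post (PIDs 3-6 rendered as 0).
SAMPLE_PS_OUTPUT = """\
USER       PID %CPU %MEM  VSZ  RSS TTY STAT START TIME COMMAND
root         1  0.2  0.3 1460  448 ?   S    11:07 0:08 init [2]
root         2  0.0  0.0    0    0 ?   SW   11:07 0:00 [keventd]
root         0  0.0  0.0    0    0 ?   SWN  11:07 0:00 [ksoftirqd_CPU0]
root         0  0.0  0.0    0    0 ?   SW   11:07 0:00 [kswapd]
root         0  0.0  0.0    0    0 ?   SW   11:07 0:00 [bdflush]
root         0  0.0  0.0    0    0 ?   SW   11:07 0:00 [kupdated]
root         7  0.0  0.0    0    0 ?   SW   11:07 0:00 [pagebufd]
root         8  0.0  0.0    0    0 ?   SW   11:07 0:00 [xfslogd/0]
root         9  0.0  0.0    0    0 ?   SW   11:07 0:00 [xfsdatad/0]
root        10  0.0  0.0    0    0 ?   SW   11:07 0:00 [kjournald]
"""

# Constructed sample: the numeric /proc entries the same box would list.
SAMPLE_PROC_PIDS = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10}


def parse_ps_pids(ps_text):
    """Return the PID column of `ps uax` output as a list, header skipped, order kept."""
    pids = []
    for line in ps_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 2 or not fields[1].isdigit():
            continue
        pids.append(int(fields[1]))
    return pids


def list_proc_pids(proc_root="/proc"):
    """PIDs as the kernel reports them: every all-digit directory name under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def compare(proc_pids, ps_pids):
    """
    chkproc-style comparison: a PID with a /proc entry but no matching ps row is
    reported as hidden. Rows that ps printed with PID 0 are counted separately,
    because no real process has PID 0 in a ps listing; if that count equals the
    number of hidden PIDs, ps printed a row per process but with the PID field
    wrong, rather than omitting the process entirely.
    """
    ps_set = set(ps_pids)
    hidden = sorted(pid for pid in proc_pids if pid not in ps_set)
    zero_rows = sum(1 for pid in ps_pids if pid == 0)
    return {"hidden": hidden, "zero_pid_rows": zero_rows}


def check_live():
    """Run the comparison against this host's /proc and `ps uax`.

    A process that exits between the /proc scan and the ps run shows up as
    hidden once; re-run and keep only PIDs flagged on every pass.
    """
    out = subprocess.run(["ps", "uax"], capture_output=True, text=True, check=True).stdout
    return compare(list_proc_pids(), parse_ps_pids(out))


if __name__ == "__main__":
    # Against the post's sample this reports hidden [3, 4, 5, 6] and 4 zero-PID rows.
    print(compare(SAMPLE_PROC_PIDS, parse_ps_pids(SAMPLE_PS_OUTPUT)))
```

`check_live()` needs a Linux host with procps; on a box where `ps` and /proc agree it returns an empty hidden list and zero PID-0 rows.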