On Wednesday, 3 December 2003 10:03, Vanh Phom wrote:
> Hi folk,
> After reading on report of servers compromised. Just for curiosity I
> run chkrootkit on my own machine and come up with this result:
>
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... not infected
> Checking `lkm'... You have 12 process hidden for readdir command
> You have 12 process hidden for ps command
> Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'...
> eth0: PROMISC
>
> Is my machine compromised? How to fix this?

Find out who uses your eth0 interface in promiscuous mode. Maybe you have programs like ntop or network analysers running. Switch them off and try chkrootkit again.

12 processes? On a 2.2 kernel you should see no such processes; on 2.4, 4 processes seem to be 'normal'. You should find out details about 'LKM' (e.g. google), maybe consult www.chkrootkit.org.

Tim