On Thursday 22 January 2004 05:05 pm, Felix C. Stegerman wrote:
> Micha Feigin wrote:
> > On Wed, Jan 21, 2004 at 05:09:08PM -0700, Nate Duehr wrote:
> > > On Wednesday, Jan 21, 2004, at 16:38 America/Denver, David Sanders
> > > wrote:
> > > > I just ran chkrootkit for the first time on a woody machine and
> > > > got:
> > > >
> > > > Checking `lkm'... You have 1 process hidden for ps command
> > > > Warning: Possible LKM Trojan installed
> >
> > <snip>
> >
> > > > What are these warnings and what should I do?
> > >
> > > Of course you should take any and all warnings seriously until
> > > proven otherwise, but I remember seeing that exact warning from a
> > > fairly recently built box with a fairly new kernel on it and then
> > > doing some Google searching and finding out that most modern
> > > kernels will false a few warnings like that LKM Trojan warning
> > > because of some setting I don't quite remember right now.
> >
> > Some of the kernel threads used to show up in ps as pid 0 but they
> > are actually some higher pid and thus their actual pid doesn't show
> > up in ps. That's what used to cause the problem. It currently
> > doesn't show that on my system, don't know when it was changed.
> >
> > Check the archives, there were several threads on the subject.
> > Don't remember the command but there was one of the commands I
> > think under /usr/lib/chkrootkit that showed which processes it
> > thinks are lkm. Maybe someone else can help.
>
> <snip>
>
> # chkrootkit -x lkm
>
> Regards,
>
> Felix

I upgraded to version 0.43 of chkrootkit and the LKM hit went away, now I am getting:

Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient-2.2.x)

Is this a problem?

--
David Sanders
[EMAIL PROTECTED]