On Mon, Apr 4, 2011 at 3:08 PM, Mick <michaelkintz...@gmail.com> wrote:
> You have 2 process hidden for readdir command
> You have 3 process hidden for ps command
> chkproc: Warning: Possible LKM Trojan installed

I don't get this message when I run it, but looking at the source code it looks like the chkproc program reads /proc/ entries and compares them to the output of the ps command. The changelog was last updated in January 2006. So if anything in the Linux kernel /proc/ subsystem or the procps package has changed in the past 5 years then maybe you're getting a false positive...

You might be able to do a quick manual comparison of the pids in /proc/ to the output of ps -A or something and see if anything jumps out at you. Of course ignore the pid of ls or ps when you're running it. :)

If you're suspicious of your "ps" binary I would do "which ps" to be sure ps is the one you really expect. Maybe re-emerge procps to replace it, too.

> The tty of the following user process(es) were not found
> in /var/run/utmp !
> ! RUID PID TTY CMD

I do get this message (with my X process listed below it)

> however, rkhunter shows:
>
> Heroin LKM [ Not found ]
>
> Is this different to LKM Trojan mentioned above?

I think LKM is just shorthand for "Loadable Kernel Module", not the name of any particular trojan.
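
The manual /proc versus ps -A comparison suggested in the reply above, written out as an added example (not part of the original message and not chkproc's own code). The function names are chosen for this example; processes that start or exit between the two snapshots, including the ps process itself, will show up as differences and should be ignored.

```shell
#!/bin/sh
# Added example: compare numeric entries under a proc root with the PID list from ps.

# List PIDs that have a directory under the given proc root (default /proc).
proc_pids() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        name=${d##*/}
        case $name in
            *[!0-9]*) ;;          # skip names that are not purely numeric
            *) echo "$name" ;;
        esac
    done | sort
}

# Normalise ps output read from stdin (padded, one PID per line) into a sorted list.
ps_pids() {
    tr -d ' \t' | grep -E '^[0-9]+$' | sort
}

# Print PIDs listed in file $1 that are missing from file $2 (both sorted the same way).
only_in_first() {
    comm -23 "$1" "$2"
}

# Live comparison: snapshot both views, then report the differences in each direction.
compare_live() {
    tmp=$(mktemp -d) || return 1
    ps -A -o pid= | ps_pids > "$tmp/ps"
    proc_pids /proc > "$tmp/proc"
    echo "In /proc but not in ps:"; only_in_first "$tmp/proc" "$tmp/ps"
    echo "In ps but not in /proc:"; only_in_first "$tmp/ps" "$tmp/proc"
    rm -rf "$tmp"
}

# Run against the live system only when invoked with the argument "live".
if [ "${1:-}" = "live" ]; then
    compare_live
fi
```

Running it a second time helps separate short-lived processes from a PID that is consistently visible in one view only.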