On Thu, 17 Jun 2004 08:46:38 +0200 (CEST), Roger Grosswiler wrote: > hi, > > i let chkrootkit running and get the following: > > Checking `lkm'... You have 6 process hidden for readdir command > You have 6 process hidden for ps command > Warning: Possible LKM Trojan installed > > > does anybody have the same? could this be a false positive? Yes to the latter. chkrootkit doesn't support any special changes in the 2.6 kernel yet. This has been discussed before and should be in the archives. Run '/usr/lib/chkrootkit-0.43/chkproc -v', note the process IDs which are listed, and then via the /proc/$PID system examine the processes which are listed. You'll find that these are false positives, which are hidden, and 'ps -m' (and other options) don't find them either.
