On Sun, 25 Jul 2004 12:14:46 -0400, Scot L. Harris wrote:

> On Sun, 2004-07-25 at 11:52, Norman Nunn wrote:
> > I got the following indicators:
> >
> > ls INFECTED
> > 22 process hidden for readdir command
> > 22 process hidden for ps command
> > Warning: Possible LKM Trojan installed
> >
> > The number of hidden command changes.
> >
> > Thanks for your input.
> >
>
> chkrootkit reports 11 hidden processes on my laptop. But that number
> may vary depending on what you are running.
>
> Of more concern is the ls INFECTED output in your partial report.
> See if you can get a good copy of ls and compare the byte size, md5sum
> and permissions on it. Below is what my system reports.
>
> -rwxr-xr-x 1 root root 80688 May 4 12:26 /bin/ls
>
> md5sum /bin/ls
> d319011a3eb49338fe333753b0cfd7bc /bin/ls
>
> You need to track that down asap to figure out what that is.
>
> It has been awhile but I ran through the exercise to examine what
> processes were hidden. I want to say it was the ones in []'s when you
> do a ps -eaf but I don't know if I remember that correctly.
>
> I am sure someone here will set me straight on this. :)

With chkrootkit comes a tool called "chkproc". Run it with option -v
and examine the listed processes via their hidden directories below
/proc, e.g.

# cd /usr/lib/chkrootkit-0.43
# ./chkproc -v
4348 is a Linux Thread, marking as such...
# cd /proc/4348
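Added example, not part of the original message and not chkrootkit's code: a simplified version of the comparison behind the "hidden for readdir" count. It lists /proc, probes every PID directory directly, and separates entries that are merely threads (as in the "4348 is a Linux Thread" line) from ones that need a closer look. The function names are hypothetical, and the thread test assumes the kernel exposes a Tgid field in /proc/<pid>/status.

```python
import os

def listed_pids(proc_root="/proc"):
    """PIDs that a directory listing (readdir) of /proc shows."""
    return {int(n) for n in os.listdir(proc_root) if n.isdigit()}

def read_status(proc_root, pid):
    """Parse /proc/<pid>/status into a dict; empty if the process is gone."""
    fields = {}
    try:
        with open(os.path.join(proc_root, str(pid), "status")) as fh:
            for line in fh:
                key, sep, value = line.partition(":")
                if sep:
                    fields[key.strip()] = value.strip()
    except OSError:
        pass  # exited between probe and read, or not readable
    return fields

def unlisted_pids(listed, proc_root="/proc", max_pid=32768):
    """Probe each PID directly and classify those the listing did not show."""
    findings = {}
    for pid in range(1, max_pid + 1):
        path = os.path.join(proc_root, str(pid))
        if pid in listed or not os.path.isdir(path):
            continue
        status = read_status(proc_root, pid)
        tgid = status.get("Tgid")
        if tgid and tgid.isdigit() and int(tgid) != pid:
            # A thread: reachable by path but not listed. Expected, not a finding.
            findings[pid] = "thread of %s" % tgid
        else:
            # Reachable by path, absent from the listing, and not a thread.
            findings[pid] = "unlisted: %s" % status.get("Name", "?")
    return findings

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as fh:
        limit = int(fh.read())
    results = unlisted_pids(listed_pids(), max_pid=limit)
    for pid, verdict in sorted(results.items()):
        print(pid, verdict)
```

A process that starts between the listing and the probe will show up as "unlisted" once, so repeat the run before treating an entry as a finding. On a host suspected of a kernel-level compromise, the results are only as trustworthy as the kernel answering the reads.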