Re: Test with Chkrootkit

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sun, 25 Jul 2004 12:14:46 -0400, Scot L. Harris wrote:

> On Sun, 2004-07-25 at 11:52, Norman Nunn wrote:
> > I got the following indicators:
> > 
> > ls INFECTED
> > 22 process hidden for readdir command 
> > 22 process hidden for ps command
> > Warning: Possible LKM Trojan installed
> > 
> > The number of hidden command changes.
> > 
> > Thanks for your input.
> > 
> 
> chkrootkit reports 11 hidden processes on my laptop.  But that number
> may vary depending on what you are running.
> 
> Of more concern is the ls INFECTED output in your partial report.
> See if you can get a good copy of ls and compare the byte size, md5sum
> and permissions on it.  Below is what my system reports.  
> 
> -rwxr-xr-x  1 root root 80688 May  4 12:26 /bin/ls
> 
> md5sum /bin/ls
> d319011a3eb49338fe333753b0cfd7bc  /bin/ls
> 
> You need to track that down asap to figure out what that is.  
> 
> It has been awhile but I ran through the exercise to examine what
> processes were hidden.  I want to say it was the ones in []'s when you
> do a ps -eaf but I don't know if I remember that correctly.
> 
> I am sure someone here will set me straight on this.  :)

With chkrootkit comes a tool called "chkproc". Run it with option -v
and examine the listed processes via their hidden directories below
/proc, e.g.

  # cd /usr/lib/chkrootkit-0.43
  # ./chkproc -v
  4348 is a Linux Thread, marking as such...
  # cd /proc/4348



[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux