Michael,

chkproc produced the same 22 hidden programs that chkrootkit before I upgraded to chkrootkit-043.

Norm

On Sun, 2004-07-25 at 10:09, Michael Schwendt wrote:
> On Sun, 25 Jul 2004 12:14:46 -0400, Scot L. Harris wrote:
>
> > On Sun, 2004-07-25 at 11:52, Norman Nunn wrote:
> > > I got the following indicators:
> > >
> > > ls INFECTED
> > > 22 process hidden for readdir command
> > > 22 process hidden for ps command
> > > Warning: Possible LKM Trojan installed
> > >
> > > The number of hidden command changes.
> > >
> > > Thanks for your input.
> > >
> >
> > chkrootkit reports 11 hidden processes on my laptop. But that number
> > may vary depending on what you are running.
> >
> > Of more concern is the ls INFECTED output in your partial report.
> > See if you can get a good copy of ls and compare the byte size, md5sum
> > and permissions on it. Below is what my system reports.
> >
> > -rwxr-xr-x 1 root root 80688 May 4 12:26 /bin/ls
> >
> > md5sum /bin/ls
> > d319011a3eb49338fe333753b0cfd7bc /bin/ls
> >
> > You need to track that down asap to figure out what that is.
> >
> > It has been awhile but I ran through the exercise to examine what
> > processes were hidden. I want to say it was the ones in []'s when you
> > do a ps -eaf but I don't know if I remember that correctly.
> >
> > I am sure someone here will set me straight on this. :)
>
> With chkrootkit comes a tool called "chkproc". Run it with option -v
> and examine the listed processes via their hidden directories below
> /proc, e.g.
>
> # cd /usr/lib/chkrootkit-0.43
> # ./chkproc -v
> 4348 is a Linux Thread, marking as such...
> # cd /proc/4348
>
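The readdir-versus-direct-lookup comparison discussed in this thread, as an added example that is not part of the original messages and is not chkproc's own code. It assumes a Linux /proc where thread IDs answer a direct /proc/<id> lookup without appearing in the directory listing; the function names and the `lister` parameter are hypothetical.

```python
import os

def listed_pids(proc_root):
    """IDs visible through readdir() on /proc (what ls and ps rely on)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}

def read_status(proc_root, pid):
    """Direct lookup of /proc/<pid>/status; None when the ID does not answer."""
    try:
        with open(os.path.join(proc_root, str(pid), "status")) as fh:
            pairs = (line.partition(":") for line in fh)
            return {key: value.strip() for key, _, value in pairs}
    except OSError:
        return None

def find_unlisted(proc_root="/proc", max_pid=None, lister=listed_pids):
    """Split IDs that answer a direct lookup but are absent from readdir
    into (threads of listed processes, unexplained IDs)."""
    if max_pid is None:
        with open(os.path.join(proc_root, "sys/kernel/pid_max")) as fh:
            max_pid = int(fh.read())
    before = lister(proc_root)
    candidates = []
    for pid in range(1, max_pid + 1):
        if pid in before:
            continue
        status = read_status(proc_root, pid)
        if status is not None:
            tgid = int(status.get("Tgid", pid))
            candidates.append((pid, tgid, status.get("Name", "?")))
    # A second listing absorbs processes that started during the scan.
    seen = before | lister(proc_root)
    threads, unexplained = [], []
    for pid, tgid, name in candidates:
        if pid in seen:
            continue
        if tgid != pid and tgid in seen:
            threads.append((pid, tgid, name))      # thread of a listed process
        else:
            unexplained.append((pid, tgid, name))  # needs a closer look
    return threads, unexplained

if __name__ == "__main__":
    threads, unexplained = find_unlisted()
    print(f"{len(threads)} thread IDs absent from readdir (expected)")
    for pid, tgid, name in unexplained:
        print(f"unlisted ID {pid} ({name}, Tgid {tgid}): inspect /proc/{pid}")
```

An ID in the second list is only a lead: a short-lived process can still race the scan, so repeat the run before treating it as hidden.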