Re: Test with Chkrootkit

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Michael, chkproc produced the same 22 hidden programs that chkrootkit
before I upgraded to chkrootkit-043.

Norm

On Sun, 2004-07-25 at 10:09, Michael Schwendt wrote:
> On Sun, 25 Jul 2004 12:14:46 -0400, Scot L. Harris wrote:
> 
> > On Sun, 2004-07-25 at 11:52, Norman Nunn wrote:
> > > I got the following indicators:
> > > 
> > > ls INFECTED
> > > 22 process hidden for readdir command 
> > > 22 process hidden for ps command
> > > Warning: Possible LKM Trojan installed
> > > 
> > > The number of hidden command changes.
> > > 
> > > Thanks for your input.
> > > 
> > 
> > chkrootkit reports 11 hidden processes on my laptop.  But that number
> > may vary depending on what you are running.
> > 
> > Of more concern is the ls INFECTED output in your partial report.
> > See if you can get a good copy of ls and compare the byte size, md5sum
> > and permissions on it.  Below is what my system reports.  
> > 
> > -rwxr-xr-x  1 root root 80688 May  4 12:26 /bin/ls
> > 
> > md5sum /bin/ls
> > d319011a3eb49338fe333753b0cfd7bc  /bin/ls
> > 
> > You need to track that down asap to figure out what that is.  
> > 
> > It has been awhile but I ran through the exercise to examine what
> > processes were hidden.  I want to say it was the ones in []'s when you
> > do a ps -eaf but I don't know if I remember that correctly.
> > 
> > I am sure someone here will set me straight on this.  :)
> 
> With chkrootkit comes a tool called "chkproc". Run it with option -v
> and examine the listed processes via their hidden directories below
> /proc, e.g.
> 
>   # cd /usr/lib/chkrootkit-0.43
>   # ./chkproc -v
>   4348 is a Linux Thread, marking as such...
>   # cd /proc/4348
> 



[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux