On Sunday 25 July 2004 11:52, Norman Nunn wrote:
>I got the following indicators:
>
>ls INFECTED
>22 process hidden for readdir command
>22 process hidden for ps command
>Warning: Possible LKM Trojan installed

Yup, you've been rooted, pull the network cable and see if you can
reboot to the distribution and refresh the other tools, like ls, top,
and a bunch of others. You may have to get acquainted with a command
called chattr because these jerks tend to set the immutable bit on
their replacement versions.

>The number of hidden command changes.
>
>Thanks for your input.
>
>Norm
>
>On Sun, 2004-07-25 at 08:43, Scot L. Harris wrote:
>> On Sun, 2004-07-25 at 11:36, Norman Nunn wrote:
>> > In checking the chkrootkit website, I noticed that chkrootkit
>> > had not been tested (or completed testing) with the 2.6 kernel.
>> > Is it reliable for FC2? I have some indicator that may prompt
>> > me to do a fresh reinstall and would appreciate input before I
>> > go to that effort. Clamscan did not pick up anything for me.
>> >
>> > Norm
>>
>> What is the indication you are getting?
>>
>> Is it processes that appear to be hidden?
>>
>> I believe that is a known issue. If you investigate further I
>> believe those processes are fine. chkrootkit does need to be
>> updated/modified to correctly identify those processes.
>>
>> --
>> Scot L. Harris
>> webid@xxxxxxxxxx
>>
>> Nothing is more admirable than the fortitude with which
>> millionaires tolerate the disadvantages of their wealth.
>> -- Nero Wolfe

--
Cheers, Gene
There are 4 boxes to be used in defense of liberty.
Soap, ballot, jury, and ammo.
Please use in that order, starting now. -Ed Howdershelt, Author
Additions to this message made by Gene Heskett are Copyright 2004,
Maurice E. Heskett, all rights reserved.
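An added illustration of the "hidden for readdir" indicator discussed in this thread (not chkrootkit's code and not written by any poster): it assumes the indicator comes from comparing the directory listing of /proc with IDs that can still be opened directly, and it separates thread IDs, which Linux leaves out of that listing, from IDs with no visible owning process. All function names are hypothetical.

```python
import os

def listed_pids(proc="/proc"):
    """IDs that a directory listing (readdir) of /proc returns."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def parse_status(text):
    """Parse the 'Key:<tab>value' lines of a /proc/<id>/status file."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def classify(pid, listed, status_text):
    """Return 'listed', 'thread' (benign) or 'hidden' (needs investigation)."""
    if pid in listed:
        return "listed"
    tgid = parse_status(status_text).get("Tgid", "")
    # A thread reports its owning process in Tgid; it is only benign if
    # that owning process is itself visible in the listing.
    if tgid.isdigit() and int(tgid) != pid and int(tgid) in listed:
        return "thread"
    return "hidden"

def scan(proc="/proc", max_id=None):
    """Probe every ID that is openable but absent from the listing."""
    if max_id is None:
        with open(os.path.join(proc, "sys/kernel/pid_max")) as fh:
            max_id = int(fh.read())
    listed, found = listed_pids(proc), {}
    for pid in range(1, max_id + 1):
        if pid in listed:
            continue
        try:
            with open(os.path.join(proc, str(pid), "status")) as fh:
                found[pid] = classify(pid, listed, fh.read())
        except OSError:
            continue  # no such ID, or it exited while being read
    # Processes started during the scan show up in a second listing; drop them.
    later = listed_pids(proc)
    return {pid: kind for pid, kind in found.items() if pid not in later}

if __name__ == "__main__":
    for pid, kind in sorted(scan().items()):
        print(pid, kind)
```

The answers come from the running kernel, so a result of only `thread` entries is meaningful only when the kernel itself is trusted; on a suspect host, examine the disk from known-good boot media instead.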