On Sunday 25 July 2004 11:52, Norman Nunn wrote:
>I got the following indicators:
>
>ls INFECTED
>22 process hidden for readdir command
>22 process hidden for ps command
>Warning: Possible LKM Trojan installed
Yup, you've been rooted, pull the network cable and see if you can reboot to the distribution and refresh the other tools, like ls, top, and a bunch of others. You may have to get acquainted with a command called chattr because these jerks tend to set the immutable bit on their replacement versions.
>On Sun, 2004-07-25 at 08:43, Scot L. Harris wrote:
>> On Sun, 2004-07-25 at 11:36, Norman Nunn wrote:
>> > In checking the chkrootkit website, I noticed that chkrootkit
>> > had not been tested (or completed testing) with the 2.6 kernel.
>> > Is it reliable for FC2? I have some indicator that may prompt
>> > me to do a fresh reinstall and would appreciate input before I
>> > go to that effort. Clamscan did not pick up anything for me.
To further analyze the problem, run ./chkproc -v to get a list of the hidden processes, then run cat /proc/<pid>/cmd to see the processes that are hidden.
BTW, I'm using version 0.43 on a 2.6 kernel. Works fine, as far as I can tell.
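
The hidden-process check discussed in this thread, sketched as an added example (not part of the original messages and not chkrootkit's code): it probes each PID by direct lookup under /proc, skips thread IDs (which Linux resolves under /proc but leaves out of the directory listing), and prints each remaining PID with the contents of /proc/<pid>/cmdline. The function names and the PROC override are assumptions made for this example.

```shell
#!/bin/sh
# Added example: list PIDs that resolve under /proc but are absent from a
# process listing, with their command lines. PROC can be overridden so the
# logic can be run against a constructed directory tree.
PROC="${PROC:-/proc}"

# Thread-group ID from <pid>/status. If it differs from the PID, the entry
# is a thread of another process, not a process of its own.
tgid_of() {
    awk '/^Tgid:/ { print $2; exit }' "$PROC/$1/status" 2>/dev/null
}

# Command line as one readable line (arguments are NUL-separated on disk).
# Kernel threads have an empty cmdline, so fall back to the Name: field.
cmdline_of() {
    cl_cmd=$(tr '\000' ' ' 2>/dev/null < "$PROC/$1/cmdline")
    cl_cmd=${cl_cmd% }
    if [ -z "$cl_cmd" ]; then
        cl_cmd="[$(awk '/^Name:/ { print $2; exit }' "$PROC/$1/status" 2>/dev/null)]"
    fi
    printf '%s\n' "$cl_cmd"
}

# hidden_pids MAX LISTED_FILE
# Probe PIDs 1..MAX by direct lookup; print "PID cmdline" for each one that
# exists, is a thread-group leader, and is not in LISTED_FILE (one PID per line).
hidden_pids() {
    hp_pid=1
    while [ "$hp_pid" -le "$1" ]; do
        if [ -d "$PROC/$hp_pid" ] &&
           [ "$(tgid_of "$hp_pid")" = "$hp_pid" ] &&
           ! grep -qx "$hp_pid" "$2"; then
            printf '%s %s\n' "$hp_pid" "$(cmdline_of "$hp_pid")"
        fi
        hp_pid=$((hp_pid + 1))
    done
}

# Live use, ideally with tools run from known-good media:
#   ps -e -o pid= | tr -d ' ' > /tmp/ps.pids
#   hidden_pids "$(cat /proc/sys/kernel/pid_max)" /tmp/ps.pids
```

On a host that may be compromised, the ps and shell binaries themselves are suspect, so the listing is only meaningful when the tools come from trusted media.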