-----Original Message-----
From: fedora-list-bounces@xxxxxxxxxx [mailto:fedora-list-bounces@xxxxxxxxxx] On Behalf Of Geoffrey Leach
Sent: Sunday, July 25, 2004 6:27 PM
To: For users of Fedora Core releases
Subject: Re: Test with Chkrootkit

On 07.25 13:44, Gene Heskett wrote:
> On Sunday 25 July 2004 11:52, Norman Nunn wrote:
> >I got the following indicators:
> >
> >ls INFECTED
> >22 process hidden for readdir command
> >22 process hidden for ps command
> >Warning: Possible LKM Trojan installed
>
> Yup, you've been rooted, pull the network cable and see if you can
> reboot to the distribution and refresh the other tools, like ls, top,
> and a bunch of others. You may have to get acquainted with a command
> called chattr because these jerks tend to set the immutable bit on
> their replacement versions.
>
> >On Sun, 2004-07-25 at 08:43, Scot L. Harris wrote:
> >> On Sun, 2004-07-25 at 11:36, Norman Nunn wrote:
> >> > In checking the chkrootkit website, I noticed that chkrootkit
> >> > had not been tested (or completed testing) with the 2.6 kernel.
> >> > Is it reliable for FC2? I have some indicator that may prompt
> >> > me to do a fresh reinstall and would appreciate input before I
> >> > go to that effort. Clamscan did not pick up anything for me.

>To further analyze the problem, run ./chkproc -v to get a list of the
>hidden processes, then run cat /proc/<pid>/cmd to see the processes
>that are hidden.

cat /proc/<pid>/cmdline...

I just installed chkrootkit and I got the "Warning: Possible LKM Trojan installed". So I ran the chkproc, and then ran 'cat /proc/<pid>/cmdline' on the processes. Nothing looks out of place. I'm running 2.6.6 FC2.

Of the 8 hidden processes, 3 have turned up "nautilus--no-default-window--sm-client-iddefault3". Not sure what these are, but everything else turned up "not infected".

Thanks for the tip about chkrootkit. I'm also looking into clamav...

Regards,
John

BTW, I'm using version 0.43 on a 2.6 kernel. Works fine, as far as I can tell.

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
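The check the thread is discussing, as an added example that is not part of the thread and is not chkrootkit's or chkproc's own code. It reduces the "process hidden for ps command" test to a few shell functions: collect the PID list from two independent views (directory entries under /proc, and the output of `ps`), report any PID that /proc shows but `ps` does not, and print that process's `/proc/<pid>/cmdline` with the NUL argument separators turned into spaces. That last step explains the output quoted above: `cmdline` separates arguments with NUL bytes, so `cat` runs them together as "nautilus--no-default-window--sm-client-iddefault3". The script assumes a Linux /proc, a POSIX `ps -e -o pid=`, awk, tr and sed; the script name `hidden_procs.sh` and the `--scan` flag are this example's own. chkproc's second view, probing each PID with kill(2) to find processes hidden from readdir, is not reproduced here.

```shell
#!/bin/sh
# Added example, not code from the thread or from chkrootkit/chkproc.
# Compares the PIDs visible under /proc with those reported by ps and
# reports the ones ps does not show, then prints their cmdline.

# PIDs as seen by reading the /proc directory (numeric entries only).
proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && echo "${d#/proc/}"
    done
}

# PIDs as reported by ps (POSIX: -e all processes, -o pid= no header).
ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# Print every line of list $1 that does not appear in list $2.
# Both arguments are newline-separated strings, so this part can be
# exercised offline with constructed input.
missing_from() {
    printf '%s\n' "$1" | awk -v other="$2" '
        BEGIN { n = split(other, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        $0 != "" && !($0 in seen)'
}

# Read a cmdline-style stream (NUL-separated arguments) from stdin and
# render it as one space-separated line, dropping the trailing separator.
format_cmdline() {
    tr '\000' ' ' | sed 's/ *$//'
}

# PIDs present in /proc but absent from ps. A process that starts or
# exits between the two snapshots would appear here once, so every
# candidate is re-checked: it must still exist in /proc and still be
# missing from a fresh ps listing before it is reported.
hidden_from_ps() {
    first=$(missing_from "$(proc_pids)" "$(ps_pids)")
    [ -n "$first" ] || return 0
    fresh=$(ps_pids)
    for pid in $first; do
        [ -d "/proc/$pid" ] || continue
        if ! printf '%s\n' "$fresh" | grep -qx "$pid"; then
            echo "$pid"
        fi
    done
}

# The live scan runs only when asked for, so the functions above can be
# sourced or tested without touching the process table:
#     sh hidden_procs.sh --scan
if [ "${1:-}" = "--scan" ]; then
    found=0
    for pid in $(hidden_from_ps); do
        found=1
        cmd=$(format_cmdline < "/proc/$pid/cmdline" 2>/dev/null || echo '(cmdline unreadable)')
        printf 'PID %s hidden from ps: %s\n' "$pid" "$cmd"
    done
    if [ "$found" -eq 0 ]; then
        echo "no PID visible in /proc is missing from ps"
    fi
fi
```

A PID that survives the re-check still deserves the treatment the thread describes rather than a shrug: the comparison only says that two views of the process table disagree, and on a box whose `ps` or kernel has been replaced neither view is trustworthy, which is why the advice above is to boot known-good media and refresh the tools from there.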