Philippe Lasfargues wrote:
Philippe,------------------------------
Message: 16 Date: Wed, 01 Dec 2004 10:05:14 +1000 From: david walcroft <david_walcroft@xxxxxxxxxxxx> Subject: LKM Trojan To: For users of Fedora Core releases <fedora-list@xxxxxxxxxx> Message-ID: <41AD0ABA.2010705@xxxxxxxxxxxx> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Hi, yesterday chkrootkit logged this
Checking `lkm'... You have 2 process hidden for readdir command You have 2 process hidden for ps command Warning: Possible LKM Trojan installed
Today it logs
Checking `lkm'... You have 4 process hidden for readdir command You have 4 process hidden for ps command Warning: Possible LKM Trojan installed
Would these be a 'false positive' or for real and if so how do I confirm and remove any infected process/trojan
Thanks david
------------------------------
Hi David,
Sometimes I have 64 process hidden for readdir command... with chkrootkit.
But nothing wrong with Rootkit Hunter 1.1.8. (http://www.rootkit.nl/)
Please try it and tell me.
Philippe
Yes I did exactly that and no LKM trojans but rkhunter isn't without its
minor hiccups :-
[14:23:38] Scanning for file /dev/dev/gaskit/sshd/sshdd... OK. Not found. [14:23:38] Scanning for directory /dev/dev... WARNING! Exists.
/usr/bin/rkhunter: line 1983: [: /var/rkhunter/tmp: binary operator expected /usr/bin/rkhunter: line 2075: /var/rkhunter/tmp /tmp/stringstest.dat: No such file or directory strings: Warning: '/var/rkhunter/tmp' is not an ordinary file strings: '/tmp/stringstest.dat': No such file /usr/bin/rkhunter: line 2075: /var/rkhunter/tmp /tmp/stringstest.dat: No such file or directory
These are from yesterdays logs - complaining about its own files and repeated
20 times, any ideas.
Thanks david
