------------------------------
Message: 16
Date: Wed, 01 Dec 2004 10:05:14 +1000
From: david walcroft david_walcroft@yahoo.com.au
Subject: LKM Trojan
To: For users of Fedora Core releases fedora-list@redhat.com
Message-ID: 41AD0ABA.2010705@yahoo.com.au
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Hi, yesterday chkrootkit logged this:
Checking `lkm'... You have 2 process hidden for readdir command
You have 2 process hidden for ps command
Warning: Possible LKM Trojan installed
Today it logs:
Checking `lkm'... You have 4 process hidden for readdir command
You have 4 process hidden for ps command
Warning: Possible LKM Trojan installed
Would these be a 'false positive' or for real, and if so, how do I confirm and remove any infected process/trojan?
Thanks david
------------------------------
Hi David,
Sometimes I have 64 process hidden for readdir command... with chkrootkit. But nothing wrong with Rootkit Hunter 1.1.8. (http://www.rootkit.nl/)
Please try it and tell me.
Philippe
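For readers trying to settle David's question with something other than a second scanner: the lkm test in chkrootkit finds PIDs by probing them with kill(pid, 0) and compares that list with readdir on /proc and with ps, so a process that starts or exits between the listings, or (on 2.6 kernels) a thread, which answers kill() but is not listed by readdir on /proc, shows up as "hidden" once. A process a kernel module actually hides stays hidden on every sample. The script below is an added example, not chkrootkit's or rkhunter's code; it assumes a Linux /proc, a working ps, and a 32768 PID range, repeats the comparison a few times, drops threads whose leader is visible, and reports only PIDs hidden in every snapshot.

```python
"""Re-check a chkrootkit-style "N process hidden for readdir/ps" warning.

Added example, not chkrootkit's code. One-off mismatches come from
processes that start/exit between listings and from threads, which
answer kill() but are not in readdir(/proc). A PID a rootkit hides
stays hidden on every sample, so only persistent results are reported.
"""
import os
import subprocess
import time

def pids_by_probe(max_pid=32768):  # assumed default pid range
    """PIDs that exist according to kill(pid, 0); EPERM still means 'exists'."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found

def pids_by_readdir():
    """PIDs a plain directory listing of /proc shows (what chkrootkit calls readdir)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def pids_by_ps():
    """PIDs the ps command reports."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def tgid_of(pid):
    """Thread-group id from /proc/<pid>/status (readable even for TIDs readdir omits); None if unreadable."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None

def hidden_in_snapshot(probe, readdir, ps, tgid):
    """One snapshot: (hidden from readdir, hidden from ps), ignoring threads whose leader is listed.
    `tgid` is a callable pid -> thread-group id or None, so the logic can be exercised offline."""
    threads = set()
    for p in probe:
        leader = tgid(p)
        if leader is not None and leader != p and leader in readdir:
            threads.add(p)
    real = probe - threads
    return real - readdir, real - ps

def persistent_hidden(samples):
    """Keep only PIDs hidden in every snapshot; transient processes drop out here."""
    readdir_sets, ps_sets = zip(*samples)
    return set.intersection(*readdir_sets), set.intersection(*ps_sets)

def scan(rounds=3, pause=1.0):
    samples = []
    for _ in range(rounds):
        samples.append(hidden_in_snapshot(pids_by_probe(), pids_by_readdir(), pids_by_ps(), tgid_of))
        time.sleep(pause)
    return persistent_hidden(samples)

if __name__ == "__main__":
    hidden_readdir, hidden_ps = scan()
    print("hidden from readdir:", sorted(hidden_readdir), "hidden from ps:", sorted(hidden_ps))
```

A PID that survives all rounds in the readdir set is worth a look in /proc/<pid>/status and /proc/<pid>/exe; an empty result after several rounds is the transient-process case Philippe describes.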
Philippe Lasfargues wrote:
Philippe, yes, I did exactly that and no LKM trojans, but rkhunter isn't without its minor hiccups:
[14:23:38] Scanning for file /dev/dev/gaskit/sshd/sshdd... OK. Not found.
[14:23:38] Scanning for directory /dev/dev... WARNING! Exists.
/usr/bin/rkhunter: line 1983: [: /var/rkhunter/tmp: binary operator expected
/usr/bin/rkhunter: line 2075: /var/rkhunter/tmp /tmp/stringstest.dat: No such file or directory
strings: Warning: '/var/rkhunter/tmp' is not an ordinary file
strings: '/tmp/stringstest.dat': No such file
/usr/bin/rkhunter: line 2075: /var/rkhunter/tmp /tmp/stringstest.dat: No such file or directory
These are from yesterday's logs, complaining about its own files and repeated 20 times. Any ideas?
Thanks david
On Thu, 02 Dec 2004 12:33:11 +1000, david walcroft david_walcroft@yahoo.com.au wrote:
file a bug report
Bernd Radinger wrote:
Bug report sent to www.rootkit.nl, 2004-12-03 16:19 (.au time).
david
On Friday 03 December 2004 14:20, david walcroft wrote:
(.au time)
There's about five of those at this time of year :-)