Test with Chkrootkit

Scot L. Harris webid at cfl.rr.com
Sun Jul 25 16:14:46 UTC 2004


On Sun, 2004-07-25 at 11:52, Norman Nunn wrote:
> I got the following indicators:
> 
> ls INFECTED
> 22 process hidden for readdir command 
> 22 process hidden for ps command
> Warning: Possible LKM Trojan installed
> 
> The number of hidden command changes.
> 
> Thanks for your input.
> 

chkrootkit reports 11 hidden processes on my laptop.  But that number
may vary depending on what you are running.

Of more concern is the ls INFECTED output in your partial report.
See if you can get a good copy of ls and compare the byte size, md5sum
and permissions on it.  Below is what my system reports.  

-rwxr-xr-x  1 root root 80688 May  4 12:26 /bin/ls

md5sum /bin/ls
d319011a3eb49338fe333753b0cfd7bc  /bin/ls

You need to track that down ASAP to figure out what that is.  

It has been a while but I ran through the exercise to examine what
processes were hidden.  I want to say it was the ones in []'s when you
do a ps -eaf but I don't know if I remember that correctly.

I am sure someone here will set me straight on this.  :)

-- 
Scot L. Harris
webid at cfl.rr.com

Advancement in position. 
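
The comparison suggested in the message above (byte size, md5sum and permissions of a suspect `ls` against a good copy), written out as an added example that is not part of the original post. The function names are hypothetical, GNU coreutils is assumed, and a SHA-256 digest is included in addition to the md5sum the message mentions. On a host with a suspected LKM trojan the installed tools can misreport, so run this from trusted read-only media.

```shell
#!/bin/sh
# Added example: compare a suspect binary with a known-good reference copy.
# Assumes GNU coreutils (stat -c, md5sum, sha256sum) taken from trusted media.

# fingerprint FILE: print "size mode owner:group md5 sha256" on one line.
fingerprint() {
    f=$1
    meta=$(stat -c '%s %a %U:%G' -- "$f") || return 2
    md5=$(md5sum -- "$f" | cut -d' ' -f1)
    sha=$(sha256sum -- "$f" | cut -d' ' -f1)
    printf '%s %s %s\n' "$meta" "$md5" "$sha"
}

# compare_binary SUSPECT REFERENCE: print one line per differing attribute.
# Returns 0 if everything matches, 1 on any mismatch, 2 if a file is unreadable.
compare_binary() {
    s=$(fingerprint "$1") || return 2
    r=$(fingerprint "$2") || return 2
    rc=0
    i=1
    for name in size mode owner md5 sha256; do
        sv=$(printf '%s\n' "$s" | cut -d' ' -f"$i")
        rv=$(printf '%s\n' "$r" | cut -d' ' -f"$i")
        if [ "$sv" != "$rv" ]; then
            printf 'MISMATCH %-6s suspect=%s reference=%s\n' "$name" "$sv" "$rv"
            rc=1
        fi
        i=$((i + 1))
    done
    return "$rc"
}

# Usage: sh compare.sh /bin/ls /mnt/trusted/bin/ls   (example paths)
if [ "$#" -eq 2 ]; then
    compare_binary "$1" "$2"
fi
```

The reference copy has to come from the same package version and architecture as the suspect file, otherwise size and digests differ for benign reasons.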




