Test with Chkrootkit

John Dangler jdangler at atlantic.net
Sun Jul 25 22:48:59 UTC 2004


-----Original Message-----
From: fedora-list-bounces at redhat.com [mailto:fedora-list-bounces at redhat.com]
On Behalf Of Geoffrey Leach
Sent: Sunday, July 25, 2004 6:27 PM
To: For users of Fedora Core releases
Subject: Re: Test with Chkrootkit

On 07.25 13:44, Gene Heskett wrote:
> On Sunday 25 July 2004 11:52, Norman Nunn wrote:
> >I got the following indicators:
> >
> >ls INFECTED
> >22 process hidden for readdir command
> >22 process hidden for ps command
> >Warning: Possible LKM Trojan installed
> 
> Yup, you've been rooted, pull the network cable and see if you can
> reboot to the distribution and refresh the other tools, like ls, top,
> and a bunch of others.  You may have to get acquainted with a command
> called chattr because these jerks tend to set the immutable bit on
> their replacement versions.
>

> >On Sun, 2004-07-25 at 08:43, Scot L. Harris wrote:
> >> On Sun, 2004-07-25 at 11:36, Norman Nunn wrote:
> >> > In checking the chkrootkit website, I noticed that chkrootkit
> >> > had not been tested (or completed testing) with the 2.6 kernel.
> >> > Is it reliable for FC2?  I have some indicator that may prompt
> >> > me to do a fresh reinstall and would appreciate input before I
> >> > go to that effort. Clamscan did not pickup anything for me.

>To further analyze the problem, run ./chkproc -v to get a list of the  
>hidden processes, then run cat /proc/<pid>/cmd to see the processes  
>that are hidden.

cat /proc/<pid>/cmdline...

I just installed chkrootkit and I got the "Warning: Possible LKM Trojan
installed".  So I ran chkproc, and then ran 'cat /proc/<pid>/cmdline' on
the processes.  Nothing looks out of place.  I'm running 2.6.6 FC2.  Of the
8 hidden processes, 3 have turned up
"nautilus--no-default-window--sm-client-iddefault3"

Not sure what these are, but everything else turned up "not infected".
Thanks for the tip about chkrootkit.  I'm also looking into clamav...

Regards,

John 

BTW, I'm using version 0.43 on a 2.6 kernel.  Works fine, as far as I  
can tell.


-- 
fedora-list mailing list
fedora-list at redhat.com
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
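The readdir-versus-lookup comparison behind chkproc's "process hidden" message, written here as an added Python example (not chkrootkit's own C code) of the procedure the thread describes: it probes /proc by direct path lookup, compares that against the directory listing, and uses the Tgid field of /proc/<pid>/status to tell a thread of a visible multi-threaded program such as nautilus (a 2.6 kernel answers /proc/<tid> by lookup but leaves it out of readdir(/proc)) from a PID with no visible owner, whose cmdline is then worth reading. The PROC constant and all function names are this example's own.

```python
import os

PROC = "/proc"  # assumption: a Linux procfs mounted at the usual place

def pids_from_readdir(proc=PROC):
    """What ls and ps see: the numeric directory entries of /proc."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}

def pids_from_lookup(max_pid, proc=PROC):
    """Direct path lookup of every /proc/<n>; a readdir-only filter misses this."""
    return {n for n in range(1, max_pid + 1)
            if os.path.exists(f"{proc}/{n}/status")}

def tgid_of(pid, proc=PROC):
    """Thread group leader of pid from /proc/<pid>/status, or None."""
    try:
        with open(f"{proc}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None

def cmdline_of(pid, proc=PROC):
    """The cmdline the thread suggests inspecting, NULs turned into spaces."""
    try:
        with open(f"{proc}/{pid}/cmdline", "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return ""

def classify(visible, reachable, tgid_lookup=tgid_of):
    """Split lookup-only PIDs into threads of a visible process (benign: 2.6+
    readdir lists only group leaders) and PIDs with no visible owner."""
    threads, hidden = [], []
    for pid in sorted(reachable - visible):
        tg = tgid_lookup(pid)
        (threads if tg is not None and tg != pid and tg in visible
         else hidden).append(pid)
    return threads, hidden

def scan():
    with open(f"{PROC}/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    before = pids_from_readdir()           # listing taken twice so a process
    reachable = pids_from_lookup(max_pid)  # that starts mid-scan is not
    after = pids_from_readdir()            # reported as hidden
    return classify(before | after, reachable)
```

On a live box, `threads, hidden = scan()` followed by `cmdline_of(pid)` for each entry of `hidden` reproduces the chkproc-then-cmdline walk from the thread, with the nautilus-style thread IDs already set aside.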