| 1 |
HI, I have a potential security problem ... |
| 2 |
|
| 3 |
and err its not on gentoo, its on ubuntu but I am not getting any response |
| 4 |
there & you guys are the most tech bunch I know - Thought I would lay it on |
| 5 |
the table :) |
| 6 |
|
| 7 |
I just had an email from chkrootkit last night - |
| 8 |
|
| 9 |
--- |
| 10 |
|
| 11 |
The following suspicious files and directories were found: |
| 12 |
|
| 13 |
You have 3 process hidden for readdir command |
| 14 |
You have 3 process hidden for ps command |
| 15 |
chkproc: Warning: Possible LKM Trojan installed |
| 16 |
|
| 17 |
--- |
| 18 |
|
| 19 |
Running chkrootkit now and all is OK |
| 20 |
|
| 21 |
root@dave-comp:~# |
| 22 |
root@dave-comp:~# chkrootkit | grep chkproc |
| 23 |
Checking `lkm'... chkproc: nothing detected |
| 24 |
root@dave-comp:~# |
| 25 |
|
| 26 |
I have even 'sudo install --reinstall chkrootkit' in case its binarys have |
| 27 |
been modified (paranoid) |
| 28 |
|
| 29 |
Running rkhunter shows no problems |
| 30 |
|
| 31 |
I am at a bit off a loss and would value some advice / opinions. I can see two |
| 32 |
possibilities |
| 33 |
|
| 34 |
(a) I have a trojan, seems unlikely I am behind a netgear router firewall NAT |
| 35 |
with no incoming ports open. Running nothing more than samba, ssh and unison |
| 36 |
on the local network though I have to admit I have not hardened my system. |
| 37 |
|
| 38 |
(b) Its a false alarm - it is called by /etc/cron.daily so a lot of different |
| 39 |
scripts are called at the same time - though I have no idea what could have |
| 40 |
caused it. |
| 41 |
|
| 42 |
Any help / advice greatfully received |
| 43 |
|
| 44 |
Dave |
| 45 |
-- |
| 46 |
gentoo-user@g.o mailing list |
Archives