| 1 |
On Mon, Apr 4, 2011 at 3:08 PM, Mick <michaelkintzios@×××××.com> wrote: |
| 2 |
> You have 2 process hidden for readdir command |
| 3 |
> You have 3 process hidden for ps command |
| 4 |
> chkproc: Warning: Possible LKM Trojan installed |
| 5 |
|
| 6 |
I don't get this message when I run it, but looking at the source code |
| 7 |
it looks like the chkproc program reads /proc/ entries and compares it |
| 8 |
to the output of the ps command. |
| 9 |
|
| 10 |
The changelog was last updated in January 2006. So if anything in |
| 11 |
linux kernel /proc/ subsystem or the procps package has changed in the |
| 12 |
past 5 years then maybe you're getting a false positive... |
| 13 |
|
| 14 |
You might be able to do a quick manual comparison of the pids in |
| 15 |
/proc/ to the output of ps -A or something and see if anything jumps |
| 16 |
out at you. Of course ignore the pid of ls or ps when you're running |
| 17 |
it. :) |
| 18 |
|
| 19 |
If you're suspicious of your "ps" binary I would do "which ps" to be |
| 20 |
sure ps is the one you really expect. Maybe re-emerge procps to |
| 21 |
replace it, too. |
| 22 |
|
| 23 |
> The tty of the following user process(es) were not found |
| 24 |
> in /var/run/utmp ! |
| 25 |
> ! RUID PID TTY CMD |
| 26 |
|
| 27 |
I do get this message (with my X process listed below it) |
| 28 |
|
| 29 |
> however, rkhunter shows: |
| 30 |
> |
| 31 |
> Heroin LKM [ Not found ] |
| 32 |
> |
| 33 |
> Is this different to LKM Trojan mentioned above? |
| 34 |
|
| 35 |
I think LKM is just shorthand for "Loadable Kernel Module", not the |
| 36 |
name of any particular trojan. |
Archives