On Mon, Apr 4, 2011 at 3:08 PM, Mick <michaelkintzios@×××××.com> wrote:
> You have 2 process hidden for readdir command
> You have 3 process hidden for ps command
> chkproc: Warning: Possible LKM Trojan installed

I don't get this message when I run it, but looking at the source code
it looks like the chkproc program reads /proc/ entries and compares them
to the output of the ps command.

The changelog was last updated in January 2006. So if anything in the
Linux kernel /proc/ subsystem or the procps package has changed in the
past 5 years then maybe you're getting a false positive...

You might be able to do a quick manual comparison of the pids in
/proc/ to the output of ps -A or something and see if anything jumps
out at you. Of course ignore the pid of ls or ps when you're running
it. :)

If you're suspicious of your "ps" binary I would do "which ps" to be
sure ps is the one you really expect. Maybe re-emerge procps to
replace it, too.

> The tty of the following user process(es) were not found
> in /var/run/utmp !
> ! RUID PID TTY CMD

I do get this message (with my X process listed below it)

> however, rkhunter shows:
>
> Heroin LKM [ Not found ]
>
> Is this different to LKM Trojan mentioned above?

I think LKM is just shorthand for "Loadable Kernel Module", not the
name of any particular trojan.
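The manual /proc-versus-ps comparison suggested above, written out as a small POSIX sh script. This is an added example, not code from the original thread, from chkrootkit or from procps. It assumes a Linux /proc and a procps-style ps that accepts `-A -o pid=`; it takes two snapshots a second apart and only reports a pid that is missing from the same side both times, which is how it "ignores the pid of ps" and any other short-lived process without hand-picking pids. The pid lists fed to the pure comparison functions in any test are constructed values, not real processes.

```shell
#!/bin/sh
# Added example (not from the thread): compare pids visible in /proc with
# pids reported by ps, the same comparison chkproc is described as doing.
# Assumes Linux /proc and a procps-style ps supporting "-A -o pid=".

# proc_pids: numeric entries under /proc (one process per line), i.e. what
# a readdir of /proc sees.
proc_pids() {
    for d in /proc/[0-9]*; do
        printf '%s\n' "${d#/proc/}"
    done
}

# ps_pids: pids as reported by ps, leading blanks removed.
ps_pids() {
    ps -A -o pid= | tr -d ' '
}

# list_diff A B: print every pid in A (whitespace/newline separated) that
# does not occur in B. Pure function, no process access.
list_diff() {
    _b=" $(printf '%s' "$2" | tr '\n' ' ') "
    for _p in $1; do
        case "$_b" in
            *" $_p "*) ;;                 # present in both lists
            *) printf '%s\n' "$_p" ;;     # only in the first list
        esac
    done
}

# list_common A B: print every pid that occurs in both lists.
list_common() {
    _b=" $(printf '%s' "$2" | tr '\n' ' ') "
    for _p in $1; do
        case "$_b" in
            *" $_p "*) printf '%s\n' "$_p" ;;
        esac
    done
}

# check_hidden_pids: take two snapshots one second apart and report only
# pids that are on the same side of the difference both times. The ps that
# produced each snapshot, and any process that exited in between, appears
# in one pass only and is dropped by the intersection. Returns 1 if any
# persistent discrepancy was found, 0 otherwise.
check_hidden_pids() {
    p1=$(proc_pids); s1=$(ps_pids)
    sleep 1
    p2=$(proc_pids); s2=$(ps_pids)
    hidden_from_ps=$(list_common "$(list_diff "$p1" "$s1")" "$(list_diff "$p2" "$s2")")
    hidden_from_readdir=$(list_common "$(list_diff "$s1" "$p1")" "$(list_diff "$s2" "$p2")")
    status=0
    for p in $hidden_from_ps; do
        # /proc/PID/comm gives the short command name for a first look
        echo "pid $p is in /proc but not in ps output: $(cat "/proc/$p/comm" 2>/dev/null)"
        status=1
    done
    for p in $hidden_from_readdir; do
        echo "pid $p is in ps output but not in /proc"
        status=1
    done
    [ "$status" -eq 0 ] && echo "no persistent discrepancy between /proc and ps"
    return "$status"
}

# Only run the live check where /proc and ps are actually available.
if [ -d /proc/self ] && command -v ps >/dev/null 2>&1; then
    check_hidden_pids
fi
```

A pid that survives both passes on the "/proc but not ps" side is exactly the case chkproc warns about; compare it against a ps run from a freshly reinstalled procps before treating it as a kernel-module rootkit, since a ps/procps or /proc format change produces the same symptom.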