Chkrootkit anomaly
Sean Page
Sean.Page at epsb.ca
Wed Aug 27 08:25:14 PDT 2003
Hey, that's exactly what I was looking for.
Thanks Dave.
Sean.
-----Original Message-----
From: Dave [Hawk-Systems] [mailto:dave at hawk-systems.com]
Sent: August 27, 2003 9:13 AM
To: Sean Page; freebsd-questions at freebsd.org
Subject: RE: Chkrootkit anomaly
>Since there have already been a couple of questions on this I thought
>I'd see if anyone could shed some light on something I've noticed since
>I started running chkrootkit. It runs every 15 minutes (overkill? Nah.)
>in quiet mode to cut down on noise in the logs, and sporadically I get
>these notifications:
>
>You have 1 process hidden for readdir command
>You have 1 process hidden for ps command
>Warning: Possible LKM Trojan installed
>
>These messages will appear only on the odd occasion, seemingly
>completely at random. False positives or very crafty rootkit?
>Any advice would be greatly appreciated!
http://www.chkrootkit.org/
FAQ item #6 is what you are interested in, although it isn't clear.
The problem is that processes are ending before it can check it, thus they
are incorrectly tagged as hidden and result in a false positive. There are
better resources regarding this (researched it a few months ago) but that is
roughly the gist of it.
Dave
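The race Dave describes, as an added example that is not part of this thread and not chkrootkit's own code: two views of the process table are taken one after the other (a directory listing of /proc, then the output of ps), and a process that exits between the two calls shows up in the first view but not the second, so a naive one-shot comparison reports it as "hidden". The re-sampling in `confirm_hidden` is an assumed mitigation for this example, not something chkrootkit does, and the PIDs in `demo_race` are constructed, not real system data. A PID that survives the re-check still only tells you the two views disagree; it is a prompt to investigate, not proof of a rootkit, and a kernel-level rootkit can hide from both views.

```python
"""Simplified hidden-process check in the style of chkrootkit's chkproc.
Added example; not the tool's code. Shows the one-shot false positive
caused by a transient process and a re-sampling check that removes it."""
import os
import subprocess
from typing import Callable, Set


def pids_from_proc(proc_dir: str = "/proc") -> Set[int]:
    """View 1: PIDs visible as numeric directory entries (readdir on /proc)."""
    return {int(name) for name in os.listdir(proc_dir) if name.isdigit()}


def pids_from_ps() -> Set[int]:
    """View 2: PIDs reported by ps (the process table as userland sees it)."""
    out = subprocess.run(["ps", "-A", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_candidates(readdir_pids: Set[int], ps_pids: Set[int]) -> Set[int]:
    """One-shot comparison: present in the directory listing, absent from ps.
    A process that exited between the two snapshots lands here too."""
    return readdir_pids - ps_pids


def confirm_hidden(readdir_fn: Callable[[], Set[int]],
                   ps_fn: Callable[[], Set[int]],
                   rounds: int = 3) -> Set[int]:
    """Assumed mitigation: keep only PIDs flagged in every round.
    A transient process is gone from the listing on the next round and drops
    out; a PID that is in readdir but missing from ps every time survives."""
    suspects: Set[int] | None = None
    for _ in range(rounds):
        candidates = hidden_candidates(readdir_fn(), ps_fn())
        suspects = candidates if suspects is None else suspects & candidates
        if not suspects:
            break
    return suspects or set()


def demo_race():
    """Constructed snapshots (not real data). PID 4242 is a short-lived job that
    exits between the readdir call and the ps call in round 1. PID 666 stands in
    for a process that is in /proc but never in ps output."""
    readdir_rounds = iter([{1, 2, 100, 666, 4242},
                           {1, 2, 100, 666},
                           {1, 2, 100, 666}])
    ps_rounds = iter([{1, 2, 100},
                      {1, 2, 100},
                      {1, 2, 100}])
    one_shot = hidden_candidates({1, 2, 100, 666, 4242}, {1, 2, 100})
    confirmed = confirm_hidden(lambda: next(readdir_rounds),
                               lambda: next(ps_rounds))
    return one_shot, confirmed


def live_check(rounds: int = 3) -> Set[int]:
    """Run the re-sampled comparison on the local host (Linux /proc only)."""
    if not os.path.isdir("/proc"):
        return set()
    return confirm_hidden(pids_from_proc, pids_from_ps, rounds)


if __name__ == "__main__":
    one_shot, confirmed = demo_race()
    print("one-shot flags (includes the transient PID):", sorted(one_shot))
    print("after re-sampling:", sorted(confirmed))
    print("live host, PIDs to investigate:", sorted(live_check()))
```

On a normal host `live_check` should return an empty set; running it once every 15 minutes from cron, as the original poster does, is exactly where a single-shot comparison will catch short-lived cron children mid-exit, which is the pattern behind the sporadic warnings.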
_______________________________________________
freebsd-questions at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions