chkrootkit: LKM trojan(?) and strange cron behaviour
Jason Stewart
jstewart at rtl.org
Tue May 13 05:43:13 PDT 2003
On Tue, 2003-05-13 at 06:47, Greg Lane wrote:
> Nevertheless, I went further
> investigating and found an interesting message from chkrootkit
> at 3 am May 10 (2 days before):
>
> Checking `lkm'... You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> That was the only abnormal message that night and everything was
> normal before this (for at least a month) and for the next two
> nights till cron died (I run chkrootkit from cron just before
> 3am each night).
>
> I just ran chkrootkit again and it reports nothing. I am building
> static executables on another stable machine at the moment so that
> I can run chkrootkit with known executables.
<snip>
> Has anyone ever seen this message from chkrootkit before and
> determined it was a false alarm? (Note that I am running stable
> and this is not the known problems with chkrootkit and current.)
Hi Greg,
This could be a false alarm. I've had them before, and they seem to only
happen on the boxes that I have Apache running on. I would suggest
keeping your eye on the box very closely for a while to be safe. If
possible, monitor network traffic from another box for a while.
> Would you be concerned?!?!?
I would be concerned, but not alarmed.
Jason
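
Added example, not part of the original message and not chkrootkit's own code: a way to separate a one-off "process hidden for readdir/ps" discrepancy from one that persists, by comparing process views over several passes. The view names, the "probe" reference view, the `min_hits` threshold and all PIDs are assumptions constructed for illustration.

```python
from typing import Dict, Iterable, List, Set, Tuple

Sample = Dict[str, Set[int]]  # view name -> PIDs that view reported in one pass


def hidden_in_sample(sample: Sample, reference: str = "probe") -> Dict[int, List[str]]:
    """Map each PID the reference view saw to the views that did not list it."""
    findings: Dict[int, List[str]] = {}
    for pid in sample[reference]:
        missed = sorted(v for v, pids in sample.items()
                        if v != reference and pid not in pids)
        if missed:
            findings[pid] = missed
    return findings


def persistent_hidden(samples: Iterable[Sample], min_hits: int = 2,
                      reference: str = "probe") -> Dict[int, List[str]]:
    """Keep PIDs missing from the same view in at least min_hits passes.

    A process that forks or exits between two listings shows up as a
    one-pass discrepancy; one that stays missing pass after pass does not
    fit that explanation. PID reuse between passes is not handled here.
    """
    counts: Dict[Tuple[int, str], int] = {}
    for sample in samples:
        for pid, views in hidden_in_sample(sample, reference).items():
            for view in views:
                counts[(pid, view)] = counts.get((pid, view), 0) + 1
    result: Dict[int, List[str]] = {}
    for (pid, view), hits in sorted(counts.items()):
        if hits >= min_hits:
            result.setdefault(pid, []).append(view)
    return result


# Constructed samples (not real output). "probe" stands for a direct per-PID
# check, "readdir" for a /proc directory listing, "ps" for parsed ps output.
STEADY = {1, 80, 2041}
TRANSIENT = [
    {"probe": STEADY | {2042}, "readdir": STEADY, "ps": STEADY},  # worker raced
    {"probe": STEADY, "readdir": STEADY, "ps": STEADY},
    {"probe": STEADY, "readdir": STEADY, "ps": STEADY},
]
PERSISTENT = [
    {"probe": STEADY | {3100}, "readdir": STEADY, "ps": STEADY | {3100}}
    for _ in range(3)
]
```

Collecting the real views should be done with known-good static binaries, as the quoted message plans to do.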
More information about the freebsd-questions mailing list