[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-security] chkrootkit keeps complaining about hidden processes

Subject: Re: [cobalt-security] chkrootkit keeps complaining about hidden processes
From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
Date: Sat, 2 Mar 2002 13:26:09 +0100
Organization: Stauber Multimedia Design
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

Hi Jelmer,

> Once in a while I get messages from chkrootkit mentioning:
>
> You have     5 process hidden for readdir command
> You have     5 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> where the number of processes differ. When I rerun the command myself, it
> usualy finds nothing at all.

Chkrootkit compares the processes in the /proc/  directory with those shown 
by the command "ps". If both outputs don't match, then it'll give alert. 
However, the comparision takes a few moments and if a  process ends (or a new 
one is started) during the comparision, then that will cause an false alarm.

-- 

With best regards,

Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer

Follow-Ups:
- Re: [cobalt-security] chkrootkit keeps complaining about hidden processes
  - From: Jelmer Jellema

References:
- [cobalt-security] chkrootkit keeps complaining about hidden processes
  - From: Jelmer Jellema

Prev by Date: Re: [cobalt-security] Colbalt-RAQ-v4-Bugs&Vulnerabilities
Next by Date: Re: [cobalt-security] cracklib question
Previous by thread: [cobalt-security] chkrootkit keeps complaining about hidden processes
Next by thread: Re: [cobalt-security] chkrootkit keeps complaining about hidden processes

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index