-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx [mailto:cobalt-security-admin@xxxxxxxxxxxxxxx] On Behalf Of V Jordan
Sent: Friday, March 07, 2003 7:50 PM
To: Cobalt Security Mailing List
Subject: [cobalt-security] I think this may be an issue

chkroot gave this email message.

`bindshell'... not infected
Checking `lkm'... You have 2 process hidden for readdir command
You have 2 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found

how would I verify if this is true?

[root sbin]# ./chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v
###
PID 1: not in ps output   CWD 1: /   EXE 1: /sbin/init
PID 2: not in ps output   CWD 2: /   EXE 2: /
PID 3: not in ps output   CWD 3: /   EXE 3: /
PID 4: not in ps output   CWD 4: /   EXE 4: /
PID 5: not in ps output   CWD 5: /   EXE 5: /
PID 6: not in ps output   CWD 6: /   EXE 6: /
PID 7: not in ps output   CWD 7: /   EXE 7: /
PID 8: not in ps output   CWD 8: /   EXE 8: /
PID 9: not in ps output   CWD 9: /   EXE 9: /
PID 342: not in ps output   CWD 342: /   EXE 342: /sbin/syslogd
PID 351: not in ps output   CWD 351: /   EXE 351: /sbin/klogd
PID 381: not in ps output   CWD 381: /var/spool   EXE 381: /usr/sbin/crond
PID 393: not in ps output   CWD 393: /   EXE 393: /usr/sbin/inetd
PID 422: not in ps output   CWD 422: /etc/named   EXE 422: /usr/sbin/named
PID 427: not in ps output   CWD 427: /   EXE 427: /usr/sbin/sshd
PID 437: not in ps output   CWD 437: /   EXE 437: /usr/sbin/httpd.admsrv
PID 459: not in ps output   CWD 459: /   EXE 459: /usr/sbin/httpd.admsrv
PID 526: not in ps output   CWD 526: /   EXE 526: /usr/bin/postgres
PID 591: not in ps output   CWD 591: /home/chiliasp/asp-apache-3000   EXE 591: /home/chiliasp/asp-apache-3000/caspd
PID 592: not in ps output   CWD 592: /home/chiliasp/asp-apache-3000   EXE 592: /home/chiliasp/asp-apache-3000/caspd
PID 593: not in ps output   CWD 593: /home/chiliasp/asp-apache-3000   EXE 593: /home/chiliasp/asp-apache-3000/caspd
PID 595: not in ps output   CWD 595: /home/chiliasp/asp-apache-3000   EXE 595: /home/chiliasp/asp-apache-3000/caspeng
PID 634: not in ps output   CWD 634: /home/chiliasp/asp-apache-3000   EXE 634: /home/chiliasp/asp-apache-3000/caspeng
PID 635: not in ps output   CWD 635: /home/chiliasp/asp-apache-3000   EXE 635: /home/chiliasp/asp-apache-3000/caspeng
PID 637: not in ps output   CWD 637: /home/chiliasp/asp-apache-3000   EXE 637: /home/chiliasp/asp-apache-3000/caspeng
PID 639: not in ps output   CWD 639: /home/chiliasp/asp-apache-3000   EXE 639: /home/chiliasp/asp-apache-3000/caspeng
PID 643: not in ps output   CWD 643: /home/chiliasp/asp-apache-3000   EXE 643: /home/chiliasp/asp-apache-3000/caspeng
PID 646: not in ps output   CWD 646: /home/chiliasp/asp-apache-3000   EXE 646: /home/chiliasp/asp-apache-3000/caspeng
PID 648: not in ps output   CWD 648: /   EXE 648: /bin/bash
PID 672: not in ps output   CWD 672: /   EXE 672: /usr/bin/perl
PID 679: not in ps output   CWD 679: /home/mysql   EXE 679: /usr/sbin/mysqld
PID 684: not in ps output   CWD 684: /home/mysql   EXE 684: /usr/sbin/mysqld
PID 685: not in ps output   CWD 685: /home/mysql   EXE 685: /usr/sbin/mysqld
PID 700: not in ps output   CWD 700: /   EXE 700: /sbin/lcdsleep
PID 724: not in ps output   CWD 724: /   EXE 724: /usr/sbin/portsentry
PID 726: not in ps output   CWD 726: /   EXE 726: /usr/sbin/portsentry
PID 760: not in ps output   CWD 760: /   EXE 760: /sbin/getty
PID 797: not in ps output   CWD 797: /   EXE 797: /usr/sbin/httpd.admsrv
PID 802: not in ps output   CWD 802: /   EXE 802: /usr/sbin/httpd.admsrv
PID 1008: not in ps output   CWD 1008: /   EXE 1008: /usr/sbin/httpd
PID 1009: not in ps output   CWD 1009: /   EXE 1009: /usr/sbin/httpd
PID 1010: not in ps output   CWD 1010: /   EXE 1010: /usr/sbin/httpd
PID 1011: not in ps output   CWD 1011: /   EXE 1011: /usr/sbin/httpd
PID 1012: not in ps output   CWD 1012: /   EXE 1012: /usr/sbin/httpd
PID 1632: not in ps output   CWD 1632: /   EXE 1632: /usr/sbin/httpd
PID 2126: not in ps output   CWD 2126: /   EXE 2126: /usr/sbin/httpd
PID 5432: not in ps output   CWD 5432: /   EXE 5432: /usr/sbin/sshd
PID 5453: not in ps output   CWD 5453: /   EXE 5453: /usr/sbin/sshd
PID 5454: not in ps output   CWD 5454: /usr/local/sbin   EXE 5454: /bin/bash
PID 7875: not in ps output   CWD 7875: /usr/local/sbin   EXE 7875: /bin/su
PID 7876: not in ps output   CWD 7876: /usr/local/sbin   EXE 7876: /bin/bash
PID 7898: not in ps output   CWD 7898: /usr/local/sbin   EXE 7898: /bin/bash
PID 7929: not in ps output   CWD 7929: /usr/local/sbin   EXE 7929: /bin/bash
PID 7930: not in ps output   CWD 7930: /usr/local/sbin   EXE 7930: /bin/bash
PID 7931: not in ps output   CWD 7931: /proc/7931   EXE 7931: /usr/local/sbin/chkproc
PID 9845: not in ps output   CWD 9845: /home/spool/mqueue   EXE 9845: /usr/sbin/sendmail
PID 23073: not in ps output   CWD 23073: /   EXE 23073: /usr/sbin/httpd
You have 57 process hidden for ps command
[root sbin]#

V Jordan
MSL Internet Solutions
Box 154
Davidsville Pa 15928
814-471-8195
http://www.mslnetworks.net
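The comparison the chkproc warning rests on, as an added example that is not from the list post or from chkrootkit itself: it parses chkproc -v -v record lines like the ones above, applies one sanity rule (a report in which PID 1, init, is itself "not in ps output" means the ps side of the comparison was empty or truncated, so the count is not yet evidence of an LKM), and repeats the /proc-versus-ps comparison on the current host. The SAMPLE_* texts are constructed; verify_live assumes a Linux /proc and a ps that accepts -eo pid=.

```python
import os
import re
import subprocess
# One chkproc -v -v record line, e.g. "PID 342: not in ps output" or "EXE 342: /sbin/syslogd".
LINE_RE = re.compile(r"^(PID|CWD|EXE)\s+(\d+):\s*(.*)$")

def parse_chkproc(text):
    """Group chkproc -v -v lines into {pid: {"hidden": bool, "cwd": str, "exe": str}}."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner, prompt and summary lines carry no per-PID data
        kind, pid, value = m.group(1), int(m.group(2)), m.group(3)
        rec = procs.setdefault(pid, {"hidden": False, "cwd": "", "exe": ""})
        if kind == "PID":
            rec["hidden"] = value.startswith("not in")  # "not in ps output" / "not in readdir output"
        else:
            rec[kind.lower()] = value
    return procs

def triage(procs):
    """chkproc calls a PID hidden when /proc has it but ps does not. If PID 1 (init) is
    itself "hidden", the ps listing it compared against was empty or truncated (or ps
    needs checking first), so the report proves nothing about an LKM until reproduced."""
    hidden = sorted(pid for pid, rec in procs.items() if rec["hidden"])
    if 1 in hidden:
        return {"verdict": "ps-unreliable", "hidden": hidden, "exes": []}
    verdict = "review" if hidden else "clean"
    return {"verdict": verdict, "hidden": hidden, "exes": [procs[p]["exe"] for p in hidden]}

def verify_live(proc_root="/proc"):
    """Redo the /proc-versus-ps comparison on this host; returns the PIDs ps omits."""
    in_proc = {int(n) for n in os.listdir(proc_root) if n.isdigit()}
    ps = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True)
    in_ps = {int(tok) for tok in ps.stdout.split()}
    # Processes that exit between the two snapshots also land here; rerun to confirm.
    return sorted(in_proc - in_ps)

# Constructed samples in chkproc -v -v format (a few records, not the full listing above).
SAMPLE_INIT_HIDDEN = """\
PID 1: not in ps output
CWD 1: /
EXE 1: /sbin/init
PID 342: not in ps output
EXE 342: /sbin/syslogd
"""
SAMPLE_ONE_HIDDEN = "PID 9845: not in ps output\nCWD 9845: /home/spool/mqueue\nEXE 9845: /usr/sbin/sendmail\n"

if __name__ == "__main__":
    print(triage(parse_chkproc(SAMPLE_INIT_HIDDEN)), triage(parse_chkproc(SAMPLE_ONE_HIDDEN)))
```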