
Re: [cobalt-security] chkrootkit LKM Detection?



Try "chkrootkit -x lkm"; it will list the "hidden" processes ... Sometimes,
depending on CPU and disk load, chkrootkit on our racks lists even
"sendmail", "inet" and many other usual system processes as hidden ... The
"chkproc" program compares the "ps" output with the "/proc" contents, so if
a process ends before the program finishes the checking routine it can list
that process as hidden or suspicious ... Hope this helps ...

[]'s
Nino

----- Original Message -----
From: "James Zawacki" <jzawacki@xxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Sunday, October 05, 2003 12:49 PM
Subject: [cobalt-security] chkrootkit LKM Detection?


> Hello,  Just out of the blue, I've just started receiving these in my
> chkrootkit output some nights.  Other nights it doesn't show up.
>
> <snip>
> Checking `lkm'... You have     2 process hidden for readdir command
> You have     2 process hidden for ps command
> Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... eth0 is not promisc
> </snip>
>
> Now, from my research, it sounds like it's common under RedHat?  But, why
> did it just start happening, and why only on this box?  None of my other
> RaQ4s are showing this.
>
> Thanks,
> James
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
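The comparison Nino describes, and the race that makes it noisy, in code. This is an added example written for this page, not chkrootkit's chkproc itself: it re-implements the ps-versus-/proc set difference and then adds the check a practitioner wants, a second snapshot so that a PID is only reported if it stays hidden across both passes. A process that starts after `ps` ran or exits before `/proc` is read shows up in exactly one pass and drops out; a kernel module that really filters `/proc` or `ps` keeps hiding the same PID. The function names and the two sample snapshots are constructed for the example; the live mode assumes a Linux host with procps `ps`.

```python
"""Added illustration of the check chkrootkit's chkproc performs: the PIDs
that `ps` reports are compared with the numeric entries of /proc.  A PID in
/proc but not in ps is "hidden for ps"; a PID in ps but not in /proc is
"hidden for readdir".  Processes that start or exit between the two reads
land in exactly one set difference, so a second snapshot is taken and only
PIDs hidden in every snapshot are reported.  (Example code, not chkrootkit's
own; function names and sample data are this example's.)
"""
import os
import re
import subprocess


def pids_from_ps(ps_output):
    """Parse one PID per line from `ps -eo pid=` style output; non-numeric
    lines such as a PID header are ignored."""
    pids = set()
    for line in ps_output.splitlines():
        m = re.fullmatch(r"\s*(\d+)\s*", line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def pids_from_readdir(entries):
    """Keep only the purely numeric names from a /proc directory listing
    (skips self, cpuinfo, net, ...)."""
    return {int(name) for name in entries if name.isdigit()}


def hidden_candidates(ps_pids, proc_pids):
    """Return (hidden_for_ps, hidden_for_readdir): the two set differences
    a single chkproc-style pass reports."""
    return proc_pids - ps_pids, ps_pids - proc_pids


def stable_hidden(snapshots):
    """Given [(ps_pids, proc_pids), ...] taken a moment apart, return the PIDs
    hidden in every snapshot.  A process that merely started or exited
    between ps and readdir is absent from later differences and drops out."""
    diffs = [hidden_candidates(ps, proc) for ps, proc in snapshots]
    for_ps = set.intersection(*(d[0] for d in diffs))
    for_readdir = set.intersection(*(d[1] for d in diffs))
    return for_ps, for_readdir


def live_snapshot():
    """One real snapshot on a Linux host (procps ps); not used by the
    offline demo below."""
    ps = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                        text=True, check=True).stdout
    return pids_from_ps(ps), pids_from_readdir(os.listdir("/proc"))


# Constructed snapshots standing in for two passes on a loaded box:
#  - 999  is in /proc both times and never in ps: a genuinely hidden PID
#  - 4242 is in /proc only in pass 1: it started after ps ran (race)
#  - 678  is in ps only in pass 1: it exited before readdir (race)
PS_1 = "  PID\n    1\n    2\n  345\n  678\n"
PROC_1 = ["1", "2", "345", "999", "4242", "self", "cpuinfo", "net"]
PS_2 = "  PID\n    1\n    2\n  345\n"
PROC_2 = ["1", "2", "345", "999", "self", "cpuinfo", "net"]


def demo():
    """Return (single-pass result, double-sampled result) for the sample data."""
    snaps = [(pids_from_ps(PS_1), pids_from_readdir(PROC_1)),
             (pids_from_ps(PS_2), pids_from_readdir(PROC_2))]
    return hidden_candidates(*snaps[0]), stable_hidden(snaps)


if __name__ == "__main__":
    first_pass, confirmed = demo()
    print("single pass flags:", first_pass)   # ({999, 4242}, {678})
    print("confirmed hidden :", confirmed)    # ({999}, set())
    if os.path.isdir("/proc"):
        print("this host        :", stable_hidden([live_snapshot() for _ in range(2)]))
```

Two passes cut down the "sendmail is hidden" noise from a busy mail server, but they do not make the check authoritative: a PID that is reused quickly or a module that hides itself only intermittently can still slip through or trigger, so a stable hit is a reason to inspect the box (module list, `/proc/<pid>` contents, a second tool), not a verdict on its own.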