Re: [suse-security] SuSE 9.1 Pro and Chkrootkit
We have seen this question before.
Somehow ps is probably not giving the right answers to chkrootkit.
On Sunday 02 May 2004 13:15, Stefan Onken wrote:
> Checking `lkm'... You have 8 process hidden for readdir command
> You have 8 process hidden for ps command
> Warning: Possible LKM Trojan installed
Below is my message of the 10th of Feb.
> > Is this an issue or is chkroot being fooled by the newer version?
> > I'm also curious about the "Checking `lkm'... You have 5 process hidden
> > for ps command" result. What's up with that?
> I don't know what chkrootkit has with top, but the ps is broken I think.
> # ./chkrootkit -x lkm
> ROOTDIR is `/'
> ### Output of: ./chkproc -v -v
> PID 4: not in ps output
> CWD 4: /
> EXE 4: /
> PID 5: not in ps output
> CWD 5: /
> EXE 5: /
> PID 6: not in ps output
> CWD 6: /
> EXE 6: /
> PID 7: not in ps output
> CWD 7: /
> EXE 7: /
> PID 8: not in ps output
> CWD 8: /
> EXE 8: /
> You have 5 process hidden for ps command
> # ps ax
> And now ps ax (not the whole thing)
> PID TTY STAT TIME COMMAND
> 1 ? S 0:04 init 
> 2 ? SW 0:00 [keventd]
> 3 ? SW 0:00 [kapmd]
> 0 ? SWN 0:00 [ksoftirqd_CPU0]
> 0 ? SW 0:02 [kswapd]
> 0 ? SW 0:00 [bdflush]
> 0 ? SW 0:00 [kupdated]
> 0 ? SW 0:00 [kinoded]
> 9 ? SW 0:00 [mdrecoveryd]
> 17 ? SW< 0:00 [lvm-mpd]
> 25 ? SW 0:01 [kjournald]
> ps gives a pid of 0 for 5 processes.
> So that ps version has a bug.
> BB, Arjen
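
The comparison made in the message above, as an added example that is not part of the original post and is not chkrootkit's own code: it pairs each PID that chkproc reports as hidden with a PID-0 kernel-thread row sitting in the matching gap of the `ps ax` listing. The function names are hypothetical, the sample input is constructed from the output quoted above, and the pairing assumes ps lists processes in ascending PID order.

```python
import re

# Constructed sample input, taken from the output quoted in the message above.
CHKPROC_OUT = "\n".join(f"PID {p}: not in ps output" for p in range(4, 9))
PS_OUT = """\
PID TTY STAT TIME COMMAND
1 ? S 0:04 init
2 ? SW 0:00 [keventd]
3 ? SW 0:00 [kapmd]
0 ? SWN 0:00 [ksoftirqd_CPU0]
0 ? SW 0:02 [kswapd]
0 ? SW 0:00 [bdflush]
0 ? SW 0:00 [kupdated]
0 ? SW 0:00 [kinoded]
9 ? SW 0:00 [mdrecoveryd]
"""

def hidden_pids(chkproc_text):
    """PIDs that chkproc found in /proc but not in ps output."""
    return [int(m.group(1)) for m in
            re.finditer(r"^PID\s+(\d+): not in ps output", chkproc_text, re.M)]

def ps_rows(ps_text):
    """(pid, command) pairs from `ps ax` output, header line skipped."""
    rows = []
    for line in ps_text.splitlines()[1:]:
        fields = line.split(None, 4)
        if len(fields) == 5 and fields[0].isdigit():
            rows.append((int(fields[0]), fields[4].strip()))
    return rows

def triage(chkproc_text, ps_text):
    """Split hidden PIDs into those explained by PID-0 rows and the rest."""
    hidden = hidden_pids(chkproc_text)
    explained, prev = {}, 0
    for pid, cmd in ps_rows(ps_text):
        if pid == 0 and cmd.startswith("[") and prev + 1 in hidden:
            prev += 1               # PID-0 kernel thread sitting in a PID gap
            explained[prev] = cmd
        elif pid != 0:
            prev = pid              # last PID that ps printed correctly
    unexplained = [p for p in hidden if p not in explained]
    return explained, unexplained
```

An empty `unexplained` list means every chkproc warning lines up with a PID-0 row as described above; any PID left in it has no such row and is the one to examine under /proc.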