Date: Wed, 28 Nov 2007 11:45:28 +0000 (GMT)
From: Robert Watson
To: JP
Cc: freebsd-security@freebsd.org
Subject: Re: chkrootkit V. 0.47

On Tue, 20 Nov 2007, JP wrote:

> --and--
> Checking `lkm'... You have 131 process hidden for readdir command
> chkproc: Warning: Possible LKM Trojan installed

I wonder if it's trying to use procfs, which isn't mounted by default in FreeBSD, and as a result reporting that /proc is empty (which is expected). You could try mounting procfs and see if the message goes away, which would answer the question -- however, we don't generally advise mounting procfs unless it is required, as it is a deprecated feature.

Robert N M Watson
Computer Laboratory
University of Cambridge
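The diagnosis suggested above, as an added example that is not part of the original message: a POSIX shell triage helper that takes the chkrootkit warning, the output of mount and a process count, and reports whether the warning is what an unmounted procfs would produce. The function names, the 90% threshold, the sample mount lines and the premise that chkproc compares ps output with a listing of /proc are assumptions made for this example.

```shell
#!/bin/sh
# Added example: triage chkproc's "hidden for readdir" warning on FreeBSD.
# Assumption: chkproc counts PIDs that ps reports but a listing of /proc lacks.

# Print N from "You have N process hidden for readdir command" (0 if absent).
hidden_for_readdir() {
    n=$(printf '%s\n' "$1" |
        sed -n 's/.*You have \([0-9][0-9]*\) process hidden for readdir command.*/\1/p' |
        head -n 1)
    echo "${n:-0}"
}

# Succeed if the given mount(8) output shows procfs mounted on /proc.
procfs_mounted() {
    printf '%s\n' "$1" | grep -q '^procfs on /proc (procfs'
}

# triage <chkrootkit output> <mount output> <process count from ps>
triage() {
    hidden=$(hidden_for_readdir "$1")
    if [ "$hidden" -eq 0 ]; then
        echo "no-warning"
    elif ! procfs_mounted "$2" && [ "$hidden" -ge $(( $3 * 9 / 10 )) ]; then
        # /proc is an empty directory, so nearly every PID looks hidden.
        echo "expected-procfs-not-mounted"
    else
        # procfs is mounted, or the count does not match "everything hidden".
        echo "investigate"
    fi
}

# The warning quoted in the message above.
SAMPLE_WARNING="Checking \`lkm'... You have 131 process hidden for readdir command
chkproc: Warning: Possible LKM Trojan installed"

# Constructed mount output, without and with procfs.
MOUNT_NO_PROCFS="/dev/ad0s1a on / (ufs, local)
devfs on /dev (devfs, local)"
MOUNT_WITH_PROCFS="$MOUNT_NO_PROCFS
procfs on /proc (procfs, local)"

# Live use: triage "$(chkrootkit lkm 2>&1)" "$(mount)" "$(ps -ax -o pid= | wc -l)"
triage "$SAMPLE_WARNING" "$MOUNT_NO_PROCFS" 131
```

A result of `investigate` while procfs is mounted means the empty-/proc explanation no longer applies and the warning needs a closer look.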