Date: 13 May 2003 08:43:22 -0400
From: Jason Stewart <jstewart@rtl.org>
To: greg.lane@internode.on.net
Cc: freebsd-questions@freebsd.org
Subject: Re: chkrootkit: LKM trojan(?) and strange cron behaviour
Message-ID: <1052829803.4622.18.camel@mis3c>
In-Reply-To: <20030513104721.GA24990@localhost.bigpond.net.au>
References: <20030513104721.GA24990@localhost.bigpond.net.au>
On Tue, 2003-05-13 at 06:47, Greg Lane wrote:

> Nevertheless, I went further
> investigating and found an interesting message from chkrootkit
> at 3 am May 10 (2 days before):
>
> Checking `lkm'... You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> That was the only abnormal message that night and everything was
> normal before this (for at least a month) and for the next two
> nights till cron died (I run chkrootkit from cron just before
> 3am each night).
>
> I just ran chkrootkit again and it reports nothing. I am building
> static executables on another stable machine at the moment so that
> I can run chkrootkit with known executables.

<snip>

> Has anyone ever seen this message from chkrootkit before and
> determined it was a false alarm? (Note that I am running stable
> and this is not the known problems with chkrootkit and current.)

Hi Greg,

This could be a false alarm. I've had them before, and they seem to
only happen on the boxes that I have Apache running on.

I would suggest keeping your eye on the box very closely for a while
to be safe. If possible, monitor network traffic from another box for
a while.

> Would you be concerned?!?!?

I would be concerned, but not alarmed.

Jason
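The two messages quoted above ("hidden for readdir command", "hidden for ps command") come from comparing which PIDs answer kill(pid, 0) against which PIDs the /proc listing and ps show. The script below is an added illustration of that check and of why a short-lived child (an Apache fork, for instance) can trip it once and never again; it is not chkrootkit's own code, assumes a mounted Linux-style /proc, and the probe range of 32768 PIDs is an assumption.

```python
"""Illustration of the check behind chkrootkit's `lkm' test (added here,
not chkrootkit's own code): a PID that answers kill(pid, 0) but is missing
from the /proc listing (readdir) or from ps output is reported as hidden.
Assumes a Linux-style /proc; the kill probe range is an assumption."""
import os
import subprocess

def pids_via_kill(limit=32768):
    """PIDs that exist according to kill(pid, 0); EPERM still means it exists."""
    alive = set()
    for pid in range(1, limit):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive

def pids_via_readdir():
    """PIDs visible by listing /proc, the view a rootkit LKM can filter."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def pids_via_ps():
    """PIDs visible to ps(1), the view an administrator normally sees."""
    out = subprocess.run(["ps", "-axo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def hidden_pids(probe, view):
    """PIDs the kill probe found that a given view does not list."""
    return set(probe) - set(view)

def confirmed_hidden(passes):
    """Keep only PIDs flagged in every pass. A PID flagged once is usually a
    process that exited between probe and listing (a forked Apache child,
    say), which is one way the false alarm in the thread can arise."""
    flagged = [set(p) for p in passes]
    return set.intersection(*flagged) if flagged else set()

def scan(passes=2):
    """Run the comparison several times; report only persistent hits."""
    readdir_hits, ps_hits = [], []
    for _ in range(passes):
        probe = pids_via_kill()          # probe first, then list: the race window
        readdir_hits.append(hidden_pids(probe, pids_via_readdir()))
        ps_hits.append(hidden_pids(probe, pids_via_ps()))
    return {"readdir": confirmed_hidden(readdir_hits),
            "ps": confirmed_hidden(ps_hits)}
```

Running `scan()` as root on the suspect box gives the persistent set only; a PID that shows up in a single pass and vanishes is the transient case, whereas one that survives every pass deserves the closer look Jason recommends.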