Date: Thu, 15 May 2003 10:45:36 +1000
From: Greg Lane <greg.lane@internode.on.net>
To: freebsd-questions@freebsd.org
Cc: Jason Stewart <jstewart@rtl.org>
Subject: Re: chkrootkit: LKM trojan(?) and strange cron behaviour
Message-ID: <20030515004536.GA79264@localhost.bigpond.net.au>
In-Reply-To: <1052829803.4622.18.camel@mis3c>
References: <20030513104721.GA24990@localhost.bigpond.net.au> <1052829803.4622.18.camel@mis3c>
On Tue, May 13, 2003 at 08:43:22AM -0400, Jason Stewart <jstewart@rtl.org> wrote:
> <snip>
> > Checking `lkm'... You have 1 process hidden for readdir command
> > You have 1 process hidden for ps command
> > Warning: Possible LKM Trojan installed
> >
> <snip>
> > Has anyone ever seen this message from chkrootkit before and
> > determined it was a false alarm? (Note that I am running stable
> > and this is not the known problems with chkrootkit and current.)
>
> Hi Greg,
> This could be a false alarm. I've had them before, and they seem to only
> happen on the boxes that I have Apache running on.

Hi Jason,

Sorry for the delay in replying. I had to prepare a couple of lectures
over the last two days.

I am glad someone else has at least seen this before. I found virtually
nothing when I went searching the lists. I presume that this has
something to do with apache spawning processes in the middle of
chkrootkit running? I don't really know though. (My web site is hardly
very active!)

> I would suggest
> keeping your eye on the box very closely for a while to be safe. If
> possible, monitor network traffic from another box for a while.

I'm normally pretty good about monitoring things. I noticed this almost
immediately. I've noticed no unusual traffic and an external portscan
revealed nothing unusual either.

> I would be concerned, but not alarmed.

The thing that concerned me most was the fact that it happened near
when cron decided to stop working. Have you (or anyone else for that
matter) seen cron just stop like that? The process was there, but doing
nothing. Again, a search of the lists got me a few hits but nothing
obvious and nothing recent.

Cheers,

Greg
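The chkrootkit check Jason and Greg are discussing boils down to comparing two views of the process table taken at slightly different moments, which is exactly where a short-lived Apache child can produce a one-off "hidden" PID. The following is an added example, not code from the thread or from chkrootkit: it re-creates that comparison and adds the re-sampling a defender would want before treating the result as evidence. It assumes a Unix host whose `ps` accepts `-axo pid=`; the PIDs used in the test are constructed.

```python
"""Re-creation of the 'process hidden for ps command' comparison, with
re-sampling so that a process that lived only during one sampling window
(e.g. a forked web-server worker) is not reported as hidden."""
import os
import subprocess
import time


def pids_by_signal_probe(max_pid=65536):
    """PIDs the kernel acknowledges via kill(pid, 0), the probe chkrootkit's
    chkproc relies on. EPERM still means the process exists."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            found.add(pid)
    return found


def pids_by_ps():
    """PIDs as printed by the ps binary, the view a user-land rootkit filters."""
    out = subprocess.run(["ps", "-axo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_from_ps(probe, ps):
    """One-shot comparison: PIDs the kernel knows about but ps does not list.
    Race-prone, because the two snapshots are not taken atomically."""
    return probe - ps


def persistently_hidden(samples):
    """Flag only PIDs that are hidden in *every* (probe, ps) sample pair.
    A PID missing from ps in a single window is noise, not concealment."""
    hidden = None
    for probe, ps in samples:
        h = hidden_from_ps(probe, ps)
        hidden = h if hidden is None else hidden & h
    return hidden or set()


def collect_samples(n=3, pause=0.5):
    """Take n snapshot pairs from the live system, spaced `pause` seconds apart."""
    samples = []
    for _ in range(n):
        samples.append((pids_by_signal_probe(), pids_by_ps()))
        time.sleep(pause)
    return samples
```

Run `persistently_hidden(collect_samples())` as root; a PID that survives all samples while absent from `ps` warrants a look from a trusted boot medium, while an empty result on a box running Apache is the false alarm described above.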