From owner-freebsd-security@FreeBSD.ORG Wed Nov 28 12:54:52 2007
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BC73C16A418 for ; Wed, 28 Nov 2007 12:54:52 +0000 (UTC) (envelope-from cordeiro@cert.br)
Received: from woq.cert.br (woq.cert.br [200.160.7.2]) by mx1.freebsd.org (Postfix) with ESMTP id 6B66213C455 for ; Wed, 28 Nov 2007 12:54:52 +0000 (UTC) (envelope-from cordeiro@cert.br)
Received: from luinil.cert.br (luinil.cert.br [200.160.7.67]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by woq.cert.br (Postfix) with ESMTP id 51CC82246D1 for ; Wed, 28 Nov 2007 10:36:33 -0200 (BRST)
Received: from localhost.cert.br (localhost.cert.br [127.0.0.1]) by luinil.cert.br (Postfix) with ESMTP id EB5885C042 for ; Wed, 28 Nov 2007 10:36:32 -0200 (BRST)
From: Luiz Eduardo Roncato Cordeiro
Organization: Computer Emergency Response Team Brazil
To: freebsd-security@freebsd.org
Date: Wed, 28 Nov 2007 10:36:29 -0200
User-Agent: MUA
References: <200711200941.52719.johnpollock@bellsouth.net> <20071128114355.D80898@fledge.watson.org>
In-Reply-To: <20071128114355.D80898@fledge.watson.org>
X-URL: http://www.cert.br
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200711281036.31180.cordeiro@cert.br>
Subject: Re: chkrootkit V. 0.47
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
X-List-Received-Date: Wed, 28 Nov 2007 12:54:52 -0000

Hi,

On Wednesday, 28 November 2007, Robert Watson wrote:
> On Tue, 20 Nov 2007, JP wrote:
>
> > --and--
> > Checking `lkm'...
> > You have 131 process hidden for readdir command
> > chkproc: Warning: Possible LKM Trojan installed
>
> I wonder if it's trying to use procfs, which isn't mounted by default in
> FreeBSD, and as a result reporting that /proc is empty (which is expected).
> You could try mounting procfs and see if the message goes away, which would
> answer the question -- however, we don't generally advise mounting procfs
> unless it is required, as it is a deprecated feature.

In fact it's a bug in chkproc. We are working on it, to be fixed in the next chkrootkit version (0.48).

Cordeiro

> Robert N M Watson
> Computer Laboratory
> University of Cambridge
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
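As an added example, not chkrootkit's own code and not from anyone in this thread, the script below shows the comparison chkproc is making ("PIDs that ps reports but a readdir of /proc does not") and the caveat Robert's message points at: on a FreeBSD box where procfs(5) is not mounted, /proc has no PID entries, so a naive difference flags every live process as hidden. The check here treats an empty /proc as "check not applicable" and exits 2 instead of reporting a Trojan. The function names (ps_pids, proc_pids, pids_not_in, check_readdir) are this example's own, and it assumes only POSIX sh plus ps(1), ls(1), tr(1), grep(1) and wc(1).

```shell
#!/bin/sh
# Added example, not chkrootkit's own code: a chkproc-style "hidden for
# readdir" comparison that handles the case from the thread, where /proc is
# empty because procfs(5) is not mounted (the FreeBSD default).
# Function names are this example's own.

# PIDs the kernel reports through ps(1). ps does not need procfs on FreeBSD,
# so this is the reference view of live processes. One PID per line.
ps_pids() {
    ps -ax -o pid= 2>/dev/null | tr -d ' ' | grep -E '^[0-9]+$'
}

# PIDs a readdir of $1 (default /proc) yields: the numeric directory names.
# Empty when procfs is not mounted, which is the situation chkproc 0.47
# misreports as "131 process hidden for readdir command".
proc_pids() {
    ls -1 "${1:-/proc}" 2>/dev/null | grep -E '^[0-9]+$'
}

# Set difference in plain sh: print each PID in $1 that does not occur in $2.
# Both arguments are whitespace-separated PID lists; newlines from the helpers
# above are normalised to spaces so the case pattern " pid " can match.
pids_not_in() {
    ref=" $(printf '%s' "$2" | tr '\n' ' ') "
    for p in $1; do
        case "$ref" in
            *" $p "*) ;;                 # present in the reference list
            *) printf '%s\n' "$p" ;;     # missing: candidate hidden PID
        esac
    done
}

# The check itself. Exit status: 0 = consistent, 1 = PIDs seen by ps but
# absent from readdir(/proc), 2 = /proc has no PID entries (procfs not
# mounted), so the readdir check is skipped rather than reported as a Trojan.
check_readdir() {
    ps_list=$1
    proc_list=$2
    if [ -z "$(printf '%s' "$proc_list" | tr -d ' \n')" ]; then
        echo "readdir check skipped: /proc has no PID entries (procfs not mounted?)"
        return 2
    fi
    hidden=$(pids_not_in "$ps_list" "$proc_list")
    if [ -n "$hidden" ]; then
        n=$(printf '%s\n' "$hidden" | wc -l | tr -d ' ')
        echo "You have $n process(es) hidden for readdir command: $(printf '%s' "$hidden" | tr '\n' ' ')"
        return 1
    fi
    echo "readdir check ok: every ps PID is visible in /proc"
    return 0
}

# Run against the live system when executed directly. live_status holds
# 0, 1 or 2 for this host; constructed PID lists can be passed to
# check_readdir directly to exercise all three outcomes.
live_status=0
check_readdir "$(ps_pids)" "$(proc_pids /proc)" || live_status=$?
```

The comparison is run in one direction only (ps PIDs missing from /proc), which is the direction that produced the false positive in the thread; a process that appears in /proc but not in ps output would be the opposite "hidden for ps" case and is a separate check. Note that ps and the readdir are taken a moment apart, so a process that exits between the two calls can show up as a single spurious hit on a busy system; a real tool re-checks such PIDs before reporting.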