From: "Julian H. Stacey"
To: Ivan Voras
Cc: freebsd-stable@freebsd.org
Subject: Re: chkrootkit finds 94 process hidden for readdir
Date: Sun, 24 Dec 2006 02:22:39 +0100
Message-Id: <200612240122.kBO1MdIf082773@fire.jhs.private>

Ivan Voras wrote:
> Matthew Herzog wrote:
>
> > I ran chkrootkit yesterday and saw this:
> > Checking `lkm'... You have 94 process hidden for readdir command
> > chkproc: Warning: Possible LKM Trojan installed
>
> Does LKM stand for "Linux Kernel Module"? If so, no wonder the check has
> gone lala :)

No. Per /usr/ports/security/chkrootkit/work/chkrootkit-0.46a/README:
    Loadable Kernel Modules (LKM) trojan checking
Haven't tried it myself.

-- 
Julian Stacey. BSD Unix C Net Consultancy, Munich/Muenchen http://berklix.com
Mail Ascii, not HTML. Your smoke = my allergic headache.
http://berklix.org/free-software