Date: Wed, 27 Aug 2003 07:56:32 -0600
From: Sean Page <Sean.Page@epsb.ca>
To: freebsd-questions@freebsd.org
Subject: Chkrootkit anomaly
Message-ID: <DF09779544EFD511A17D0002A587F9D305AA6699@EXCHANGE07>
Since there have already been a couple of questions on this, I thought I'd see if anyone could shed some light on something I've noticed since I started running chkrootkit. It runs every 15 minutes (overkill? Nah.) in quiet mode to cut down on noise in the logs, and sporadically I get these notifications:

    You have 1 process hidden for readdir command
    You have 1 process hidden for ps command
    Warning: Possible LKM Trojan installed

These messages will appear only on the odd occasion, seemingly completely at random. False positives or very crafty rootkit? Any advice would be greatly appreciated!

Sean.

Pertinent details:

FreeBSD 4.8-RELEASE-p3

kldstat:

    Id Refs Address    Size   Name
     1    2 0xc0100000 2addcc kernel
     2    1 0xc166f000 4000   logo_saver.ko

Installed Packages:

BitchX-1.0c19_2, XFree86-libraries-4.3.0_1, amavisd-new-20021227.p2, apache+mod_ssl-1.3.27+2.8.14, arc-5.21e.8_1, aspell-0.50.3_1, apache+autoconf-2.53_1, autoconf213-2.13.000227_5, automake-1.5,1, automake14-1.4.5_9, bash-2.05b, cclient-2002,1, chkrootkit-0.41, compat3x-i386-4.4.20020925, cracklib-2.7_1, curl-7.9.8, cvsup-16.1g, db3-3.3.11,1, docbook-1.2, docbook-241, docbook-3.0, docbook-3.1, docbook-4.0, docbook-4.1, expat-1.95.6_1, ezm3-1.0, fontconfig-2.1.94_1, freetype2-2.1.4_1, gd-2.0.11, gettext-0.11.5_1, gmake-3.80, help2man-1.29, horde-2.2, httplog-2.1, imake-4.3.0, imap-uw-2002_1,1, imp-3.1_3, iso8879-1986, ispell-3.2.06_3, jade-1.2.1_1, jpeg-6b_1, kronolith-1.0_3, lha-1.14i, libiconv-1.8_2, libmcal-0.7, libmcrypt-2.5.6_1, libtool-1.3.4_4, libwmf-0.2.7, libxml2-2.5.6, linuxdoc-1.1, logcheck-1.1.1, m4-1.4_1, mhash-0.8.17, mkcatalog-1.1, mm-1.2.1, mod_php4-4.3.1, mysql-client-3.23.56, mysql-server-3.23.56, nag-1.1, nmap-3.00, openldap-2.0.25_3, p5-Archive-Tar-0.22, p5-Archive-Zip-1.05, p5-Authen-SASL-2.02, p5-Bit-Vector-6.3, p5-Compress-Zlib-1.16, p5-Convert-TNEF-0.17, p5-Convert-UUlib-0.213, p5-DBI-1.34_1, p5-Data-ShowTable-3.3, p5-Date-Calc-5.3, p5-Digest-HMAC-1.01, p5-Digest-MD5-2.22, p5-Digest-Nilsimsa-0.06, p5-Digest-SHA1-2.01, p5-File-Spec-0.82, p5-File-Tail-0.98_1, p5-HTML-Parser-3.26, p5-HTML-Tagset-3.03, p5-IO-1.20, p5-IO-stringy-2.108, p5-MIME-Base64-2.16, p5-MIME-Tools-5.411a_2, p5-Mail-SpamAssassin-2.43, p5-Mail-Tools-1.53, p5-Mysql-modules-1.2219, p5-Net-1.12,1, p5-Net-DNS-0.33_1, p5-Net-Daemon-0.36, p5-Net-Server-0.83, p5-PlRPC-0.2016, p5-PodParser-1.18, p5-Storable-2.06, p5-Test-Harness-2.26, p5-Test-Simple-0.47_1, p5-Time-HiRes-1.38,1, p5-TimeDate-1.1301, p5-URI-1.23, p5-Unix-Syslog-0.100, pear-Crypt_CBC-0.3, pear-Date-1.3, pear-Log-1.5, pear-install-4.3.0, perl-5.8.0_4, pine-4.56, pkgconfig-0.15.0, pkgdb.db, png-1.2.5_2, poppassd-4.0_2, portupgrade-20030427, procmail-3.22_2, python-2.2.2_2, qpopper-4.0.5_1, razor-agents-2.21_1, ruby-1.6.8.2003.04.19, ruby-bdb1-0.2.1, ruby-rdoc-0.0.0.b2, ruby-shim-ruby18-1.8.0.p2.2003.04.19_1, screen-3.9.15_1, sed_inplace-2002.10.19, sgmlformat-1.7_2, swatch-3.0.4, turba-1.1_3, unarj-2.43_1, unrar-.11,1, unzip-5.50, wget-1.8.2_3, wide-dhcp-1.4.0.6, wv-0.7.4, xlhtml-0.5.1, zoo-2.10.1

Sean Page
Network Analyst, Internet Services
Information Technology Services
Edmonton Public Schools
Phone: (780) 429-8206
http://its.epsb.ca
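The "process hidden for ... command" messages come from chkrootkit comparing process ids obtained by more than one enumeration method and flagging any pid that one method misses. The script below is an added example, not part of the original post and not chkrootkit's own code; it reproduces that kind of cross-check on constructed data and shows the check a defender would add before treating a single hit as a rootkit: a process that starts or exits between two enumerations is missing from exactly one snapshot, while a genuinely concealed process is missing from every snapshot. Which two sources chkrootkit's chkproc actually pairs for each message is an assumption here (the example uses a readdir-style listing of /proc and the output of ps); the `live_sample` function assumes a mounted /proc and a `ps` that accepts `-axo pid=`, and is only invoked when run directly.

```python
#!/usr/bin/env python3
"""Added example (not from the original post or from chkrootkit).

Cross-check process ids seen by two enumeration methods, sample repeatedly,
and report only pids that are hidden in every sample. A single comparison
races against short-lived processes (a cron child, a pipeline stage) and
produces sporadic one-off hits; sampling removes that class of false positive.
"""
import os
import subprocess
import time


def compare_once(readdir_pids, ps_pids):
    """Return (hidden_from_ps, hidden_from_readdir) for one pair of snapshots.

    hidden_from_ps:      pids the directory listing shows but ps does not
    hidden_from_readdir: pids ps shows but the directory listing does not
    """
    readdir_pids = set(readdir_pids)
    ps_pids = set(ps_pids)
    return readdir_pids - ps_pids, ps_pids - readdir_pids


def persistent_hidden(samples):
    """samples: list of (readdir_pids, ps_pids) tuples taken over time.

    Returns the pids that are absent from ps in *every* sample. A pid that is
    hidden in one sample only is a process that started or exited between the
    two enumerations, not a concealed one.
    """
    hidden = None
    for readdir_pids, ps_pids in samples:
        hidden_from_ps, _ = compare_once(readdir_pids, ps_pids)
        hidden = hidden_from_ps if hidden is None else hidden & hidden_from_ps
    return hidden if hidden else set()


def live_sample():
    """Take one live sample. Assumes /proc is mounted and ps accepts -axo pid=."""
    readdir_pids = {int(name) for name in os.listdir("/proc") if name.isdigit()}
    out = subprocess.run(["ps", "-axo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    ps_pids = {int(tok) for tok in out.split()}
    return readdir_pids, ps_pids


# Constructed samples (not captured from any real host).
# Transient case: pid 4242 exited between the two enumerations in sample 0 only.
TRANSIENT_SAMPLES = [
    ({1, 42, 100, 777, 4242}, {1, 42, 100, 777}),
    ({1, 42, 100, 777}, {1, 42, 100, 777}),
    ({1, 42, 100, 777, 5001}, {1, 42, 100, 777, 5001}),
]

# Persistent case: pid 777 is visible to the directory listing but never to ps.
PERSISTENT_SAMPLES = [
    ({1, 42, 777}, {1, 42}),
    ({1, 42, 777, 900}, {1, 42, 900}),
    ({1, 42, 777}, {1, 42}),
]


def classify(samples):
    """Summarise a run: 'transient' if any single sample had a hit that did
    not persist, 'persistent' if some pid was hidden throughout, else 'clean'."""
    persistent = persistent_hidden(samples)
    if persistent:
        return "persistent"
    if any(compare_once(r, p)[0] for r, p in samples):
        return "transient"
    return "clean"


if __name__ == "__main__":
    for label, samples in (("constructed transient", TRANSIENT_SAMPLES),
                           ("constructed persistent", PERSISTENT_SAMPLES)):
        print(label, "->", classify(samples), persistent_hidden(samples))
    if os.path.isdir("/proc"):
        live = [live_sample() for _ in range(3) if not time.sleep(0.5)]
        print("live ->", classify(live), persistent_hidden(live))
```

On the constructed data the transient run reports nothing persistent (pid 4242 is flagged in one sample only) while the persistent run reports pid 777 every time. The same idea applies to the original 15-minute cron job: a hit that never repeats across consecutive samples is the kind of thing to log and review, whereas a pid that stays hidden across samples is worth investigating from a known-good boot medium rather than from the running system.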