From owner-freebsd-questions@FreeBSD.ORG Wed Aug 27 07:01:30 2003
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 48B7416A4BF for ; Wed, 27 Aug 2003 07:01:30 -0700 (PDT)
Received: from epsb.ca (relay.epsb.ca [198.161.119.27]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8F39143FF5 for ; Wed, 27 Aug 2003 07:01:29 -0700 (PDT) (envelope-from Sean.Page@epsb.ca)
Received: from exchange05.epsb.edmonton.ab.ca (exchange05.epsb.ca [10.0.5.14]) by epsb.ca (8.11.3/8.11.3) with ESMTP id h7RE1TV05677 for ; Wed, 27 Aug 2003 08:01:29 -0600 (MDT) (envelope-from Sean.Page@epsb.ca)
Received: by exchange05.epsb.ca with Internet Mail Service (5.5.2653.19) id ; Wed, 27 Aug 2003 08:00:39 -0600
Message-ID:
From: Sean Page
To: freebsd-questions@freebsd.org
Date: Wed, 27 Aug 2003 07:56:32 -0600
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain
Subject: Chkrootkit anomaly
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 27 Aug 2003 14:01:30 -0000

Since there have already been a couple of questions on this, I thought I'd see if anyone could shed some light on something I've noticed since I started running chkrootkit.

It runs every 15 minutes (overkill? Nah.) in quiet mode to cut down on noise in the logs, and sporadically I get these notifications:

    You have 1 process hidden for readdir command
    You have 1 process hidden for ps command
    Warning: Possible LKM Trojan installed

These messages will appear only on the odd occasion, seemingly completely at random. False positives or very crafty rootkit?

Any advice would be greatly appreciated!

Sean.
Pertinent details:

FreeBSD 4.8-RELEASE-p3

kldstat:
Id Refs Address    Size   Name
 1    2 0xc0100000 2addcc kernel
 2    1 0xc166f000 4000   logo_saver.ko

Installed Packages:
BitchX-1.0c19_2, XFree86-libraries-4.3.0_1, amavisd-new-20021227.p2, apache+mod_ssl-1.3.27+2.8.14,
arc-5.21e.8_1, aspell-0.50.3_1, apache+autoconf-2.53_1, autoconf213-2.13.000227_5, automake-1.5,1,
automake14-1.4.5_9, bash-2.05b, cclient-2002,1, chkrootkit-0.41, compat3x-i386-4.4.20020925,
cracklib-2.7_1, curl-7.9.8, cvsup-16.1g, db3-3.3.11,1, docbook-1.2, docbook-241, docbook-3.0,
docbook-3.1, docbook-4.0, docbook-4.1, expat-1.95.6_1, ezm3-1.0, fontconfig-2.1.94_1,
freetype2-2.1.4_1, gd-2.0.11, gettext-0.11.5_1, gmake-3.80, help2man-1.29, horde-2.2, httplog-2.1,
imake-4.3.0, imap-uw-2002_1,1, imp-3.1_3, iso8879-1986, ispell-3.2.06_3, jade-1.2.1_1, jpeg-6b_1,
kronolith-1.0_3, lha-1.14i, libiconv-1.8_2, libmcal-0.7, libmcrypt-2.5.6_1, libtool-1.3.4_4,
libwmf-0.2.7, libxml2-2.5.6, linuxdoc-1.1, logcheck-1.1.1, m4-1.4_1, mhash-0.8.17, mkcatalog-1.1,
mm-1.2.1, mod_php4-4.3.1, mysql-client-3.23.56, mysql-server-3.23.56, nag-1.1, nmap-3.00,
openldap-2.0.25_3, p5-Archive-Tar-0.22, p5-Archive-Zip-1.05, p5-Authen-SASL-2.02, p5-Bit-Vector-6.3,
p5-Compress-Zlib-1.16, p5-Convert-TNEF-0.17, p5-Convert-UUlib-0.213, p5-DBI-1.34_1,
p5-Data-ShowTable-3.3, p5-Date-Calc-5.3, p5-Digest-HMAC-1.01, p5-Digest-MD5-2.22,
p5-Digest-Nilsimsa-0.06, p5-Digest-SHA1-2.01, p5-File-Spec-0.82, p5-File-Tail-0.98_1,
p5-HTML-Parser-3.26, p5-HTML-Tagset-3.03, p5-IO-1.20, p5-IO-stringy-2.108, p5-MIME-Base64-2.16,
p5-MIME-Tools-5.411a_2, p5-Mail-SpamAssassin-2.43, p5-Mail-Tools-1.53, p5-Mysql-modules-1.2219,
p5-Net-1.12,1, p5-Net-DNS-0.33_1, p5-Net-Daemon-0.36, p5-Net-Server-0.83, p5-PlRPC-0.2016,
p5-PodParser-1.18, p5-Storable-2.06, p5-Test-Harness-2.26, p5-Test-Simple-0.47_1,
p5-Time-HiRes-1.38,1, p5-TimeDate-1.1301, p5-URI-1.23, p5-Unix-Syslog-0.100, pear-Crypt_CBC-0.3,
pear-Date-1.3, pear-Log-1.5, pear-install-4.3.0, perl-5.8.0_4, pine-4.56, pkgconfig-0.15.0,
pkgdb.db, png-1.2.5_2, poppassd-4.0_2, portupgrade-20030427, procmail-3.22_2, python-2.2.2_2,
qpopper-4.0.5_1, razor-agents-2.21_1, ruby-1.6.8.2003.04.19, ruby-bdb1-0.2.1, ruby-rdoc-0.0.0.b2,
ruby-shim-ruby18-1.8.0.p2.2003.04.19_1, screen-3.9.15_1, sed_inplace-2002.10.19, sgmlformat-1.7_2,
swatch-3.0.4, turba-1.1_3, unarj-2.43_1, unrar-.11,1, unzip-5.50, wget-1.8.2_3, wide-dhcp-1.4.0.6,
wv-0.7.4, xlhtml-0.5.1, zoo-2.10.1

Sean Page
Network Analyst, Internet Services
Information Technology Services
Edmonton Public Schools
Phone: (780) 429-8206
http://its.epsb.ca
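The three warning lines quoted in the post come from chkrootkit's chkproc test, which treats a PID that the kernel says exists (an existence probe such as kill(pid, 0) succeeds or fails with EPERM) but that is missing from a /proc directory listing or from ps output as "hidden". Because the probe and the two listings are taken one after the other, a process that starts or exits in between is hidden in exactly one round and gone in the next, whereas a PID concealed by a kernel-level rootkit is hidden the same way every time. The following is an added example, not part of the post and not chkrootkit's code: a Python model of that cross-check plus a repeat-sampling filter that reports only PIDs hidden in every round. The Snapshot data in it is constructed; the function names, the MAX_PID value and the live_snapshot() helper (which needs ps(1) and a mounted /proc) are this example's own assumptions.

```python
"""Chkproc-style hidden-process cross-check with a transient-process filter.

Added example, not chkrootkit's code. The Snapshot rounds built below are
constructed to reproduce the post's output; live_snapshot() is an assumed
helper that takes a real reading on a host with ps(1) and a mounted /proc.
"""
import os
import subprocess

MAX_PID = 99999  # assumption: upper bound of the PID range to probe


class Snapshot:
    """PIDs seen by three independent enumeration methods at roughly one instant."""

    def __init__(self, probe, readdir, ps):
        self.probe = set(probe)      # answered a kill(pid, 0)-style existence probe
        self.readdir = set(readdir)  # present as a /proc directory entry
        self.ps = set(ps)            # listed by the ps command


def hidden_pids(snap):
    """Core test: a PID the kernel knows about but a listing omits is hidden
    from that listing."""
    return {
        "readdir": snap.probe - snap.readdir,
        "ps": snap.probe - snap.ps,
    }


def chkproc_lines(snap):
    """Render one snapshot in the wording chkrootkit prints for this test."""
    lines = []
    for method, pids in hidden_pids(snap).items():
        if pids:
            lines.append(f"You have {len(pids)} process hidden for {method} command")
    if lines:
        lines.append("Warning: Possible LKM Trojan installed")
    return lines


def persistent_hidden(snapshots):
    """Keep only PIDs hidden from the same listing in every round.

    A process that exits between the probe and a listing is hidden once and
    then absent everywhere, so it drops out of the intersection; a PID that a
    rootkit conceals is hidden identically in every round and survives it.
    """
    per_round = [hidden_pids(s) for s in snapshots]
    result = {}
    for method in ("readdir", "ps"):
        sets = [r[method] for r in per_round]
        result[method] = set.intersection(*sets) if sets else set()
    return result


def live_snapshot(max_pid=MAX_PID):
    """Take a real reading on the running host (assumed helper, not run here)."""
    probe = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)          # signal 0: existence check only
            probe.add(pid)
        except PermissionError:      # EPERM: exists but belongs to another user
            probe.add(pid)
        except ProcessLookupError:   # ESRCH: no such process
            pass
    readdir = set()
    if os.path.isdir("/proc"):
        readdir = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    out = subprocess.run(["ps", "-ax", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    ps = {int(tok) for tok in out.split()}
    return Snapshot(probe, readdir, ps)


# Constructed rounds (not real readings).
BASE = set(range(1, 41))            # forty long-lived processes
# Round 1: PID 4242 (say, a short-lived cron child) is alive for the probe and
# the /proc listing but has exited by the time ps runs.
ROUND1 = Snapshot(BASE | {4242}, BASE | {4242}, BASE)
# Round 2, a moment later: 4242 is gone from every source.
ROUND2 = Snapshot(BASE, BASE, BASE)
# A genuinely concealed PID: the kernel admits it, neither listing shows it,
# and that is true in every round.
HIDDEN = Snapshot(BASE | {666}, BASE, BASE)


if __name__ == "__main__":
    print("\n".join(chkproc_lines(ROUND1)))   # the single-round alarm
    print(persistent_hidden([ROUND1, ROUND2]))  # transient: nothing persists
    print(persistent_hidden([HIDDEN, HIDDEN]))  # concealed PID survives
```

Run against the constructed rounds, ROUND1 alone yields "You have 1 process hidden for ps command" followed by the LKM warning, exactly the shape of alarm in the post, while the two-round intersection is empty; the HIDDEN rounds keep PID 666 in both sets. Using live_snapshot() in a loop with a short sleep between rounds applies the same filter to a real host; it does not replace chkrootkit, it only tells a one-off discrepancy apart from one that repeats.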