From: "Lewis Watson"
Date: Wed, 27 Aug 2003 09:40:34 -0500
Subject: Re: Chkrootkit anomaly

> Since there have already been a couple of questions on this I thought I'd
> see if anyone could shed some light on something I've noticed since I
> started running chkrootkit. It runs every 15 minutes (overkill? Nah.) in
> quiet mode to cut down on noise in the logs, and sporadically I get these
> notifications:
>
> You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> These messages will appear only on the odd occasion, seemingly completely at
> random.
> False positives or very crafty rootkit?
> Any advice would be greatly appreciated!

Hi Sean,

I too have occasionally seen these, I am running 4.7-RELEASE.
Also, thanks for mentioning -q, I never knew there was such a thing :-)

Lewis