Date:      Wed, 27 Aug 2003 11:12:52 -0400
From:      "Dave [Hawk-Systems]" <dave@hawk-systems.com>
To:        "Sean Page" <Sean.Page@epsb.ca>, <freebsd-questions@freebsd.org>
Subject:   RE: Chkrootkit anomaly
Message-ID:  <DBEIKNMKGOBGNDHAAKGNGECLDOAC.dave@hawk-systems.com>
In-Reply-To: <DF09779544EFD511A17D0002A587F9D305AA6699@EXCHANGE07>

>Since there have already been a couple of questions on this I thought I'd
>see if anyone could shed some light on something I've noticed since I
>started running chkrootkit. It runs every 15 minutes (overkill? Nah.) in
>quiet mode to cut down on noise in the logs, and sporadically I get these
>notifications:
>
>You have     1 process hidden for readdir command
>You have     1 process hidden for ps command
>Warning: Possible LKM Trojan installed
>
>These messages will appear only on the odd occasion, seemingly completely at
>random.
>False positives or very crafty rootkit?
>Any advice would be greatly appreciated!

http://www.chkrootkit.org/

FAQ item #6 is what you are interested in, although it isn't clear.

The problem is that processes are ending before it can check them, so they are
incorrectly tagged as hidden and result in a false positive.  There are better
resources regarding this (researched it a few months ago) but that is roughly
the gist of it.

Dave
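Dave's reply above describes a race between two views of the process table: a process that exits between the directory scan and the ps scan shows up in one view and not the other. The script below is an added illustration written for this page, not chkrootkit's own code. It models that comparison on constructed PID snapshots and adds the check a practitioner wants before acting on the warning: take a second look, and treat a PID that has vanished from both views as a transient, while a PID that is still listed by the directory scan and still missing from ps is kept as a genuine hit. The optional live_snapshot helper assumes a mounted procfs under /proc and a ps that accepts "-axo pid="; the sample snapshots are constructed, not captured from a real host.

```python
"""Two-view process comparison with a re-check for short-lived processes.

Added example for this thread; it is not chkrootkit's chkproc and makes no
claim about chkproc's internals beyond the readdir-vs-ps comparison that the
quoted warnings imply.
"""
import os
import subprocess
import sys
import time


def hidden_from(seen_by, missed_by):
    """PIDs present in one view of the process table but absent from another.

    hidden_from(readdir, ps) is the 'hidden for ps command' set,
    hidden_from(ps, readdir) is the 'hidden for readdir command' set.
    """
    return set(seen_by) - set(missed_by)


def confirm_hidden(candidates, later_seen_by, later_missed_by):
    """Re-examine candidate PIDs against a later pair of views.

    Still in the view that originally saw it and still absent from the view
    that missed it: confirmed. Gone from both: it simply exited between the
    two scans (the false positive from the thread). Now visible to both:
    it was a partially constructed or exiting entry, also not hidden.
    """
    confirmed, transient = set(), set()
    for pid in candidates:
        seen = pid in later_seen_by
        missing = pid not in later_missed_by
        if seen and missing:
            confirmed.add(pid)
        elif not seen and missing:
            transient.add(pid)
    return confirmed, transient


def classify(first, second):
    """first, second: (readdir_pids, ps_pids) snapshots taken some time apart."""
    rd1, ps1 = first
    rd2, ps2 = second
    ps_conf, ps_trans = confirm_hidden(hidden_from(rd1, ps1), rd2, ps2)
    rd_conf, rd_trans = confirm_hidden(hidden_from(ps1, rd1), ps2, rd2)
    return {
        "hidden_for_ps": ps_conf,
        "hidden_for_readdir": rd_conf,
        "transient": ps_trans | rd_trans,
    }


def live_snapshot():
    """Read /proc and ps back to back. Assumes procfs is mounted (it is not
    by default on FreeBSD) and that ps understands 'ps -axo pid='."""
    readdir_pids = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    out = subprocess.run(["ps", "-axo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    ps_pids = {int(tok) for tok in out.split()}
    return readdir_pids, ps_pids


# Constructed snapshots (not from a real host). PID 4242 exits between the
# directory scan and ps; 5150 is a just-forked child ps caught first; 31337
# stays in the directory listing and never appears in ps.
FIRST = ({1, 100, 4242, 31337}, {1, 100, 5150})
SECOND = ({1, 100, 31337}, {1, 100})


if __name__ == "__main__":
    if "--live" in sys.argv and os.path.isdir("/proc"):
        a = live_snapshot()
        time.sleep(2)  # let short-lived processes finish before the re-check
        b = live_snapshot()
    else:
        a, b = FIRST, SECOND
    for name, pids in classify(a, b).items():
        print(f"{name}: {sorted(pids)}")
```

Run without arguments to see the constructed case: 4242 and 5150 are reported as transient and only 31337 survives as hidden for ps. With --live on a host that has procfs mounted, the two-second gap between snapshots is what removes the cron-style noise from a 15-minute schedule; a PID that is confirmed on the second look is the one worth investigating with a tool that does not rely on ps at all.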




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?DBEIKNMKGOBGNDHAAKGNGECLDOAC.dave>