From: Sean Page <Sean.Page@epsb.ca>
To: "'Dave [Hawk-Systems]'" <dave@hawk-systems.com>, freebsd-questions@freebsd.org
Date: Wed, 27 Aug 2003 09:20:09 -0600
Subject: RE: Chkrootkit anomaly

Hey, that's exactly what I was looking for. Thanks Dave.

Sean.

-----Original Message-----
From: Dave [Hawk-Systems] [mailto:dave@hawk-systems.com]
Sent: August 27, 2003 9:13 AM
To: Sean Page; freebsd-questions@freebsd.org
Subject: RE: Chkrootkit anomaly

>Since there have already been a couple of questions on this I thought
>I'd see if anyone could shed some light on something I've noticed since
>I started running chkrootkit. It runs every 15 minutes (overkill? Nah.)
>in quiet mode to cut down on noise in the logs, and sporadically I get
>these notifications:
>
>You have 1 process hidden for readdir command
>You have 1 process hidden for ps command
>Warning: Possible LKM Trojan installed
>
>These messages will appear only on the odd occasion, seemingly
>completely at random. False positives or very crafty rootkit?
>Any advice would be greatly appreciated!

http://www.chkrootkit.org/ FAQ item #6 is what you are interested in, although it isn't clear.

The problem is that processes are ending before it can check them, thus they are incorrectly tagged as hidden and result in a false positive. There are better resources regarding this (researched it a few months ago) but that is roughly the gist of it.

Dave
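The race Dave describes, as an added example that is not from the thread or from chkrootkit itself: a single readdir-versus-ps difference flags any process that exits between the two snapshots, while a confirming second pass keeps only PIDs that ps never shows. It assumes a mounted procfs with one numeric directory per process and the ps flags shown; every PID in constructed_snapshots is made up.

```python
import os
import subprocess
import sys

def readdir_pids(proc="/proc"):
    """PIDs seen by listing procfs (the 'readdir' view); assumes procfs is mounted."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def ps_pids():
    """PIDs reported by ps(1) (the 'ps' view); FreeBSD and Linux spell 'all' differently."""
    argv = ["ps", "-ax", "-o", "pid="] if sys.platform.startswith("freebsd") else ["ps", "-e", "-o", "pid="]
    out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def naive_hidden(readdir_view, ps_view):
    """Single-pass difference behind the warning Sean quotes: a PID present in
    readdir but absent from ps is 'hidden'. A process that exits in the gap
    between the two snapshots lands here too, which is Dave's false positive."""
    return readdir_view - ps_view

def confirmed_hidden(snapshots, passes=2):
    """snapshots() returns a fresh (readdir_view, ps_view) pair on each call.
    Only PIDs flagged in every pass survive: a process that merely exited
    between snapshots is gone from later readdir views and drops out, while
    a PID that ps never shows stays flagged."""
    suspects = None
    for _ in range(passes):
        hidden = naive_hidden(*snapshots())
        suspects = hidden if suspects is None else suspects & hidden
        if not suspects:
            break
    return suspects

def live_snapshots():
    """Real snapshots from this host; use as confirmed_hidden(live_snapshots)."""
    return readdir_pids(), ps_pids()

def constructed_snapshots():
    """Constructed scenario, not data from the thread: PID 4242 exits between
    the readdir and ps snapshots of pass 1; PID 1337 is missing from ps in
    every pass, the pattern an actual process hider would leave."""
    base = {1, 2, 100}
    frames = iter([
        (base | {4242, 1337}, base),  # pass 1: 4242 already gone when ps ran
        (base | {1337}, base),        # pass 2: 4242 gone everywhere, 1337 still hidden
    ])
    return lambda: next(frames)
```

Running confirmed_hidden(live_snapshots) on a quiet host should return an empty set; a PID that survives both passes is worth a look, a PID that appears only in the first is Dave's race.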