LKM Trojan?
Kris Kennaway
kris at obsecurity.org
Sun Feb 18 19:35:55 UTC 2007
On Sun, Feb 18, 2007 at 11:04:18PM +0900, FreeBSD MailingLists wrote:
> When I run chkrootkit I get the following lines.
>
> >Checking `lkm'... You have 107 process hidden for readdir command
> >chkproc: Warning: Possible LKM Trojan installed
>
> rkhunter doesn't seem to find anything.
> I suspect that my machine might be compromised.
> Running "ls" in the /proc directory returns an empty list.
> I have recompiled the kernel and world but the problem persists.
> Any suggestions on how to fix this without having to reinstall from scratch?
When using any tool you need to understand the limitations of that
tool. One of the major limitations of this kind of pattern
recognition "security" tool is that they just aren't very accurate,
and have lots of false positives. So you may have an "LKM trojan"
(even though FreeBSD doesn't use "LKM"s, it uses "KLD"s ;), or (more
likely) you might have just encountered a poorly specified search
pattern in the tool.
Kris
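The "hidden for readdir" figure comes from a heuristic that compares the processes the system reports against the entries present under /proc; if no procfs is mounted at /proc (which is what an empty "ls /proc" suggests, and FreeBSD does not mount one by default), every process looks "hidden" and the count equals the process count. The script below is an added example written for this thread, not code from chkrootkit or from the posters: it reimplements that comparison as a POSIX sh script but first checks whether a procfs is mounted, so an unmounted /proc is reported as such rather than as a rootkit finding. The function names and the "--live" switch are this example's own choices.

```sh
#!/bin/sh
# Added example (not from the thread): the "hidden for readdir" heuristic,
# with an explicit procfs-mounted check so an unmounted /proc is reported
# as a tooling condition instead of as hidden processes.

# Is a procfs mounted at the given path? Both FreeBSD ("procfs on /proc
# (procfs, local)") and Linux ("proc on /proc type proc (...)") print a
# line containing " on /proc " in the mount table.
procfs_mounted() {
    mount 2>/dev/null | grep -q " on $1 "
}

# Given a whitespace-separated list of PIDs reported by ps and a list of
# numeric entries found under procfs, print the PIDs present in the first
# list but missing from the second: what chkproc calls "hidden for readdir".
hidden_pids() {
    ps_list=$1
    proc_list=$2
    for pid in $ps_list; do
        case " $proc_list " in
            *" $pid "*) ;;                  # also visible in procfs
            *) printf '%s\n' "$pid" ;;     # ps-only: report it
        esac
    done
}

# Turn the raw count into a verdict. A non-zero hidden count only means
# something when a procfs is actually mounted; otherwise every process is
# "missing" from /proc and the count is just the number of processes.
classify() {
    mounted=$1      # yes or no
    hidden=$2       # number of ps-only PIDs
    if [ "$mounted" = no ]; then
        echo "procfs not mounted: readdir comparison is meaningless (likely false positive)"
    elif [ "$hidden" -gt 0 ]; then
        echo "$hidden process(es) visible to ps but absent from procfs: investigate"
    else
        echo "ps and procfs agree"
    fi
}

# Run the comparison against the live system. "ps -axo pid=" works on both
# FreeBSD and Linux; the ls/grep pair keeps only numeric /proc entries.
check_system() {
    if procfs_mounted /proc; then mounted=yes; else mounted=no; fi
    ps_pids=$(ps -axo pid= | tr -s ' \n' ' ')
    proc_pids=$(ls /proc 2>/dev/null | grep '^[0-9][0-9]*$' | tr '\n' ' ')
    hidden=$(hidden_pids "$ps_pids" "$proc_pids" | wc -l | tr -d ' ')
    classify "$mounted" "$hidden"
}

# Only touch the running system when explicitly asked.
if [ "${1-}" = "--live" ]; then
    check_system
fi
```

Run it as "sh check_proc.sh --live". When it reports that procfs is not mounted, the chkrootkit count is simply the number of running processes; mounting procfs on FreeBSD ("mount -t procfs proc /proc") and rerunning the tool separates that condition from a genuine discrepancy, which is the case worth investigating further.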