chkrootkit finds 94 process hidden for readdir
Kris Kennaway
kris at obsecurity.org
Tue Dec 26 19:44:52 PST 2006
On Sat, Dec 23, 2006 at 03:57:35PM -0500, Matthew Herzog wrote:
> Hello.
>
> I run FreeBSD 6.1-RELEASE-p7 on an UltraSparc 5 machine.
>
> I ran chkrootkit yesterday and saw this:
>
> Checking `lkm'... You have 94 process hidden for readdir command
> chkproc: Warning: Possible LKM Trojan installed
>
> Everything else was deemed clean by chkrootkit.
>
> When I booted into single user mode and ran chkrootkit it said there were
> "33 process hidden for readdir command"
>
> The sha256 checksum is slightly different for the /usr/bin/su binary on the
> install media compared to the /usr/bin/su on the running install.
>
> I could find nothing definitive on this subject posted online so . . . .
Most likely this is just another false positive with this inherently
unreliable problem.
Kris
More information about the freebsd-stable mailing list