Chkrootkit anomaly

Sean Page Sean.Page at epsb.ca
Wed Aug 27 07:01:30 PDT 2003


Since there have already been a couple of questions on this I thought I'd
see if anyone could shed some light on something I've noticed since I
started running chkrootkit. It runs every 15 minutes (overkill? Nah.) in
quiet mode to cut down on noise in the logs, and sporadically I get these
notifications:

You have     1 process hidden for readdir command
You have     1 process hidden for ps command
Warning: Possible LKM Trojan installed

These messages will appear only on the odd occasion, seemingly completely at
random.
False positives or very crafty rootkit? 
Any advice would be greatly appreciated!

Sean.

Pertinent details:
FreeBSD 4.8-RELEASE-p3

kldstat
Id Refs Address    Size     Name
 1    2 0xc0100000 2addcc   kernel
 2    1 0xc166f000 4000     logo_saver.ko

Installed Packages:
BitchX-1.0c19_2, XFree86-libraries-4.3.0_1,
amavisd-new-20021227.p2,apache+mod_ssl-1.3.27+2.8.14, arc-5.21e.8_1,
aspell-0.50.3_1,apache+autoconf-2.53_1,autoconf213-2.13.000227_5,
automake-1.5,1, automake14-1.4.5_9, bash-2.05b,cclient-2002,1,
chkrootkit-0.41, compat3x-i386-4.4.20020925, cracklib-2.7_1,curl-7.9.8,
cvsup-16.1g, db3-3.3.11,1, docbook-1.2, docbook-241,
docbook-3.0,docbook-3.1, docbook-4.0, docbook-4.1, expat-1.95.6_1,
ezm3-1.0,fontconfig-2.1.94_1, freetype2-2.1.4_1, gd-2.0.11,
gettext-0.11.5_1, gmake-3.80, help2man-1.29, horde-2.2, httplog-2.1,
imake-4.3.0, imap-uw-2002_1,1, imp-3.1_3, iso8879-1986, ispell-3.2.06_3,
jade-1.2.1_1, jpeg-6b_1, kronolith-1.0_3, lha-1.14i, libiconv-1.8_2,
libmcal-0.7, libmcrypt-2.5.6_1, libtool-1.3.4_4, libwmf-0.2.7,
libxml2-2.5.6, linuxdoc-1.1, logcheck-1.1.1, m4-1.4_1, mhash-0.8.17,
mkcatalog-1.1, mm-1.2.1, mod_php4-4.3.1, mysql-client-3.23.56,
mysql-server-3.23.56, nag-1.1, nmap-3.00, openldap-2.0.25_3,
p5-Archive-Tar-0.22, p5-Archive-Zip-1.05, p5-Authen-SASL-2.02,
p5-Bit-Vector-6.3, p5-Compress-Zlib-1.16, p5-Convert-TNEF-0.17,
p5-Convert-UUlib-0.213, p5-DBI-1.34_1, p5-Data-ShowTable-3.3,
p5-Date-Calc-5.3, p5-Digest-HMAC-1.01, p5-Digest-MD5-2.22,
p5-Digest-Nilsimsa-0.06, p5-Digest-SHA1-2.01, p5-File-Spec-0.82,
p5-File-Tail-0.98_1, p5-HTML-Parser-3.26, p5-HTML-Tagset-3.03, p5-IO-1.20,
p5-IO-stringy-2.108, p5-MIME-Base64-2.16, p5-MIME-Tools-5.411a_2,
p5-Mail-SpamAssassin-2.43, p5-Mail-Tools-1.53, p5-Mysql-modules-1.2219,
p5-Net-1.12,1, p5-Net-DNS-0.33_1, p5-Net-Daemon-0.36, p5-Net-Server-0.83,
p5-PlRPC-0.2016, p5-PodParser-1.18, p5-Storable-2.06, p5-Test-Harness-2.26,
p5-Test-Simple-0.47_1, p5-Time-HiRes-1.38,1, p5-TimeDate-1.1301,
p5-URI-1.23, p5-Unix-Syslog-0.100, pear-Crypt_CBC-0.3, pear-Date-1.3,
pear-Log-1.5, pear-install-4.3.0, perl-5.8.0_4, pine-4.56, pkgconfig-0.15.0,
pkgdb.db, png-1.2.5_2, poppassd-4.0_2, portupgrade-20030427,
procmail-3.22_2, python-2.2.2_2, qpopper-4.0.5_1, razor-agents-2.21_1,
ruby-1.6.8.2003.04.19, ruby-bdb1-0.2.1, ruby-rdoc-0.0.0.b2,
ruby-shim-ruby18-1.8.0.p2.2003.04.19_1, screen-3.9.15_1,
sed_inplace-2002.10.19, sgmlformat-1.7_2, swatch-3.0.4, turba-1.1_3,
unarj-2.43_1, unrar-.11,1, unzip-5.50, wget-1.8.2_3, wide-dhcp-1.4.0.6,
wv-0.7.4, xlhtml-0.5.1, zoo-2.10.1



Sean Page
Network Analyst, Internet Services
Information Technology Services
Edmonton Public Schools
Phone: (780) 429-8206
http://its.epsb.ca
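An added example, not from the original post or from chkrootkit itself, that mimics the readdir-versus-ps cross-check behind the "process hidden" messages above and shows why a process that exits between the two listings makes a single run fire while repeated sampling does not. It assumes procfs is mounted at /proc and a BSD-style ps that accepts `-ax -o pid=`; the PID snapshots are constructed.

```python
import os
import subprocess


def readdir_pids(proc="/proc"):
    """PIDs seen by listing the procfs directory (the 'readdir' view).
    Assumes procfs is mounted at /proc."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def ps_pids(cmd=("ps", "-ax", "-o", "pid=")):
    """PIDs reported by ps (the 'ps' view). Flags assume a BSD-style ps."""
    out = subprocess.run(list(cmd), capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_from_ps(readdir_view, ps_view):
    """PIDs in the directory listing but missing from ps: what a one-shot
    check reports as 'hidden for ps command'."""
    return readdir_view - ps_view


def hidden_from_readdir(readdir_view, ps_view):
    """PIDs ps reports but the listing lacks ('hidden for readdir command').
    On a live host the ps process itself, started after the listing, lands here."""
    return ps_view - readdir_view


def consistently_hidden(snapshots):
    """Count a PID only if it is hidden from ps in EVERY (readdir, ps) snapshot.
    A process that merely exited between the two listings appears in one
    snapshot and vanishes from the next, so it is dropped here."""
    hidden_sets = [hidden_from_ps(r, p) for r, p in snapshots]
    return set.intersection(*hidden_sets) if hidden_sets else set()


# Constructed snapshots: PID 4242 exits between the readdir and the ps call in
# the first sample (a transient), while PID 31337 is absent from ps every time.
BASE = {1, 2, 100, 200}
SAMPLES = [
    (BASE | {4242, 31337}, BASE),            # 4242 gone by the time ps runs
    (BASE | {31337}, BASE),
    (BASE | {31337, 555}, BASE | {555}),
]


def demo():
    one_shot = hidden_from_ps(*SAMPLES[0])     # fires on the transient PID too
    persistent = consistently_hidden(SAMPLES)  # only the PID hidden in every sample
    return one_shot, persistent


if __name__ == "__main__":
    print("single snapshot:", sorted(demo()[0]))
    print("hidden in every sample:", sorted(demo()[1]))
    live = [(readdir_pids(), ps_pids()) for _ in range(5)]
    print("live host, consistently hidden from ps:", sorted(consistently_hidden(live)))
```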