Chkrootkit anomaly
Sean Page
Sean.Page at epsb.ca
Wed Aug 27 07:01:30 PDT 2003
Since there have already been a couple of questions on this, I thought I'd
see if anyone could shed some light on something I've noticed since I
started running chkrootkit. It runs every 15 minutes (overkill? Nah.) in
quiet mode to cut down on noise in the logs, and sporadically I get these
notifications:
You have 1 process hidden for readdir command
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed
These messages will appear only on the odd occasion, seemingly completely at
random.
False positives or very crafty rootkit?
Any advice would be greatly appreciated!
Sean.
Pertinent details:
FreeBSD 4.8-RELEASE-p3
kldstat
Id Refs Address Size Name
1 2 0xc0100000 2addcc kernel
2 1 0xc166f000 4000 logo_saver.ko
Installed Packages:
BitchX-1.0c19_2, XFree86-libraries-4.3.0_1,
amavisd-new-20021227.p2,apache+mod_ssl-1.3.27+2.8.14, arc-5.21e.8_1,
aspell-0.50.3_1,apache+autoconf-2.53_1,autoconf213-2.13.000227_5,
automake-1.5,1, automake14-1.4.5_9, bash-2.05b,cclient-2002,1,
chkrootkit-0.41, compat3x-i386-4.4.20020925, cracklib-2.7_1,curl-7.9.8,
cvsup-16.1g, db3-3.3.11,1, docbook-1.2, docbook-241,
docbook-3.0,docbook-3.1, docbook-4.0, docbook-4.1, expat-1.95.6_1,
ezm3-1.0,fontconfig-2.1.94_1, freetype2-2.1.4_1, gd-2.0.11,
gettext-0.11.5_1, gmake-3.80, help2man-1.29, horde-2.2, httplog-2.1,
imake-4.3.0, imap-uw-2002_1,1, imp-3.1_3, iso8879-1986, ispell-3.2.06_3,
jade-1.2.1_1, jpeg-6b_1, kronolith-1.0_3, lha-1.14i, libiconv-1.8_2,
libmcal-0.7, libmcrypt-2.5.6_1, libtool-1.3.4_4, libwmf-0.2.7,
libxml2-2.5.6, linuxdoc-1.1, logcheck-1.1.1, m4-1.4_1, mhash-0.8.17,
mkcatalog-1.1, mm-1.2.1, mod_php4-4.3.1, mysql-client-3.23.56,
mysql-server-3.23.56, nag-1.1, nmap-3.00, openldap-2.0.25_3,
p5-Archive-Tar-0.22, p5-Archive-Zip-1.05, p5-Authen-SASL-2.02,
p5-Bit-Vector-6.3, p5-Compress-Zlib-1.16, p5-Convert-TNEF-0.17,
p5-Convert-UUlib-0.213, p5-DBI-1.34_1, p5-Data-ShowTable-3.3,
p5-Date-Calc-5.3, p5-Digest-HMAC-1.01, p5-Digest-MD5-2.22,
p5-Digest-Nilsimsa-0.06, p5-Digest-SHA1-2.01, p5-File-Spec-0.82,
p5-File-Tail-0.98_1, p5-HTML-Parser-3.26, p5-HTML-Tagset-3.03, p5-IO-1.20,
p5-IO-stringy-2.108, p5-MIME-Base64-2.16, p5-MIME-Tools-5.411a_2,
p5-Mail-SpamAssassin-2.43, p5-Mail-Tools-1.53, p5-Mysql-modules-1.2219,
p5-Net-1.12,1, p5-Net-DNS-0.33_1, p5-Net-Daemon-0.36, p5-Net-Server-0.83,
p5-PlRPC-0.2016, p5-PodParser-1.18, p5-Storable-2.06, p5-Test-Harness-2.26,
p5-Test-Simple-0.47_1, p5-Time-HiRes-1.38,1, p5-TimeDate-1.1301,
p5-URI-1.23, p5-Unix-Syslog-0.100, pear-Crypt_CBC-0.3, pear-Date-1.3,
pear-Log-1.5, pear-install-4.3.0, perl-5.8.0_4, pine-4.56, pkgconfig-0.15.0,
pkgdb.db, png-1.2.5_2, poppassd-4.0_2, portupgrade-20030427,
procmail-3.22_2, python-2.2.2_2, qpopper-4.0.5_1, razor-agents-2.21_1,
ruby-1.6.8.2003.04.19, ruby-bdb1-0.2.1, ruby-rdoc-0.0.0.b2,
ruby-shim-ruby18-1.8.0.p2.2003.04.19_1, screen-3.9.15_1,
sed_inplace-2002.10.19, sgmlformat-1.7_2, swatch-3.0.4, turba-1.1_3,
unarj-2.43_1, unrar-.11,1, unzip-5.50, wget-1.8.2_3, wide-dhcp-1.4.0.6,
wv-0.7.4, xlhtml-0.5.1, zoo-2.10.1
Sean Page
Network Analyst, Internet Services
Information Technology Services
Edmonton Public Schools
Phone: (780) 429-8206
http://its.epsb.ca
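Added example, not part of the original post and not chkrootkit's own code: chkrootkit's chkproc builds one process list by reading the procfs directory (the "readdir" view) and another from ps(1) (the "ps" view), and the two messages quoted above are the counts of PIDs present in one view but missing from the other. A process that starts or exits between the two listings produces exactly such a one-off discrepancy, while a process that is really being hidden from ps or from readdir is missing on every pass. The script below repeats the comparison over several passes and reports only the PIDs that stay hidden in all of them. It assumes procfs is mounted at /proc and that `ps -axo pid=` is available (true for BSD ps and procps); the kill() sweep that chkproc also performs is left out, so only the two views named in the messages are compared. The `scan`, `compare_views` and `persistent_hidden` names are this example's own.

```python
#!/usr/bin/env python3
"""chkproc-style readdir-vs-ps comparison with a re-check step.

Not chkrootkit's code. Each pass takes a procfs directory listing and a ps
listing; PIDs present in one but absent from the other are "hidden" for the
view that lacks them. Transient processes are hidden in at most one pass, so
intersecting the hidden sets across passes filters them out.
"""
import os
import subprocess
import time

PROC = "/proc"  # assumption: procfs mounted here (FreeBSD 4.x and Linux both use it)


def pids_from_readdir(proc_dir=PROC):
    """PIDs visible by listing the procfs directory (chkproc's 'readdir' view)."""
    try:
        return {int(name) for name in os.listdir(proc_dir) if name.isdigit()}
    except OSError:
        return set()


def pids_from_ps():
    """PIDs reported by ps(1) (chkproc's 'ps' view).

    The ps child is excluded from its own output: it was forked after the
    readdir snapshot, so it would always look 'hidden for readdir'.
    """
    try:
        proc = subprocess.Popen(["ps", "-axo", "pid="],
                                stdout=subprocess.PIPE, text=True)
    except OSError:  # no ps binary: treat as an empty view
        return set()
    out, _ = proc.communicate()
    pids = {int(tok) for tok in out.split() if tok.isdigit()}
    pids.discard(proc.pid)
    return pids


def compare_views(readdir_pids, ps_pids):
    """One chkproc-style pass.

    Returns (hidden_for_readdir, hidden_for_ps): PIDs ps shows but the
    directory listing lacks, and PIDs the listing shows but ps lacks.
    """
    readdir_pids, ps_pids = set(readdir_pids), set(ps_pids)
    return ps_pids - readdir_pids, readdir_pids - ps_pids


def persistent_hidden(passes):
    """Intersect the hidden sets of several passes.

    `passes` is a list of (readdir_pids, ps_pids) snapshots. A PID that was a
    short-lived process is hidden in one pass and absent from both views in
    the next, so it drops out; a persistently hidden PID survives.
    """
    rd_hidden = ps_hidden = None
    for readdir_pids, ps_pids in passes:
        h_rd, h_ps = compare_views(readdir_pids, ps_pids)
        rd_hidden = h_rd if rd_hidden is None else rd_hidden & h_rd
        ps_hidden = h_ps if ps_hidden is None else ps_hidden & h_ps
    if rd_hidden is None:
        return set(), set()
    return rd_hidden, ps_hidden


def scan(passes=3, delay=0.5):
    """Take live snapshots; return (hidden_for_readdir, hidden_for_ps, per_pass)."""
    snapshots = []
    for _ in range(passes):
        snapshots.append((pids_from_readdir(), pids_from_ps()))
        time.sleep(delay)
    per_pass = [compare_views(rd, ps) for rd, ps in snapshots]
    rd_hidden, ps_hidden = persistent_hidden(snapshots)
    return rd_hidden, ps_hidden, per_pass


if __name__ == "__main__":
    rd_hidden, ps_hidden, per_pass = scan()
    for i, (h_rd, h_ps) in enumerate(per_pass, 1):
        print(f"pass {i}: {len(h_rd)} hidden for readdir, {len(h_ps)} hidden for ps")
    if rd_hidden or ps_hidden:
        print(f"persistent: hidden for readdir {sorted(rd_hidden)}, "
              f"hidden for ps {sorted(ps_hidden)}")
        print("same PIDs missing on every pass: investigate")
    else:
        print("nothing persistently hidden; one-off differences were transient processes")
```

Run it from cron in place of, or alongside, the single chkrootkit pass: a count that appears in one pass and vanishes in the next is the signature of a process that lived only for a moment, whereas a PID listed under "persistent" deserves a look at /proc/<pid> by hand. Note that a process kept out of both views at once is invisible to this comparison, just as it is to chkproc's.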