Chkrootkit anomaly

Guy Van Sanden n.b at myrealbox.com
Thu Aug 28 01:19:06 PDT 2003


Hi Sean

I know chkrootkit is broken on 5.1, don't know about 4.8 though.
The messages you are getting are indeed nearly identical to my problems
a while back (6-8 months).

Kind regards

Guy

On Wed, 2003-08-27 at 15:56, Sean Page wrote:
> Since there have already been a couple of questions on this I thought I'd
> see if anyone could shed some light on something I've noticed since I
> started running chkrootkit. It runs every 15 minutes (overkill? Nah.) in
> quiet mode to cut down on noise in the logs, and sporadically I get these
> notifications:
> 
> You have     1 process hidden for readdir command
> You have     1 process hidden for ps command
> Warning: Possible LKM Trojan installed
> 
> These messages will appear only on the odd occasion, seemingly completely at
> random.
> False positives or very crafty rootkit? 
> Any advice would be greatly appreciated!
> 
> Sean.
> 
> Pertinent details:
> FreeBSD 4.8-RELEASE-p3
> 
> kldstat
> Id Refs Address    Size     Name
>  1    2 0xc0100000 2addcc   kernel
>  2    1 0xc166f000 4000     logo_saver.ko
> 
> Installed Packages:
> BitchX-1.0c19_2, XFree86-libraries-4.3.0_1,
> amavisd-new-20021227.p2,apache+mod_ssl-1.3.27+2.8.14, arc-5.21e.8_1,
> aspell-0.50.3_1,apache+autoconf-2.53_1,autoconf213-2.13.000227_5,
> automake-1.5,1, automake14-1.4.5_9, bash-2.05b,cclient-2002,1,
> chkrootkit-0.41, compat3x-i386-4.4.20020925, cracklib-2.7_1,curl-7.9.8,
> cvsup-16.1g, db3-3.3.11,1, docbook-1.2, docbook-241,
> docbook-3.0,docbook-3.1, docbook-4.0, docbook-4.1, expat-1.95.6_1,
> ezm3-1.0,fontconfig-2.1.94_1, freetype2-2.1.4_1, gd-2.0.11,
> gettext-0.11.5_1, gmake-3.80, help2man-1.29, horde-2.2, httplog-2.1,
> imake-4.3.0, imap-uw-2002_1,1, imp-3.1_3, iso8879-1986, ispell-3.2.06_3,
> jade-1.2.1_1, jpeg-6b_1, kronolith-1.0_3, lha-1.14i, libiconv-1.8_2,
> libmcal-0.7, libmcrypt-2.5.6_1, libtool-1.3.4_4, libwmf-0.2.7,
> libxml2-2.5.6, linuxdoc-1.1, logcheck-1.1.1, m4-1.4_1, mhash-0.8.17,
> mkcatalog-1.1, mm-1.2.1, mod_php4-4.3.1, mysql-client-3.23.56,
> mysql-server-3.23.56, nag-1.1, nmap-3.00, openldap-2.0.25_3,
> p5-Archive-Tar-0.22, p5-Archive-Zip-1.05, p5-Authen-SASL-2.02,
> p5-Bit-Vector-6.3, p5-Compress-Zlib-1.16, p5-Convert-TNEF-0.17,
> p5-Convert-UUlib-0.213, p5-DBI-1.34_1, p5-Data-ShowTable-3.3,
> p5-Date-Calc-5.3, p5-Digest-HMAC-1.01, p5-Digest-MD5-2.22,
> p5-Digest-Nilsimsa-0.06, p5-Digest-SHA1-2.01, p5-File-Spec-0.82,
> p5-File-Tail-0.98_1, p5-HTML-Parser-3.26, p5-HTML-Tagset-3.03, p5-IO-1.20,
> p5-IO-stringy-2.108, p5-MIME-Base64-2.16, p5-MIME-Tools-5.411a_2,
> p5-Mail-SpamAssassin-2.43, p5-Mail-Tools-1.53, p5-Mysql-modules-1.2219,
> p5-Net-1.12,1, p5-Net-DNS-0.33_1, p5-Net-Daemon-0.36, p5-Net-Server-0.83,
> p5-PlRPC-0.2016, p5-PodParser-1.18, p5-Storable-2.06, p5-Test-Harness-2.26,
> p5-Test-Simple-0.47_1, p5-Time-HiRes-1.38,1, p5-TimeDate-1.1301,
> p5-URI-1.23, p5-Unix-Syslog-0.100, pear-Crypt_CBC-0.3, pear-Date-1.3,
> pear-Log-1.5, pear-install-4.3.0, perl-5.8.0_4, pine-4.56, pkgconfig-0.15.0,
> pkgdb.db, png-1.2.5_2, poppassd-4.0_2, portupgrade-20030427,
> procmail-3.22_2, python-2.2.2_2, qpopper-4.0.5_1, razor-agents-2.21_1,
> ruby-1.6.8.2003.04.19, ruby-bdb1-0.2.1, ruby-rdoc-0.0.0.b2,
> ruby-shim-ruby18-1.8.0.p2.2003.04.19_1, screen-3.9.15_1,
> sed_inplace-2002.10.19, sgmlformat-1.7_2, swatch-3.0.4, turba-1.1_3,
> unarj-2.43_1, unrar-.11,1, unzip-5.50, wget-1.8.2_3, wide-dhcp-1.4.0.6,
> wv-0.7.4, xlhtml-0.5.1, zoo-2.10.1
> 
> 
> 
> Sean Page
> Network Analyst, Internet Services
> Information Technology Services
> Edmonton Public Schools
> Phone: (780) 429-8206
> http://its.epsb.ca
> 
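The three messages Sean quotes come from the hidden-process check in chkrootkit, which compares several views of the process table and reports any PID that is alive according to a per-PID probe but absent from a readdir() of /proc or from ps output. Because those views are taken at slightly different instants, a process that exits in between can be reported as "hidden" once and never again, which is exactly the sporadic pattern described. The model below is an added, simplified illustration written for this thread, not chkrootkit's own code: the Snapshot type, the hidden_for/report/persistent_hidden functions and all PID values are constructed for the example, and the message format mirrors the quoted output.

```python
"""Simplified model of a chkproc-style hidden-process comparison.

Added example, not chkrootkit's source. Each Snapshot holds three views
of the process table taken during one pass of the check; a PID present
in the probe view but missing from a listing is reported as hidden.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Snapshot:
    """One pass of the check; each view is captured at a slightly
    different instant, which is what makes a transient disagreement possible."""
    probe: FrozenSet[int]    # PIDs that answered a kill(pid, 0)-style probe
    readdir: FrozenSet[int]  # PIDs returned by readdir() on /proc
    ps: FrozenSet[int]       # PIDs printed by ps


def hidden_for(snap: Snapshot) -> Tuple[FrozenSet[int], FrozenSet[int]]:
    """PIDs alive per the probe but absent from readdir / absent from ps."""
    return snap.probe - snap.readdir, snap.probe - snap.ps


def report(snap: Snapshot) -> List[str]:
    """Render the messages in the form the quoted chkrootkit output uses."""
    rd, ps = hidden_for(snap)
    lines = []
    if rd:
        lines.append(f"You have {len(rd):5d} process hidden for readdir command")
    if ps:
        lines.append(f"You have {len(ps):5d} process hidden for ps command")
    if rd or ps:
        lines.append("Warning: Possible LKM Trojan installed")
    return lines


def persistent_hidden(samples: List[Snapshot]) -> FrozenSet[int]:
    """PIDs flagged in every sample.

    A process that exited between the probe and the listings is flagged
    once and then vanishes from all views; a PID that stays alive yet
    unlisted across repeated samples survives the intersection and is the
    case worth investigating by hand.
    """
    flagged = [hidden_for(s)[0] | hidden_for(s)[1] for s in samples]
    result = flagged[0]
    for f in flagged[1:]:
        result &= f
    return result


# Constructed snapshots (not data from any real system).
BASE = frozenset({1, 2, 45, 312, 788})  # long-running daemons, always visible

# Race: the probe ran while a short-lived cron child (PID 4242) was alive;
# by the time /proc was listed and ps ran, it had already exited.
SAMPLE_RACE = Snapshot(probe=BASE | {4242}, readdir=BASE, ps=BASE)

# A moment later PID 4242 is gone from every view.
SAMPLE_CLEAN = Snapshot(probe=BASE, readdir=BASE, ps=BASE)

# Constructed persistent case: PID 9001 answers the probe in both samples
# but never appears in either listing, while an unrelated new process
# (PID 5150) shows up normally in all three views.
SAMPLE_HIDDEN_A = Snapshot(probe=BASE | {9001}, readdir=BASE, ps=BASE)
SAMPLE_HIDDEN_B = Snapshot(probe=BASE | {9001, 5150},
                           readdir=BASE | {5150}, ps=BASE | {5150})


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RACE)))
    print("persistent after resample (race):",
          sorted(persistent_hidden([SAMPLE_RACE, SAMPLE_CLEAN])))
    print("persistent after resample (unlisted PID):",
          sorted(persistent_hidden([SAMPLE_HIDDEN_A, SAMPLE_HIDDEN_B])))
```

The race sample produces the same three lines Sean sees, yet a second pass a moment later clears it, so re-running the check before alerting removes most of this class of noise. PID reuse can still defeat a naive intersection (a new process may receive the flagged PID), so a persistent hit should be confirmed by inspecting that PID directly rather than trusted on the count alone.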