chkrootkit: LKM trojan(?) and strange cron behaviour

Jason Stewart jstewart at
Tue May 13 05:43:13 PDT 2003

On Tue, 2003-05-13 at 06:47, Greg Lane wrote:
> Nevertheless, I went further
> investigating and found an interesting message from chkrootkit 
> at 3 am May 10 (2 days before):
> Checking `lkm'... You have     1 process hidden for readdir command
> You have     1 process hidden for ps command
> Warning: Possible LKM Trojan installed
> That was the only abnormal message that night and everything was 
> normal before this (for at least a month) and for the next two 
> nights till cron died (I run chkrootkit from cron just before
> 3am each night). 
> I just ran chkrootkit again and it reports nothing. I am building 
> static executables on another stable machine at the moment so that 
> I can run chkrootkit with known executables. 
> Has anyone ever seen this message from chkrootkit before and 
> determined it was a false alarm?  (Note that I am running stable
> and this is not the known problems with chkrootkit and current.)

Hi Greg,
This could be a false alarm. I've had them before, and they seem to only
happen on the boxes that I have Apache running on. I would suggest
keeping your eye on the box very closely for a while to be safe. If
possible, monitor network traffic from another box for a while.

> Would you be concerned?!?!?

I would be concerned, but not alarmed.

