chkrootkit: LKM trojan(?) and strange cron behaviour

Greg Lane greg.lane at internode.on.net
Wed May 14 17:46:01 PDT 2003


On Tue, May 13, 2003 at 08:43:22AM -0400, Jason Stewart <jstewart at rtl.org> wrote:
> <snip>
> > Checking `lkm'... You have     1 process hidden for readdir command
> > You have     1 process hidden for ps command
> > Warning: Possible LKM Trojan installed
> > 
> <snip>
> > Has anyone ever seen this message from chkrootkit before and 
> > determined it was a false alarm?  (Note that I am running stable
> > and this is not the known problems with chkrootkit and current.)
> 
> Hi Greg,
> This could be a false alarm. I've had them before, and they seem to only
> happen on the boxes that I have Apache running on. 

Hi Jason, 

Sorry for the delay in replying. I had to prepare a couple of lectures
over the last two days.

I am glad someone else has at least seen this before. I found
virtually nothing when I went searching the lists.
I presume that this has something to do with apache 
spawning processes in the middle of chkrootkit running? 
I don't really know though. (My web site is hardly very active!)

> I would suggest
> keeping your eye on the box very closely for a while to be safe. If
> possible, monitor network traffic from another box for a while.

I'm normally pretty good about monitoring things. I noticed 
this almost immediately. I've noticed no unusual traffic 
and an external portscan revealed nothing unusual either.

> I would be concerned, but not alarmed.

The thing that concerned me most was the fact that it happened near
when cron decided to stop working. Have you (or anyone else
for that matter) seen cron just stop like that? The process was
there, but doing nothing. Again, a search of the lists got me a few hits
but nothing obvious and nothing recent.

Cheers,
Greg
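Editor's note on the `lkm' check itself. chkrootkit's chkproc gets that verdict by probing PIDs directly (kill(pid, 0) and a stat of /proc/PID) and comparing the result with what readdir on /proc and `ps` list; a PID the probe sees but a listing does not is counted as "hidden". The three views are not taken atomically, so a process that is born or dies in between, such as an httpd child, is counted once and then vanishes. The script below is an added illustration, not chkrootkit's code and not from anyone in this thread; the PIDs and snapshots in it are constructed, and the hypothetical hidden_consistently() shows the check a cautious admin would run before worrying: repeat the scan and only believe a PID that stays hidden on every pass.

```python
"""Added illustration of the chkproc comparison and its race (not chkrootkit code)."""
import os
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """The three views chkproc compares; none is taken atomically with the others."""
    probed: frozenset   # PIDs that answered kill(pid, 0) / stat("/proc/<pid>")
    readdir: frozenset  # PIDs that readdir("/proc") listed
    ps: frozenset       # PIDs that `ps` printed


def hidden_once(snap):
    """Single-pass check, the way chkproc reports it.

    Returns (hidden_from_readdir, hidden_from_ps): PIDs the direct probe saw
    but the listing did not.  A PID alive for the probe that exits before the
    listing runs lands here, which is the short-lived-child race.
    """
    return (snap.probed - snap.readdir, snap.probed - snap.ps)


def hidden_consistently(snaps):
    """Hypothetical confirmation step: require a hit on every pass.

    A short-lived child is absent from the next pass's probe set, so it drops
    out of the intersection.  A process hidden from the listings by a kernel
    module keeps answering the probe and keeps being missing, so it survives.
    """
    if not snaps:
        raise ValueError("need at least one snapshot")
    rd, ps = hidden_once(snaps[0])
    for snap in snaps[1:]:
        h_rd, h_ps = hidden_once(snap)
        rd &= h_rd
        ps &= h_ps
    return rd, ps


def live_snapshot(max_pid=99999):
    """One real pass; needs a mounted procfs and `ps` in PATH (not used below).

    Caveat: on Linux, kill(tid, 0) also succeeds for thread IDs, which readdir
    on /proc does not list, so filter the probe set down to thread-group
    leaders there before comparing, or every threaded daemon looks hidden.
    """
    probed = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, just not ours to signal
        probed.add(pid)
    readdir = {int(name) for name in os.listdir("/proc") if name.isdigit()}
    out = subprocess.run(["ps", "-axo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return Snapshot(frozenset(probed), frozenset(readdir),
                    frozenset(int(tok) for tok in out.split()))


# Constructed snapshots (illustrative PIDs, not from any real host).
STEADY = frozenset({1, 2, 31, 300, 4000})  # init, cron, sshd, httpd parent, ...

# Pass 1: an httpd child (PID 4321) is alive for the probe but exits before
# readdir and ps run.  chkproc would print
#   "You have 1 process hidden for readdir command"
#   "You have 1 process hidden for ps command"
# Pass 2, moments later: the child is gone from every view.
TRANSIENT_PASSES = [
    Snapshot(STEADY | {4321}, STEADY, STEADY),
    Snapshot(STEADY, STEADY, STEADY),
]

# A process (PID 666) that answers the probe but is stripped from both
# listings on every pass: the pattern chkproc is actually looking for.
ROOTKIT_PASSES = [
    Snapshot(STEADY | {666}, STEADY, STEADY),
    Snapshot(STEADY | {666}, STEADY, STEADY),
    Snapshot(STEADY | {666}, STEADY, STEADY),
]


if __name__ == "__main__":
    for label, passes in (("transient child", TRANSIENT_PASSES),
                          ("hidden process", ROOTKIT_PASSES)):
        print(label, "single pass:", hidden_once(passes[0]))
        print(label, "across passes:", hidden_consistently(passes))
```

Run as-is it only evaluates the constructed snapshots; to repeat the real check, call live_snapshot() a few times some seconds apart and feed the list to hidden_consistently(). The same PID hidden from readdir and ps on every pass, while it still answers kill(pid, 0), is worth the alarm; a PID that shows once and is gone is the race described in the thread.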
