Re: [cobalt-users] Chkrootkit pre-0.36
- Subject: Re: [cobalt-users] Chkrootkit pre-0.36
- From: "DutchNet Support" <support@xxxxxxxxxxxxx>
- Date: Sun Jul 7 09:50:00 2002
- Organization: DutchNet
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Hi,
That must have been the case, because if I run it now it reports nothing. I ran
it a third time and it's still clean.
All three times I ran the chkrootkit on a very busy server,
6:49pm up 1 day, 4:48, 1 user, load average: 4.15, 2.08, 1.35
129 processes: 127 sleeping, 1 running, 1 zombie, 0 stopped
CPU states: 9.2% user, 12.8% system, 0.0% nice, 77.9% idle
Mem: 517112K av, 434012K used, 83100K free, 520604K shrd, 46604K buff
Swap: 131532K av, 12580K used, 118952K free 244712K cached
Thanks for the input.
Regards
Erik
----- Original Message -----
From: "Marcos Gurgel" <lists@xxxxxxxxxxxxxxxx>
To: "Cobalt" <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Sunday, July 07, 2002 6:25 PM
Subject: Re: [cobalt-users] Chkrootkit pre-0.36
>
> From the chkrootkit.org FAQ:
>
> "How accurate is chkproc?
>
> If you run chkproc on a server that runs lots of short time processes it
> could report some false positives. chkproc compares the ps output with the
> /proc contents. If processes are created/killed during this operation
> chkproc could point out these PIDs as suspicious. "
>
>
>
>
> on 07.07.2002 12:41, DutchNet Support wrote:
>
> > Hi all,
> >
> > Just ran chkrootkit-pre-0.36 on a RaQ4 with the following results;
> >
> > Checking `lkm'... You have 3 process hidden for readdir command
> > You have 3 process hidden for ps command
> > Warning: Possible LKM Trojan installed
> >
> > Could this be caused by running pmfirewall, portsentry and logcheck?
> >
> > Any input is welcome.
> >
> > Kind regards
> >
> > Erik Venema
> > DutchNet
> > Postbus 3
> > 3734 ZG Den Dolder
> > Nederland
> >
> >
> > Tel. +31 (0)30 229 2693
> > Fax +31 (0)30 229 2694
> > Internet: http://www.dutch-net.nl
> >
> > SoHo Networking, Web Site Hosting, Dedicated Servers, Co-location
> >
> >
> >
> > _______________________________________________
> > cobalt-users mailing list
> > cobalt-users@xxxxxxxxxxxxxxx
> > To Subscribe or Unsubscribe, please go to:
> > http://list.cobalt.com/mailman/listinfo/cobalt-users
> >
>
>
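Added example, not part of the original messages and not chkrootkit's own code: the comparison the quoted FAQ describes (PIDs listed in /proc versus PIDs shown by ps), repeated over several rounds so that short-lived processes drop out and only PIDs missing from ps every time remain. The function names, the round count and the PIDs in CONSTRUCTED are assumptions made for illustration.

```python
import os
import subprocess
import time

def proc_pids(root="/proc"):
    """PIDs that appear as numeric directory names under /proc."""
    return {int(name) for name in os.listdir(root) if name.isdigit()}

def ps_pids():
    """PIDs reported by ps (POSIX options: every process, PID column, no header)."""
    out = subprocess.check_output(["ps", "-e", "-o", "pid="], text=True)
    return {int(tok) for tok in out.split()}

def live_sample():
    """One comparison pass on the running system: (listed in /proc, shown by ps)."""
    shown = ps_pids()
    return proc_pids(), shown

def persistent_mismatches(sample, rounds=3, delay=1.0, sleep=time.sleep):
    """Return PIDs that are in /proc but missing from ps in every round.

    A process that starts or exits between the two snapshots mismatches in
    one round only, so intersecting the rounds removes it from the result."""
    suspects = None
    for i in range(rounds):
        in_proc, shown = sample()
        missing = in_proc - shown
        suspects = missing if suspects is None else suspects & missing
        if not suspects:
            break  # nothing survived this round, no need to keep sampling
        if i < rounds - 1:
            sleep(delay)
    return suspects or set()

# Constructed snapshots (not real data): ps never shows 4242, while
# 6101, 6102 and 6110 are short-lived processes on a busy machine.
CONSTRUCTED = [
    ({1, 500, 4242, 6101, 6102}, {1, 500}),
    ({1, 500, 4242, 6110}, {1, 500, 6110}),
    ({1, 500, 4242}, {1, 500}),
]

if __name__ == "__main__":
    # Replay the constructed snapshots offline, then sample the live system.
    print("constructed:", persistent_mismatches(iter(CONSTRUCTED).__next__, sleep=lambda s: None))
    print("live:", persistent_mismatches(live_sample))
```

With rounds=1 the constructed data flags three PIDs, two of them transient; with the default three rounds only the PID that ps never shows is left.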