[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [cobalt-users] chkrootkit

Subject: RE: [cobalt-users] chkrootkit
From: "Andy Brown" <andy.brown@xxxxxxxxxxxxx>
Date: Mon Aug 5 05:27:00 2002
List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>

<snip>
> Checking `lkm'... You have     1 process hidden for readdir command
> You have     1 process hidden for ps command
> Warning: Possible LKM Trojan installed
> 
> Anyone seeing this with chkrootkit>
> This is a newly restored RaQ3 with RaQ4 software
</snip>

Hi Gerald,
I've seen it before on a RaQ which was never attached to the outside world. Although doing the scan several times, sometimes it came back positive sometimes negative.
If I read it right, it checks the ps command against /proc values, so i'd assume a process that was quick enough to start/stop could appear in one and not the other.
Thats the only explanation I could think of, though would be nice somebody to confirm this!!

Regards,

Andy Brown
andy.brown@xxxxxxxxxxxxx

http://www.interv8.co.uk

Follow-Ups:
- RE: [cobalt-users] chkrootkit
  - From: Gerald Waugh

Prev by Date: [cobalt-users] chkrootkit
Next by Date: Re: [cobalt-users] Perl to check whether a user is administrator
Previous by thread: [cobalt-users] chkrootkit
Next by thread: RE: [cobalt-users] chkrootkit

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index