[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[cobalt-users] chkrootkit-0.38/RaQ4

Subject: [cobalt-users] chkrootkit-0.38/RaQ4
From: "B. Runge" <brunge@xxxxxxxxxxx>
Date: Wed Jan 15 11:55:02 2003
Organization: Independence Telecommunications Utility
List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>

Just installed 0.38 with no other previous versions of chkrootkit
package installed.
*This server is a little behind when it comes to having all the software
upgrades...
Waiting for the maintenance window to roll on around....

Not sure which way to go with this as long as the end result is nailing
this down. See below for the results of the scan.

I have no issues logging in or creating user accounts nor do I have
issues
with creating, removing, changing any sort of file, script or directory.
LSMOD brings nothing out of the ordinary back to me. 
Are these not "some" of the signs that you may have been or are
compromised?

Any input or direction would be greatly appreciated.
Thanks - Bill

Checking `lkm'... You have     2 process hidden for readdir command
You have     2 process hidden for ps command
Warning: Possible LKM Trojan installed
[root chkrootkit-0.38]# ./chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v
###
PID 14597: not in readdir output
PID 14597: not in ps output
PID 14600: not in readdir output
PID 14600: not in ps output
PID 14603: not in readdir output
PID 14603: not in ps output
PID 14604: not in readdir output
PID 14604: not in ps output
You have     4 process hidden for readdir command
You have     4 process hidden for ps command


Checking `lkm'... You have     4 process hidden for readdir command
You have     4 process hidden for ps command
Warning: Possible LKM Trojan installed
[root chkrootkit-0.38]# ./chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v
###
PID 18124: not in readdir output
PID 18124: not in ps output
You have     1 process hidden for readdir command
You have     1 process hidden for ps command


Checking `lkm'... You have     2 process hidden for readdir command
You have     2 process hidden for ps command
Warning: Possible LKM Trojan installed
[root chkrootkit-0.38]# ./chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v
###
PID 31401: not in readdir output
PID 31401: not in ps output
PID 31402: not in readdir output
PID 31402: not in ps output
You have     2 process hidden for readdir command
You have     2 process hidden for ps command

Follow-Ups:
- Re: [cobalt-users] chkrootkit-0.38/RaQ4
  - From: Steve Werby

Prev by Date: [cobalt-users] How to de-queue mail? Sobig virus message
Next by Date: RE: [cobalt-users] ipmasqadm for a RaQ4
Previous by thread: Re: [cobalt-users] How to de-queue mail? Sobig virus message
Next by thread: Re: [cobalt-users] chkrootkit-0.38/RaQ4

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index