[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: LKM Trojan

From: Pedro Fernandes Macedo <webmaster margo bijoux nom br>
To: For users of Fedora Core releases <fedora-list redhat com>
Subject: Re: LKM Trojan
Date: Tue, 30 Nov 2004 22:20:53 -0200

david walcroft wrote:

Would these be a 'false positive' or for real and if so how do I
confirm and remove any infected process/trojan

Thanks david

There's a high chance that these are false positives... Run chkrootkit with the verbose option and it'll show the PID of the processes... Then , check the /proc/$PID/ directory.. the "status" file will give u the program name... and the other files (specially environ and cmdline) will give more details. and for the path of the file , check the symlink "exe" in that folder..

I used to have lots of false positives , so I just quit using chkrootkit (as my machine isnt all that sensitive and I secured it the best I can..)..

--
Pedro Macedo

Follow-Ups:
- Re: LKM Trojan
  - From: Rahul Sundaram

References:
- LKM Trojan
  - From: david walcroft

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]