LKM Trojan (david walcroft)

david walcroft david_walcroft at yahoo.com.au
Thu Dec 2 02:33:11 UTC 2004


Philippe Lasfargues wrote:

> ------------------------------
>
> Message: 16
> Date: Wed, 01 Dec 2004 10:05:14 +1000
> From: david walcroft <david_walcroft at yahoo.com.au>
> Subject: LKM Trojan
> To: For users of Fedora Core releases <fedora-list at redhat.com>
> Message-ID: <41AD0ABA.2010705 at yahoo.com.au>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hi,
>     yesterday chkrootkit logged this
>
> Checking `lkm'...
>  You have     2 process hidden for readdir command
> You have     2 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> Today it logs
>
> Checking `lkm'...
> You have     4 process hidden for readdir command
> You have     4 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> Would these be a 'false positive' or for real and if so how do I
> confirm and remove any infected process/trojan
>
>   Thanks   david
>
>
>
> ------------------------------
>
> Hi David,
>
> Sometimes I have 64 process hidden for readdir command... with chkrootkit.
> But nothing wrong with Rootkit Hunter 1.1.8. (http://www.rootkit.nl/)
>
> Please try it and tell me.
>
> Philippe
>
Philippe,
        Yes I did exactly that and no LKM trojans, but rkhunter isn't
without its minor hiccups :-

[14:23:38] Scanning for file /dev/dev/gaskit/sshd/sshdd... OK. Not found.
[14:23:38] Scanning for directory /dev/dev... WARNING! Exists.

/usr/bin/rkhunter: line 1983: [: /var/rkhunter/tmp: binary operator expected
/usr/bin/rkhunter: line 2075: /var/rkhunter/tmp
/tmp/stringstest.dat: No such file or directory
strings: Warning: '/var/rkhunter/tmp' is not an ordinary file
strings: '/tmp/stringstest.dat': No such file
/usr/bin/rkhunter: line 2075: /var/rkhunter/tmp
/tmp/stringstest.dat: No such file or directory

These are from yesterday's logs, complaining about its own files and
repeated 20 times. Any ideas?

Thanks  david
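The chkrootkit `lkm` warning quoted above comes from comparing two views of the process table: the PIDs that a readdir of /proc returns, and the PIDs that can be found by probing /proc/<n> (or the `ps` listing) for every possible n. Any PID present in the second view but absent from the first is counted as "hidden". The script below is an added example, not code from the original thread, from chkrootkit or from rkhunter; it rebuilds that comparison on Linux procfs and then filters out two benign reasons the counts differ: threads (proc(5) notes that /proc/<tid> exists for every thread but readdir of /proc lists only thread-group leaders, so each extra thread can look like a hidden process) and races (a process that starts or exits between the two views). Only a PID that survives both filters in every sampling round is reported. The `/proc` path, the `Tgid:` field of `/proc/<pid>/status` and `pid_max` are real Linux interfaces; the function names and the three-round sampling scheme are this example's own choices.

```python
#!/usr/bin/env python3
"""Added example (not chkrootkit or rkhunter code): reproduce the idea behind
chkrootkit's "process hidden for readdir command" count and remove the two
common benign causes of a non-zero result.

View A: PIDs listed by reading the /proc directory (readdir).
View B: PIDs found by probing /proc/<n> for every n up to pid_max.
A PID in B but not in A is what chkrootkit reports as "hidden".
"""
import os
import time

PROC = "/proc"  # assumption: a Linux procfs mount; run as root for a full view


def pids_from_readdir(proc=PROC):
    """PIDs visible to readdir(3) on /proc (thread-group leaders only)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pids_from_probe(proc=PROC, pid_max=None):
    """PIDs found by probing /proc/<n> directly; does not depend on readdir.

    Probing every n up to pid_max (4194304 on many systems) takes seconds.
    """
    if pid_max is None:
        with open(os.path.join(proc, "sys", "kernel", "pid_max")) as fh:
            pid_max = int(fh.read())
    return {n for n in range(1, pid_max + 1)
            if os.path.exists(os.path.join(proc, str(n)))}


def tgid_of(pid, proc=PROC):
    """Thread-group id from /proc/<pid>/status, or None if the entry vanished."""
    try:
        with open(os.path.join(proc, str(pid), "status")) as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def hidden_pids(readdir_pids, probed_pids, tgid_lookup):
    """PIDs the probe found but readdir did not, minus threads and races.

    tgid_lookup(pid) -> tgid or None. A probed entry whose Tgid differs from
    its own number is a thread of some process, not a hidden process; an
    entry that no longer exists was a race between the two views.
    """
    hidden = set()
    for pid in probed_pids - readdir_pids:
        tgid = tgid_lookup(pid)
        if tgid is None:        # exited between the two views: race
            continue
        if tgid != pid:         # a thread; its leader is what readdir lists
            continue
        hidden.add(pid)
    return hidden


def persistent(samples):
    """PIDs flagged in every sample; a one-off hit is treated as a race."""
    samples = list(samples)
    if not samples:
        return set()
    return set.intersection(*samples)


def scan(rounds=3, pause=1.0, proc=PROC):
    """Take several samples and keep only PIDs hidden from readdir in all of them."""
    samples = []
    for _ in range(rounds):
        readdir_pids = pids_from_readdir(proc)
        probed = pids_from_probe(proc)
        samples.append(hidden_pids(readdir_pids, probed,
                                   lambda p: tgid_of(p, proc)))
        time.sleep(pause)
    return persistent(samples)


if __name__ == "__main__":
    result = scan()
    if result:
        print("PID(s) hidden from readdir in every round:", sorted(result))
    else:
        print("no PID is consistently hidden from readdir")
```

A PID that is still reported after the thread and race filters deserves a closer look (its `/proc/<pid>/status`, `exe` link and `cmdline`), whereas a count that fluctuates between runs, as in the 2-then-4 figures above, is the signature of threads and short-lived processes rather than of something hiding.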
