Test with Chkrootkit

Norman Nunn npnunn at swbell.net
Tue Jul 27 02:32:24 UTC 2004 

This is a second response to Geoffrey message below.

Here is the output from the two operations below.  I ran the "cat
/proc/<pid>/cmdline" on a sample of the pid's.  They tend to repeat as
long as the pid sequence does not have holes.

****start of terminal printout*****

[user at localhost user]$ chkproc -v
PID  5529: not in readdir output
PID  5529: not in ps output
PID  5532: not in readdir output
PID  5532: not in ps output
PID  5570: not in readdir output
PID  5570: not in ps output
PID  5571: not in readdir output
PID  5571: not in ps output
PID  5572: not in readdir output
PID  5572: not in ps output
PID  5573: not in readdir output
PID  5573: not in ps output
PID  5574: not in readdir output
PID  5574: not in ps output
PID  5575: not in readdir output
PID  5575: not in ps output
PID  5599: not in readdir output
PID  5599: not in ps output
PID  5600: not in readdir output
PID  5600: not in ps output
PID  5601: not in readdir output
PID  5601: not in ps output
PID  5602: not in readdir output
PID  5602: not in ps output
PID  5603: not in readdir output
PID  5603: not in ps output
PID  5604: not in readdir output
PID  5604: not in ps output
PID  5605: not in readdir output
PID  5605: not in ps output
PID  5754: not in readdir output
PID  5754: not in ps output
PID  5787: not in readdir output
PID  5787: not in ps output
You have    17 process hidden for readdir command
You have    17 process hidden for ps command

[user at localhost user]$ cat /proc/5529/cmdline

nautilus--no-default-window--sm-client-iddefault3[user at localhost user]$
cat /proc/5532/cmdline

/usr/libexec/gnome-vfs-daemon--oaf-activate-iid=OAFIID:
GNOME_VFS_Daemon_Factory--oaf-ior-fd=29[user at localhost user]$ cat
/proc/5570/cmdline

nautilus--no-default-window--sm-client-iddefault3[user at localhost user]$
cat /proc/5571/cmdline

nautilus--no-default-window--sm-client-iddefault3[user at localhost user]$
cat /proc/5599/cmdline

[user at localhost user]$ cat /proc/5574/cmdline  <*** a typo ***>

nautilus--no-default-window--sm-client-iddefault3[user at localhost user]$
cat /proc/5754/cmdline

evolution[user at localhost user]$ cat /proc/5787/cmdline

evolution[user at localhost user]$

*****end of terminal printout*****

Is that what should be expected??

Norm

On Sun, 2004-07-25 at 15:26, Geoffrey Leach wrote:

> To further analyze the problem, run ./chkproc -v to get a list of the  
> hidden processes, then run cat /proc/<pid>/cmd to see the processes  
> that are hidden.
> 
> BTW, I'm using version 0.43 on a 2.6 kernel.  Works fine, as far as I  
> can tell.
>

More information about the fedora-list mailing list