Pantek Library

Re: LKM Trojan installed

From: Craig Holmes <Leusent(at)typeoneg.net>
Date: Sat Feb 08 2003 - 14:19:14 EST

On February 7, 2003 11:08 pm, Nathan Yocom wrote:
> If a user was to gain local root privileges, it is also possible that
Although this is very possible, and something you should consider while looking for any malicious files or processes, I believe that the message you got from chkproc (called by chkrootkit) means it found inconsistencies between ps output and your proc filesystem. Cal Peake pointed out that Red Hat hides threads, so I would check your ps/proc first. Although I am not completely sure, I believe that if it detects an LKM, it will report processes being hidden by readdir.

/* Snippet of code */

   if (retdir)
      printf("You have % 5d process hidden for readdir command\n", retdir);
   if (retps)
      printf("You have % 5d process hidden for ps command\n", retps);

/* Done */

Craig Holmes

Received on Tue Feb 11 10:51:19 2003
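
The comparison discussed in the message above, as an added example that is not part of the original post and is not chkrootkit's code: list the numeric entries readdir() returns for /proc, then look up each ID directly and count the ones readdir() left out. IDs whose Tgid in /proc/<id>/status differs from the ID are treated as threads and skipped, which is the false positive the message attributes to hidden threads; the function names and the Tgid test are assumptions of this example.

```c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_ID 4194304L /* largest pid_max Linux allows */

/* Mark every numeric name readdir() returns; 0 on success, -1 on error. */
int list_readdir(const char *procdir, unsigned char *seen) {
    DIR *d = opendir(procdir);
    struct dirent *e;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long id = strtol(e->d_name, &end, 10);
        if (isdigit((unsigned char)e->d_name[0]) && *end == '\0' && id <= MAX_ID)
            seen[id] = 1;
    }
    closedir(d);
    return 0;
}

/* Assumed test: 1 if Tgid == id (a process), 0 if a thread, -1 if no entry. */
int probe(const char *procdir, long id) {
    char path[512], line[256];
    long tgid = -1;
    snprintf(path, sizeof path, "%s/%ld/status", procdir, id);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "Tgid: %ld", &tgid) == 1) break;
    fclose(f);
    return tgid == id;
}

/* Count processes reachable by direct lookup that readdir() did not list. */
int count_hidden(const char *procdir, const unsigned char *seen, long max_id) {
    int hidden = 0;
    for (long id = 1; id <= max_id && id <= MAX_ID; id++)
        if (!seen[id] && probe(procdir, id) == 1) hidden++;
    return hidden;
}

int main(void) {
    unsigned char *seen = calloc(MAX_ID + 1, 1);
    if (!seen || list_readdir("/proc", seen) < 0) return 1;
    printf("%d process(es) hidden from readdir\n", count_hidden("/proc", seen, MAX_ID));
    free(seen);
    return 0;
}
```

A process that starts between the listing and the probe is counted as hidden, so a nonzero result should be rechecked before it is treated as a finding.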

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:19 EDT
