On Fri, Nov 28, 2003 at 11:00:10AM -0600, Kevin C. Smith wrote:
> Running Debian Sid.
>
> chkrootkit-0.42b reports:
>
> Checking `lkm'... You have 4 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> There are four PID which report as '0'
>
> lappy:~$ ps ax
>   PID TTY      STAT   TIME COMMAND
>     1 ?        S      0:04 init [2]
>     2 ?        SW     0:00 [keventd]
>     3 ?        SW     0:00 [kapmd]
>     0 ?        SWN    0:00 [ksoftirqd_CPU0]
>     0 ?        SW     0:00 [kswapd]
>     0 ?        SW     0:00 [bdflush]
>     0 ?        SW     0:00 [kupdated]
>
> /proc/ shows the following processes: 4, 5, 6, and 7 which appear to be
> the ones showing up as '0'.
>
> lappy:/proc/4$ ls -al
> ls: cannot read symbolic link cwd: Permission denied
> ls: cannot read symbolic link root: Permission denied
> ls: cannot read symbolic link exe: Permission denied
> total 0
> dr-xr-xr-x    3 root root 0 2003-11-28 11:01 ./
> dr-xr-xr-x   75 root root 0 2003-11-28 10:13 ../
> -r--r--r--    1 root root 0 2003-11-28 11:02 cmdline
> lrwxrwxrwx    1 root root 0 2003-11-28 11:02 cwd
> -r--------    1 root root 0 2003-11-28 11:02 environ
> lrwxrwxrwx    1 root root 0 2003-11-28 11:02 exe
> dr-x------    2 root root 0 2003-11-28 11:02 fd/
> -r--r--r--    1 root root 0 2003-11-28 11:02 maps
> -rw-------    1 root root 0 2003-11-28 11:02 mem
> -r--r--r--    1 root root 0 2003-11-28 11:02 mounts
> lrwxrwxrwx    1 root root 0 2003-11-28 11:02 root
> -r--r--r--    1 root root 0 2003-11-28 11:02 stat
> -r--r--r--    1 root root 0 2003-11-28 11:02 statm
> -r--r--r--    1 root root 0 2003-11-28 11:02 status
>
> The links cwd, root, and exe appear to be broken.
>
> Is this a problem? Or is this normal for SID. Maybe Devfs related?
>
> Thoughts and suggestions would be helpful. Thanks.
>
> Kevin C. Smith

Not a problem.

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=utf-8&threadm=3d9c250c.0311132131.7dae9e79%40posting.google.com&rnum=2&prev=/groups%3Fq%3D%2522possible%2Blkm%2Btrojan%2522%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3Dutf-8%26selm%3D3d9c250c.0311132131.7dae9e79%2540posting.google.com%26rnum%3D2
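
The comparison behind the quoted report (PIDs present under /proc but missing from the ps listing), as an added example that is not part of the original thread. The sample data is constructed from the output quoted above, and the function names and the rule of matching bracketed PID-0 rows against the unlisted /proc entries are assumptions of this example.

```python
import re

# Constructed sample: the `ps ax` rows quoted in the message above.
PS_AX = """\
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:04 init [2]
    2 ?        SW     0:00 [keventd]
    3 ?        SW     0:00 [kapmd]
    0 ?        SWN    0:00 [ksoftirqd_CPU0]
    0 ?        SW     0:00 [kswapd]
    0 ?        SW     0:00 [bdflush]
    0 ?        SW     0:00 [kupdated]
"""
# Constructed sample: numeric directory names under /proc, per the message.
PROC_PIDS = [1, 2, 3, 4, 5, 6, 7]


def parse_ps(text):
    """Return (pid, command) for each data row of `ps ax` output."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 4)            # PID TTY STAT TIME COMMAND
        if len(fields) == 5 and fields[0].isdigit():
            rows.append((int(fields[0]), fields[4]))
    return rows


def triage(ps_text, proc_pids):
    """Compare /proc PIDs with ps rows and summarise the mismatch."""
    rows = parse_ps(ps_text)
    listed = {pid for pid, _ in rows}
    # PIDs that exist in /proc but that ps never printed ("hidden for ps").
    unlisted = sorted(p for p in proc_pids if p not in listed)
    # ps shows a name in [brackets] when no command line is available,
    # which is how kernel threads appear; PID 0 here is a misprinted PID.
    pid0 = [cmd for pid, cmd in rows if pid == 0 and re.fullmatch(r"\[.+\]", cmd)]
    return {
        "unlisted_in_ps": unlisted,
        "pid0_bracketed": pid0,
        # Assumption: equal counts mean ps misreported the PIDs of these
        # threads rather than omitting other processes.
        "counts_match": bool(unlisted) and len(unlisted) == len(pid0),
    }


if __name__ == "__main__":
    print(triage(PS_AX, PROC_PIDS))
```

When counts_match is false, the unlisted PIDs have no corresponding row in the ps output at all and each /proc/<pid> entry needs individual inspection.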