On Sat, Nov 29, 2003 at 10:58:31AM -0500, Paul Morgan wrote:
> On Sat, 29 Nov 2003 05:49:31 -0500, Thomas H. George wrote:
>
> > chkrootkit reported possible LKM Trojan. 4 processes hidden for ps command.
> >
> > Before reformatting the hard drive and reinstalling Debian, started a dvd
> > backup using growisofs.
> > The backup of /usr was successful, backup of /var failed with duplicate
> > names in /rr_moved.
> >
> > Obviously I would like to delete /rr_moved but it is hidden from me. Is
> > there any way to do this?
> >
> > In the meantime I am continuing the backup on the assumption that I
> > might retrieve specific files without recontaminating the system.
> >
> > The backup of /home was successful with the warning "missing whole name
> > for 'rr_moved'"
> >
> > Tom
>
> I assume that you've checked that chkrootkit didn't give you false
> positives. If you didn't, read this (and if you did, sorry):
>
> http://www.wiggy.net/debian/developer-securing/
>
> --
> ....................paul
>
> "The average lifespan of a Web page today is 100 days. This is no way to
> run a culture."
>
> Internet Archive Board Chairman

Thank you for the above link. I did get your response before deleting
anything and found I had encountered a false positive. I still must learn
about the "/rr_moved" directory which blocks my backups but this is a
separate issue so I will post a separate question.

Tom

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]