First thing, you sent this to me instead of the list, which seems like what you wanted considering the last question.
On Wed, Dec 03, 2003 at 10:38:10PM -0800, Vanh Phom wrote:
> On Wed, 2003-12-03 at 02:07, Micha Feigin wrote:
> > On Wed, Dec 03, 2003 at 01:03:34AM -0800, Vanh Phom wrote:
> > > Hi folk,
> > > After reading a report of servers compromised, just for curiosity I
> > > ran chkrootkit on my own machine and came up with this result:
> > >
> > > Searching for anomalies in shell history files... nothing found
> > > Checking `asp'... not infected
> > > Checking `bindshell'... not infected
> > > Checking `lkm'... You have 12 process hidden for readdir command
> > > You have 12 process hidden for ps command
> > > Warning: Possible LKM Trojan installed
> > > Checking `rexedcs'... not found
> > > Checking `sniffer'...
> > > eth0: PROMISC
> > >
> > > Is my machine compromised? How to fix this?
> > >
> > > Vanh
> >
> > If it's unstable, then there is a bug with chkrootkit.
> > Do a ps ax and see how many processes you have with pid 0. Don't
> > remember the criterion, but some processes owned by the kernel are
> > started with the kernel's pid which is 0 (I hope I am not mixing things
> > up, but that is the essential idea, search the archives on this if you
> > want the exact story).
> > Also try running /usr/lib/chkrootkit/chkproc -v and it will tell you
> > exactly which processes are seen as hidden. You can then try to do:
> > cat /proc/<pid>/status (hoping that wasn't compromised if the computer
> > was, which it probably wasn't) to see what the process actually is.
> >
> I'm running 2.6.0test11 sid.
> /usr/lib/chkrootkit/chkproc -v reports no pid 0

This will not show you pid 0 but what pids it thinks are hidden. You should
see pid 0 on ps ax. What pid does ps ax show for those processes? Could it be
that they have the same pid as their parent process instead of a separate pid?

> cat /proc/<pid>/status reports all 8 processes are either nautilus or
> evolution as sleep.
> I guess it's just a false positive for chkrootkit. I'm just starting to
> run debian in the last month or so. So I'm pretty green on debian.
> BTW, does anyone know how to set up guarddog to start whenever the
> machine is booting? On SuSE the firewall is automatically configured to
> start when the machine is booting.
>
> Vanh

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
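The check Micha walks through above (chkproc's comparison of /proc against ps, then reading /proc/<pid>/status for whatever is left over), redone by hand as an added POSIX sh example; this is not code from the thread or from the chkrootkit package. It assumes a Linux /proc that exposes threads under /proc/<pid>/task as 2.6 does, which is why a threaded program like nautilus or evolution shows up as "hidden" pids; the function names hidden_pids, status_summary and live_check are mine.

```shell
#!/bin/sh
# Added example, not from the thread: redo chkproc's check by hand.
# chkproc probes /proc/<pid> by path, compares with what `ps ax` lists, and
# calls the difference "hidden"; /proc/<pid>/status then says what each one is.

# hidden_pids PROC_LIST PS_LIST: print the pids in PROC_LIST that PS_LIST lacks.
# Both arguments are whitespace-separated pid lists (constructed in tests).
hidden_pids() {
    printf '%s\n' "$2" | awk -v procs="$1" '
        { for (i = 1; i <= NF; i++) seen[$i] = 1 }
        END {
            n = split(procs, a, "[ \t\n]+")
            for (i = 1; i <= n; i++)
                if (a[i] != "" && !(a[i] in seen)) print a[i]
        }'
}

# status_summary STATUS_TEXT: one line "name pid tgid state kind" from the text
# of a /proc/<pid>/status file. On 2.6 each thread has its own /proc/<tid>
# entry that neither readdir nor ps ax lists, so a "hidden" pid whose Tgid
# differs from its Pid is a thread of process Tgid, not an extra process.
status_summary() {
    printf '%s\n' "$1" | awk '
        /^Name:/  { name = $2 }
        /^State:/ { state = $2 }
        /^Tgid:/  { tgid = $2 }
        /^Pid:/   { pid = $2 }
        END {
            kind = (tgid == pid) ? "process" : "thread-of-" tgid
            printf "%s pid=%s tgid=%s state=%s %s\n", name, pid, tgid, state, kind
        }'
}

# live_check: gather every thread id the kernel exposes under /proc/<pid>/task
# (a path probe, like chkproc), subtract what ps reports, and explain the rest.
live_check() {
    [ -d /proc/self/task ] || { echo "no procfs here" >&2; return 0; }
    all=$(for t in /proc/[0-9]*/task/[0-9]*; do echo "${t##*/}"; done | sort -un)
    seen=$(ps -eo pid= | tr -d ' ')
    for pid in $(hidden_pids "$all" "$seen"); do
        [ -r "/proc/$pid/status" ] && status_summary "$(cat "/proc/$pid/status")"
    done
}

# Run with --live to inspect the current machine; without it only the
# functions are defined.
if [ "${1:-}" = "--live" ]; then live_check; fi
```

Every line live_check prints that ends in thread-of-N is accounted for by process N in ps ax; a line ending in "process" is a pid that ps really does not show and deserves a closer look.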