Don't know if it's normal, but vmware3 does something that causes chkrootkit to see 1 hidden process for me. I wasn't actively using it at the time, so maybe if you have the VM running it causes more hidden processes.
On Thursday 04 December 2003 17:09, Micha Feigin wrote:
> First thing, you sent this to me instead of the list, which seems
> like what you wanted considering the last question.
>
> On Wed, Dec 03, 2003 at 10:38:10PM -0800, Vanh Phom wrote:
> > On Wed, 2003-12-03 at 02:07, Micha Feigin wrote:
> > > On Wed, Dec 03, 2003 at 01:03:34AM -0800, Vanh Phom wrote:
> > > > Hi folks,
> > > > After reading a report of servers being compromised, just for
> > > > curiosity I ran chkrootkit on my own machine and came up
> > > > with this result:
> > > >
> > > > Searching for anomalies in shell history files... nothing found
> > > > Checking `asp'... not infected
> > > > Checking `bindshell'... not infected
> > > > Checking `lkm'... You have 12 process hidden for readdir command
> > > > You have 12 process hidden for ps command
> > > > Warning: Possible LKM Trojan installed
> > > > Checking `rexedcs'... not found
> > > > Checking `sniffer'...
> > > > eth0: PROMISC
> > > >
> > > > Is my machine compromised? How to fix this?
> > > >
> > > > Vanh
> > >
> > > If it's unstable, then there is a bug with chkrootkit.
> > > Do a ps ax and see how many processes you have with pid 0.
> > > Don't remember the criterion, but some processes owned by the
> > > kernel are started with the kernel's pid, which is 0 (I hope I
> > > am not mixing things up, but that is the essential idea; search
> > > the archives on this if you want the exact story).
> > > Also try running /usr/lib/chkrootkit/chkproc -v and it will
> > > tell you exactly which processes are seen as hidden. You can
> > > then try to do: cat /proc/<pid>/status (hoping that wasn't
> > > compromised if the computer was, which it probably wasn't) to
> > > see what the process actually is.
> > >
> > > > --
> > > > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > > > with a subject of "unsubscribe". Trouble? Contact
> > > > [EMAIL PROTECTED]
> >
> > I'm running 2.6.0test11 sid.
> > /usr/lib/chkrootkit/chkproc -v reports no pid 0
>
> This will not show you pid 0 but what pids it thinks are hidden.
> You should see pid 0 on ps ax.
> What pid does ps ax show for those processes? Could it be that
> they have the same pid as their parent process instead of a
> separate pid?
>
> > cat /proc/<pid>/status reports all 8 processes are either nautilus
> > or evolution as sleep.
> > I guess it's just a false positive for chkrootkit. I'm just
> > starting to run debian in the last month or so, so I'm pretty
> > green on debian. BTW, does anyone know how to set up guarddog to
> > start whenever the machine is booting? On SuSE the firewall is
> > automatically configured to start when the machine is booting.
> >
> > Vanh
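As an added example (not from this thread and not chkrootkit's own code), the script below repeats the readdir-versus-probe comparison behind chkproc's "hidden for readdir" count and then reads /proc/<pid>/status for each hit, the way Micha suggests, to separate a thread of a user process (Tgid differs from Pid, which is what the nautilus and evolution hits look like) or a kernel-owned task (parent pid 0) from a pid that has no benign explanation. The status excerpts are constructed; the live scan at the bottom needs a Linux /proc and does not compare against ps.

```python
import os

# Constructed /proc/<pid>/status excerpts for offline checks (not real captures).
SAMPLE_THREAD_STATUS = "Name:\tevolution\nState:\tS (sleeping)\nTgid:\t2310\nPid:\t2314\nPPid:\t1\n"
SAMPLE_KERNEL_STATUS = "Name:\tkswapd0\nState:\tS (sleeping)\nTgid:\t5\nPid:\t5\nPPid:\t0\n"
SAMPLE_PLAIN_STATUS = "Name:\tsh\nState:\tS (sleeping)\nTgid:\t4000\nPid:\t4000\nPPid:\t3999\n"

def parse_status(text):
    """Turn the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def classify(status):
    """Say whether a pid that readdir() skipped has a benign explanation."""
    name = status.get("Name", "?")
    pid = int(status.get("Pid", -1))
    tgid = int(status.get("Tgid", pid))
    ppid = int(status.get("PPid", -1))
    if tgid != pid:
        # A thread: /proc/<tid> can be opened, but readdir() lists only group leaders.
        return "benign: thread of pid %d (%s)" % (tgid, name)
    if ppid == 0:
        return "benign: kernel-owned task %s (parent pid 0)" % name
    return "unexplained: %s, inspect further" % name

def probe_pids(proc="/proc", limit=32768):
    """Brute-force the way chkproc does: try opening /proc/<n> for every n."""
    return {n for n in range(1, limit) if os.path.isdir(os.path.join(proc, str(n)))}

def listed_pids(proc="/proc"):
    """The pids a plain readdir() of /proc reports (what `ls /proc` sees)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def hidden_for_readdir(proc="/proc", limit=32768):
    """Pids found by probing but absent from the directory listing."""
    return sorted(probe_pids(proc, limit) - listed_pids(proc))

def explain(pids, proc="/proc"):
    """Map each hidden pid to the verdict derived from its status file."""
    verdicts = {}
    for pid in pids:
        try:
            with open(os.path.join(proc, str(pid), "status")) as fh:
                verdicts[pid] = classify(parse_status(fh.read()))
        except OSError:
            verdicts[pid] = "gone: exited while scanning"
    return verdicts

if __name__ == "__main__":
    hidden = hidden_for_readdir()
    print("%d pid(s) hidden for readdir" % len(hidden))
    for pid, verdict in sorted(explain(hidden).items()):
        print(pid, verdict)
```

On a kernel that exposes threads under /proc/<tid> every hit from a multithreaded desktop program resolves to "thread of pid N", which is the false positive this thread ends on; only the "unexplained" verdicts deserve the manual inspection Micha describes.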