On Tue, Mar 02, 2004 at 01:37:32PM -0500, Rick Luddy wrote:
> I'm not entirely sure whether this is normal behavior, a symptom of possible
> badness, or simple user error. I'm a bit worried it might mean my system
> has been compromised. Any help or explanation would be greatly appreciated.
>
> When I run chkrootkit (0.43-1), I get nothing unusual other than the
> lines:
>
> Checking `lkm'... You have 4 process hidden for readdir command
> You have 4 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> When I investigate further by running chkproc -v -v I get:
>
> PID 4118: not in readdir output
> PID 4118: not in ps output
> CWD 4118: /home/rick
> EXE 4118: /usr/lib/mozilla-firefox/firefox-bin
> PID 4120: not in readdir output
> PID 4120: not in ps output
> CWD 4120: /home/rick
> EXE 4120: /usr/lib/mozilla-firefox/firefox-bin
> PID 4128: not in readdir output
> PID 4128: not in ps output
> CWD 4128: /home/rick
> EXE 4128: /usr/bin/xmms
> PID 4129: not in readdir output
> PID 4129: not in ps output
> CWD 4129: /home/rick
> EXE 4129: /usr/bin/xmms
> You have 4 process hidden for readdir command
> You have 4 process hidden for ps command
>
> I'm using xmms 1.2.10-1, mozilla-firefox 0.8-3, and chkrootkit 0.43-1,
> all gotten from ftp.us.debian.org through apt-get. If I exit firefox and
> xmms, chkrootkit doesn't have a problem any longer, so I don't think it's
> another program pretending to have a false name.

You might be interested in http://bugs.debian.org/222179. I wonder if
there is a process with a pid of {4125,4126,4127} that has tasks with a
pid of 4128 and 4129.

-- 
"If you have an apple and I have an apple and we exchange apples then
you and I will still each have one apple. But if you have an idea and I
have an idea and we exchange these ideas, then each of us will have two
ideas." -- George Bernard Shaw (sent by shaulk @ actcom . net . il)
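
The hypothesis in the reply can be checked directly; this is an added example, not part of the original thread. It assumes a kernel that lists a process's threads under /proc/<pid>/task/, where a thread ID is absent from a readdir of /proc and so looks hidden to chkproc. The leader PIDs 4117 and 4127, PID 6666 and the sample tree are constructed values.

```python
import os
import tempfile


def find_task_owners(hidden_pids, proc_root="/proc"):
    """Map each PID reported as hidden to the visible process that lists it
    under <proc_root>/<pid>/task/, or to None when no such process exists."""
    owners = {pid: None for pid in hidden_pids}
    for entry in os.listdir(proc_root):  # same view as chkproc's readdir pass
        if not entry.isdigit():
            continue
        try:
            tids = os.listdir(os.path.join(proc_root, entry, "task"))
        except OSError:  # process exited, or kernel without task/ directories
            continue
        for tid in tids:
            # A thread-group leader lists itself too; that is not a "hidden" task.
            if tid.isdigit() and tid != entry and int(tid) in owners:
                owners[int(tid)] = int(entry)
    return owners


def build_sample_proc(root):
    """Constructed /proc-like tree: leaders 4117 and 4127 are assumed values,
    chosen only so the PIDs from the chkproc output have an owner."""
    layout = {4117: [4117, 4118, 4120], 4127: [4127, 4128, 4129], 1: [1]}
    for leader, tids in layout.items():
        for tid in tids:
            os.makedirs(os.path.join(root, str(leader), "task", str(tid)))
    os.makedirs(os.path.join(root, "self"))  # non-numeric entry, must be skipped


if __name__ == "__main__":
    reported = [4118, 4120, 4128, 4129, 6666]  # 6666 is constructed: no owner
    with tempfile.TemporaryDirectory() as root:
        build_sample_proc(root)
        for pid, owner in sorted(find_task_owners(reported, root).items()):
            if owner is None:
                print(f"PID {pid}: no visible owner, still unexplained")
            else:
                print(f"PID {pid}: task of visible process {owner}")
```

Called without proc_root, find_task_owners reads the live /proc. A PID that maps to None is not accounted for by threading and is the one that still needs an explanation.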