Security Basics mailing list archives

Re: Bug in chkrootkit ?


From: Alex 'CAVE' Cernat <cave () cernat ro>
Date: Wed, 30 Jul 2003 19:52:13 +0300

> "You have 4 process hidden for ps command" and the hint for a probably
> installed "LKM Rootkit". So far, so good. "chkproc" with the verbose
> option enabled (-v) says:
>
> [mw@zeus chkrootkit-0.38]# ./chkproc -v
> PID 26194: not in ps output
> PID 26195: not in ps output
> PID 26196: not in ps output
> PID 26197: not in ps output
> You have 4 process hidden for ps command


Try something better:
ls -l /proc/$pid/exe - this command will give you the real path of the
executable 'name', which can even be '/usr/man/man1/xxx/whatever/named'.
You can also try ls -l /proc/$pid/fd/ - the list of file descriptors opened
by process $pid.

I had a server cracked and chkrootkit reported 2 hidden processes; they
were on my system, hidden from ps and top, but not hidden enough from the
absolute path.
I'm not sure, but I believe that if an LKM is clever enough (i.e. very well
programmed), it can really 'wipe' a file/process/??? from the system, so
it's sometimes hard to diagnose your server.

Alex
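The check Alex describes, as an added example that is not code from the original post or from chkrootkit: a small POSIX sh script that lists PIDs present in /proc but missing from `ps`, re-checks each candidate so a process that merely started or exited between the two listings is not reported, and then prints the `exe` link, `cwd`, command line and open fds for whatever remains. It assumes Linux with /proc mounted, a procps-style `ps -e -o pid=`, and root (otherwise `exe`, `cwd` and `fd` of other users' processes read as unreadable). Because the shell glob on /proc goes through the same readdir/getdents path an LKM can hook, the script also carries a direct probe of /proc/<n> (closer to what chkproc does); that probe has to keep only thread group leaders, since thread IDs also answer as /proc/<tid> and would otherwise all look "hidden". The function names and the `(unreadable)` markers are this example's own choices.

```shell
#!/bin/sh
# hidden-procs.sh: added example, not code from the original post or from
# chkrootkit.  Assumes Linux with /proc mounted and a procps-style ps that
# accepts "ps -e -o pid=".  Run as root, or exe/cwd/fd of other users'
# processes will read as "(unreadable)".

# PIDs as ps reports them, one per line.  If ps is trojaned or the kernel
# filters what it reads, this is the list the attacker wants you to see.
ps_pids() {
    ps -e -o pid= 2>/dev/null | tr -d ' ' | grep -x '[0-9][0-9]*' || true
}

# PIDs visible through readdir() on /proc.  The glob uses getdents, the same
# call most LKM rootkits hook, so this list can be filtered just like ps.
readdir_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && printf '%s\n' "${d#/proc/}"
    done
}

# PIDs found by probing /proc/<n> directly for n = 1..$1, bypassing readdir
# (closer to what chkproc does).  Thread IDs also answer as /proc/<tid>, so
# keep only thread group leaders (Tgid == n); otherwise every multithreaded
# daemon shows up as "hidden".
probe_pids() {
    limit=$1
    n=1
    while [ "$n" -le "$limit" ]; do
        if [ -d "/proc/$n" ]; then
            tgid=$(awk '/^Tgid:/ { print $2 }' "/proc/$n/status" 2>/dev/null || true)
            [ "$tgid" = "$n" ] && printf '%s\n' "$n"
        fi
        n=$((n + 1))
    done
}

# PIDs present in /proc (via readdir) but absent from ps.  A candidate is
# re-checked against a second ps snapshot and must still exist in /proc, so a
# process that merely exited or started between the two listings is dropped.
hidden_pids() {
    first=$(ps_pids)
    for pid in $(readdir_pids); do
        printf '%s\n' "$first" | grep -qx "$pid" && continue
        [ -d "/proc/$pid" ] || continue            # already gone: benign
        ps_pids | grep -qx "$pid" && continue      # started late: benign
        [ -d "/proc/$pid" ] && printf '%s\n' "$pid"
    done
}

# What the post recommends for each suspicious PID: the real executable path
# (a "(deleted)" suffix means the binary was unlinked after exec), the working
# directory, the command line and the open file descriptors.
inspect_pid() {
    pid=$1
    echo "== PID $pid"
    echo "exe: $(readlink "/proc/$pid/exe" 2>/dev/null || echo '(unreadable)')"
    echo "cwd: $(readlink "/proc/$pid/cwd" 2>/dev/null || echo '(unreadable)')"
    echo "cmd: $(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline" || true)"
    ls -l "/proc/$pid/fd" 2>/dev/null || echo "fd:  (unreadable)"
}

# Returns 0 when ps and /proc agree, 1 when something is hidden from ps.
main() {
    hidden=$(hidden_pids)
    if [ -z "$hidden" ]; then
        echo "ps and /proc agree: no hidden processes."
        return 0
    fi
    count=$(printf '%s\n' "$hidden" | wc -l | tr -d ' ')
    echo "You have $count process(es) in /proc that ps does not report:"
    for pid in $hidden; do
        inspect_pid "$pid"
    done
    return 1
}

main "$@"
```

`main` only compares readdir against ps, which is exactly the comparison the quoted chkproc output is based on. To look for entries hidden from readdir as well, run `probe_pids "$(cat /proc/sys/kernel/pid_max)"` and diff its output against `readdir_pids`; in plain sh that loop is slow on kernels with a large pid_max, which is one reason chkproc does it in C.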
