Re: LKM ps error message with chkrootkit?

[matt <matt () learnsecurityonline com>]

Paulo wrote:

> Hi,
>
> I have a RedHat 8 and when I ran the chkrootkit, I get
> the following message:
>
> Checking `lkm'... ps: error: Thread display not
> implemented.
> usage: ps -[Unix98 options]
>       ps [BSD-style options]
>       ps --[GNU-style long options]
>       ps --help for a command summary
> OooPS!
> chkproc: Warning: Possible LKM Trojan installed
>
> Was I hacked? Someone can help me?
>
> Thanks in advance.
>
> Paulo 
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around 
> http://mail.yahoo.com 
>
>  
I personally dont have a redhat 8 system handy to check this, but it 
could be that ps on redhat 8 doesnt support the option chkrootkit is using,
or it was replaced by an attacker with a borked ps.  The only way to 
check for sure is to analyse the md5 hash's of your ps(dont take it from 
the running OS,
mount the drive)  and check it against a redhat /bin/ps you know to be 
fresh.  Most likely its scenario one.

Regards

Matt
Learn Security Online, Inc.

* Security Games           * Simulators
* Challenge Servers       * Courses
* Hacking Competitions  * Hacklab Access

http://www.learnsecurityonline.com