Security Incidents mailing list archives

Re: suspicious activities...


From: Sean <sean () obstacle9 com>
Date: Wed, 15 Sep 2004 15:57:47 -0700

hilton de meillon wrote:
Hi All, I had this really strange occurrence the other night...

--snip--

xyzhost:~# chkrootkit -q
You have 2 process hidden for readdir command
You have     2 process hidden for ps command
Warning: Possible LKM Trojan installed
  eth0 is not promisc
so I was like "AAARRRGGGHHH!!!" I then ran:

xyzhost:~# w
 20:38:51 up 59 min,  3 users,  load average: 0.07, 0.02, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
root     pts/0    zzz.yyy.xxx.www  19:40    1:18   0.13s  0.00s  tail -f /var/log/mail/mail.log
root     pts/1    zzz.yyy.xxx.www  20:06   46.00s  0.28s  0.18s  watch -n 1 mailq
root     pts/2    zzz.yyy.xxx.www  20:38    0.00s  0.02s  0.01s  w

I ran chkrootkit again and got this message...

xyzhost:~# chkrootkit -q
warning, got bogus tcp line.
  eth0 is not promisc


Then I ran it again and got nothing...???:


After reading your email I decided to run chkrootkit myself and I received the same "Possible LKM Trojan" message. This is most likely a race condition, see here:


http://lists.debian.org/debian-security/2003/10/msg00208.html
http://lists.debian.org/debian-security/2003/10/msg00210.html

cheers,
Sean
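An added example, not code from this thread or from chkrootkit, showing the race Sean points to and one way to confirm a hidden-process finding before acting on it: a hypothetical Python check that repeats chkproc's /proc-versus-ps comparison several times and keeps only PIDs that are hidden in every round. It assumes a Linux host with /proc and a ps that accepts `-e -o pid=`; the sample data is constructed.

```python
import os
import subprocess
import time
from typing import Iterable, List, Set, Tuple

Sample = Tuple[Set[int], Set[int]]  # (PIDs from /proc readdir, PIDs from ps)

def proc_pids() -> Set[int]:
    """PIDs found by reading /proc, as chkrootkit's chkproc does (Linux only)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def ps_pids() -> Set[int]:
    """PIDs reported by ps, the second view chkproc compares against."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def hidden_from_ps(proc: Set[int], ps: Set[int]) -> Set[int]:
    """Single-shot comparison: in /proc but not in ps. A process that exits
    between the two listings lands here too; that is the race behind a
    spurious "process hidden for ps command" line."""
    return proc - ps

def persistently_hidden(samples: Iterable[Sample]) -> Set[int]:
    """Keep only PIDs hidden in every sample: transient PIDs drop out of the
    intersection, a PID an LKM conceals from ps stays in every round."""
    result = None
    for proc, ps in samples:
        hidden = hidden_from_ps(proc, ps)
        result = hidden if result is None else result & hidden
    return result if result is not None else set()

def check_live(rounds: int = 3, pause: float = 0.5) -> Set[int]:
    """Take several /proc-vs-ps snapshots; report only persistent differences."""
    samples: List[Sample] = []
    for _ in range(rounds):
        samples.append((proc_pids(), ps_pids()))
        time.sleep(pause)
    return persistently_hidden(samples)

# Constructed samples (not real data): PIDs 100 and 101 exited between the
# /proc and ps listings; PID 4242 is missing from ps in every round.
SAMPLES: List[Sample] = [
    ({1, 2, 100, 4242}, {1, 2}),
    ({1, 2, 101, 4242}, {1, 2, 101}),
    ({1, 2, 4242}, {1, 2}),
]
# hidden_from_ps(*SAMPLES[0]) -> {100, 4242}; persistently_hidden(SAMPLES) -> {4242}
```

A PID that survives `check_live()` still deserves a look with a second, independent tool; a PID that only appears in a single shot is the race the Debian threads above describe.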

