Security Basics mailing list archives

RE: Bug in chkrootkit ?


From: "Todd Mitchell - lists" <lists () ciphin com>
Date: Wed, 30 Jul 2003 12:03:09 -0400

| Hi there,
| 
| I am relatively new to security and to this list. My name is
| Michael Weber, I'm a network admin from Germany, and I hope you can
| help me solve this riddle:
| 
| When starting "chkrootkit" (v 0.38) I get the message:
| 
| "You have 4 process hidden for ps command" and the hint about a
| probably installed "LKM Rootkit". So far, so good. "chkproc" with the
| verbose option enabled (-v) says:
| 
| [mw@zeus chkrootkit-0.38]# ./chkproc -v
| PID 26194: not in ps output
| PID 26195: not in ps output
| PID 26196: not in ps output
| PID 26197: not in ps output
| You have 4 process hidden for ps command
| 
| That's fine, now we know the PIDs and can ask...
| 
| [mw@zeus chkrootkit-0.38]# ps p 26194
| PID TTY      STAT   TIME COMMAND
| 26194 ?        S      0:00 named -u named
| 

Are you running Red Hat?

Todd

--


| Seems to be the name daemon, that's okay - a little nameserver for the
| local net (and only reachable by the local IP) is running. The 3 others
| deliver the same output. Looks like a bug in "chkrootkit", but - how
| sure can I be that this is really a bug and not a clever LKM? I guess
| that a rootkit will not be named "youhavebeencracked"...
| 
| Sorry for my English, feel free to correct it if necessary.
| 
| regards,
| Michael Weber
| 



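The comparison behind chkproc's verbose output (PIDs present under /proc but absent from ps) can be reproduced and taken one step further by hand. The script below is an added example, not chkrootkit's code: it lists the PIDs found under a /proc tree, reports those missing from a supplied list of ps PIDs, and for each candidate reads the Tgid field from /proc/PID/status to tell a thread of a visible process (Tgid differs from the PID) from a PID that is genuinely unaccounted for. The function names, the fake /proc tree built for the demo, and the "ps" PID list are all constructed for this example; nothing here is part of the original post.

```shell
#!/bin/sh
# Added example (not chkrootkit's own code): reproduce the /proc-versus-ps
# comparison and classify each mismatch before calling it a hidden process.

# list_proc_pids ROOT: numeric entries under ROOT (normally /proc), sorted.
list_proc_pids() {
    for d in "$1"/[0-9]*; do
        [ -d "$d" ] || continue
        basename "$d"
    done | sort -n
}

# pids_not_in_ps ROOT PS_PIDS: PIDs under ROOT that are absent from PS_PIDS,
# a whitespace-separated list such as "$(ps -e -o pid=)".
pids_not_in_ps() {
    proc_root=$1
    ps_list=" $(printf '%s ' $2)"
    for p in $(list_proc_pids "$proc_root"); do
        case "$ps_list" in
            *" $p "*) ;;            # accounted for by ps
            *) echo "$p" ;;         # candidate hidden PID
        esac
    done
}

# classify_pid ROOT PID: prints one of
#   exited       - no readable status file (short-lived process, race)
#   thread:TGID  - PID is a thread whose group leader TGID is visible
#   hidden       - a real process that ps did not show
classify_pid() {
    status_file="$1/$2/status"
    if [ ! -r "$status_file" ]; then
        echo "exited"
        return
    fi
    tgid=$(awk '/^Tgid:/ {print $2}' "$status_file")
    if [ -n "$tgid" ] && [ "$tgid" != "$2" ]; then
        echo "thread:$tgid"
    else
        echo "hidden"
    fi
}

# Demo on a constructed /proc tree (assumption: three "named" threads with
# leader 100, a normal sshd at 200, and a process 300 that ps does not list).
demo() {
    fake_proc=$(mktemp -d)
    for p in 100 101 102; do
        mkdir -p "$fake_proc/$p"
        printf 'Name:\tnamed\nTgid:\t100\nPid:\t%s\n' "$p" > "$fake_proc/$p/status"
    done
    mkdir -p "$fake_proc/200" "$fake_proc/300"
    printf 'Name:\tsshd\nTgid:\t200\nPid:\t200\n' > "$fake_proc/200/status"
    printf 'Name:\tx\nTgid:\t300\nPid:\t300\n'    > "$fake_proc/300/status"
    # Constructed ps output: thread group leaders only.
    fake_ps="100 200"
    for p in $(pids_not_in_ps "$fake_proc" "$fake_ps"); do
        echo "PID $p: not in ps output -> $(classify_pid "$fake_proc" "$p")"
    done
    rm -rf "$fake_proc"
}

demo
```

On a live box, run `pids_not_in_ps /proc "$(ps -e -o pid=)"` and feed each result to `classify_pid /proc PID`; `ps -eL` lists threads as well, which gives a second view of the same PIDs. A `thread:` result explains the mismatch benignly; a `hidden` result only says that this kernel's /proc and ps disagree, and since an LKM rootkit can filter both, it still needs confirmation from outside the running kernel (for example, from a boot off known-clean media) before the box is declared clean.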