From: Dave S
To: Gentoo list
Subject: [gentoo-user] chkrootkit LKM trojan ?
Date: Sun, 16 Jul 2006 19:25:22 +0100
User-Agent: KMail/1.9.1
List-Id: Gentoo Linux mail
Reply-to: gentoo-user@lists.gentoo.org
Message-Id: <200607161925.22893.gentoo@pusspaws.net>

Hi,

I have a potential security problem ... and err, it's not on Gentoo, it's on Ubuntu, but I am not getting any response there & you guys are the most tech bunch I know - thought I would lay it on the table :)

I just had an email from chkrootkit last night -

---
The following suspicious files and directories were found:
You have 3 process hidden for readdir command
You have 3 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
---

Running chkrootkit now and all is OK

root@dave-comp:~# chkrootkit | grep chkproc
Checking `lkm'...
chkproc: nothing detected
root@dave-comp:~#

I have even 'sudo install --reinstall chkrootkit' in case its binaries have been modified (paranoid).

Running rkhunter shows no problems.

I am at a bit of a loss and would value some advice / opinions. I can see two possibilities:

(a) I have a trojan - seems unlikely, I am behind a Netgear router firewall NAT with no incoming ports open. Running nothing more than samba, ssh and unison on the local network, though I have to admit I have not hardened my system.

(b) It's a false alarm - it is called by /etc/cron.daily so a lot of different scripts are called at the same time - though I have no idea what could have caused it.

Any help / advice gratefully received

Dave
-- 
gentoo-user@gentoo.org mailing list
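The warning quoted in the mail comes from chkrootkit's chkproc, which takes the set of PIDs it can see by reading the /proc directory and the set ps reports, and treats any PID present in one but not the other as "hidden". Because the two listings are taken at different instants, a process that starts or exits in between (exactly what happens when cron.daily launches a batch of scripts alongside chkrootkit) shows up as "hidden" once and is gone on the next run. The script below is an added example written for this thread, not chkrootkit's own code: it reproduces the readdir-versus-ps comparison and then repeats it over several snapshots, keeping only PIDs that are hidden every time. A PID that survives that filter is worth looking at; one that appears in a single pass and vanishes is the transient false alarm described under (b). All function names are mine; the real chkproc additionally probes PID numbers directly with system calls, which this example does not attempt.

```python
"""
Added example (not chkrootkit's code): a chkproc-style hidden-PID check,
re-run over several snapshots so that processes which merely started or
exited between the /proc listing and the ps call are not reported as
"hidden".  Function names are the author's own.
"""
import os
import subprocess
import time


def read_proc_pids():
    """PIDs visible by listing /proc (the "readdir" view chkproc uses)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def read_ps_pids():
    """PIDs visible to ps (the "ps" view).  'pid=' suppresses the header line."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def compare(readdir_pids, ps_pids):
    """Return (hidden_for_ps, hidden_for_readdir), the two counts chkproc prints:
    PIDs seen in /proc but not by ps, and PIDs seen by ps but not in /proc."""
    return readdir_pids - ps_pids, ps_pids - readdir_pids


def persistent_hidden(snapshots):
    """Keep only PIDs that are hidden in *every* (readdir, ps) snapshot.

    A PID reported in one snapshot and absent from the next was a short-lived
    process (a cron.daily script, the ps command itself), not something an LKM
    rootkit is concealing.  An empty snapshot list yields two empty sets.
    """
    hidden_for_ps = None
    hidden_for_readdir = None
    for readdir_pids, ps_pids in snapshots:
        for_ps, for_readdir = compare(readdir_pids, ps_pids)
        hidden_for_ps = for_ps if hidden_for_ps is None else hidden_for_ps & for_ps
        hidden_for_readdir = (for_readdir if hidden_for_readdir is None
                              else hidden_for_readdir & for_readdir)
    return (hidden_for_ps or set(), hidden_for_readdir or set())


def take_snapshots(count=5, pause=0.5):
    """Collect `count` (readdir, ps) pairs from the live system, `pause` s apart."""
    snaps = []
    for _ in range(count):
        snaps.append((read_proc_pids(), read_ps_pids()))
        time.sleep(pause)
    return snaps


def describe(pid):
    """Best-effort command name for a PID that is still alive, else None."""
    try:
        with open(f"/proc/{pid}/comm") as f:
            return f.read().strip()
    except OSError:
        return None


if __name__ == "__main__":
    # One-shot comparison, as chkproc effectively does during cron.daily.
    single = compare(read_proc_pids(), read_ps_pids())
    print("single pass  hidden for ps / readdir:", sorted(single[0]), sorted(single[1]))
    # Repeated comparison: transient PIDs drop out of the intersection.
    stable = persistent_hidden(take_snapshots())
    print("persistent   hidden for ps / readdir:", sorted(stable[0]), sorted(stable[1]))
    for pid in sorted(stable[0]):
        print(f"  pid {pid}: in /proc but never seen by ps, comm={describe(pid)!r}")
```

Run it as root on the machine that raised the alarm, ideally at the same time cron.daily fires, and compare the "single pass" line (which will often be non-empty on a busy box) with the "persistent" line (which should be empty on a clean system). The constructed snapshots used in the accompanying test model a PID that is present in /proc across every snapshot yet never reported by ps, alongside several one-off transients.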