From: Dave S
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] chkrootkit LKM trojan ?
Date: Sun, 16 Jul 2006 20:54:18 +0100
Message-Id: <200607162054.18404.gentoo@pusspaws.net>
In-Reply-To: <200607162054.22874.volker.armin.hemmann@tu-clausthal.de>
References: <200607161925.22893.gentoo@pusspaws.net> <200607162054.22874.volker.armin.hemmann@tu-clausthal.de>

On Sunday 16 July 2006 19:54, Hemmann, Volker Armin wrote:
> On Sunday 16 July 2006 20:25, Dave S wrote:
> > Hi, I have a potential security problem ...
> >
> > and err it's not on Gentoo, it's on Ubuntu but I am not getting any
> > response there & you guys are the most tech bunch I know - Thought I
> > would lay it on the table :)
> >
> > I just had an email from chkrootkit last night -
> >
> > ---
> >
> > The following suspicious files and directories were found:
> >
> > You have 3 process hidden for readdir command
> > You have 3 process hidden for ps command
> > chkproc: Warning: Possible LKM Trojan installed
> >
> > ---
> >
> > Running chkrootkit now and all is OK
> >
> > root@dave-comp:~#
> > root@dave-comp:~# chkrootkit | grep chkproc
> > Checking `lkm'... chkproc: nothing detected
> > root@dave-comp:~#
> >
> > I have even 'sudo install --reinstall chkrootkit' in case its binaries
> > have been modified (paranoid)
>
> if you installed using the tools of the system, it could be worthless,
> because compromised. Boot from a cd and check from the cd.

I understand. Booted from Knoppix 5.0.1, executed a 'chroot /mnt/hda1
chkrootkit' and a 'chroot /mnt/hda1 rkhunter -c' - both scans brought back
nothing.

From what I have read the chkrootkit & rkhunter binaries would have been
from the CD and therefore untainted? Am I correct?

Are there any other checks I can do - re-installing the system is not my
preferred option :)

Dave
--
gentoo-user@gentoo.org mailing list
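An added example, not part of the message above or of the chkrootkit project, showing what the chkproc check behind "process hidden for readdir/ps command" actually does and why a cron run can warn while a re-run is clean. chkproc compares three views of the PID space: the numeric entries of /proc, the output of ps, and a brute-force probe of every PID with syscalls such as kill(pid, 0). A PID that answers the probe but is missing from a listing is reported as hidden. Two benign things produce exactly that pattern: a short-lived process that starts or exits between one enumeration and the next (common under a nightly cron scan on a busy box), and thread IDs, which answer kill() but are never top-level /proc entries. The script re-implements the cross-check in Python and removes both cases by excluding TIDs and re-checking candidates in a second pass; the function names (pids_from_readdir, hidden_pids, scan, ...) are this example's own, and `ps -eo pid --no-headers` assumes procps on Linux.

Two caveats on the live-CD procedure, about the tools rather than about this particular machine: `chroot /mnt/hda1 chkrootkit` resolves and executes the chkrootkit, ps, ls and strings that live on the suspect disk, against the suspect disk's libc, so the CD's binaries are not the ones doing the checking; running the CD's own `chkrootkit -r /mnt/hda1` (chkrootkit's option to treat another directory as the root) is what uses untainted binaries to inspect the disk. And under the Knoppix kernel none of the installed system's kernel modules are loaded, so a hidden-process test run there can say nothing about an LKM that only takes effect when the installed system boots; what an offline scan can establish is the state of the files on disk.

```python
# Added example (not from the thread or the chkrootkit project): a Python
# re-implementation of the idea behind chkrootkit's chkproc hidden-process
# check, with the two common benign causes of "hidden" PIDs filtered out.
# All function names here are this example's own.
import os
import subprocess
import time


def pids_from_readdir(proc="/proc"):
    """PIDs as seen by listing /proc: the view a readdir-hooking LKM filters."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pids_from_ps():
    """PIDs as reported by ps (procps syntax); a trojaned ps could omit some."""
    out = subprocess.run(["ps", "-eo", "pid", "--no-headers"],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def pid_answers(pid):
    """kill(pid, 0) delivers no signal but tells whether the kernel knows the
    PID.  EPERM (another user's process) still means it exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def pids_from_probe(max_pid):
    """Brute-force the PID space: what the kernel admits to, listings aside."""
    return {pid for pid in range(1, max_pid + 1) if pid_answers(pid)}


def thread_ids(proc="/proc"):
    """TIDs of all listed processes.  Non-leader threads answer kill() but are
    not top-level /proc entries, a classic chkproc false positive."""
    tids = set()
    for pid in pids_from_readdir(proc):
        try:
            tids.update(int(t) for t in os.listdir(f"{proc}/{pid}/task")
                        if t.isdigit())
        except OSError:          # process exited while we were looking
            pass
    return tids


def hidden_pids(readdir_pids, ps_pids, probe_pids, tids):
    """Pure cross-check (no syscalls) so it can be tested on constructed sets.

    Suspicious: answers the probe but missing from /proc or from ps, or listed
    in /proc but missing from ps.  Thread IDs that are not top-level /proc
    entries are threads of a listed process, not hidden processes."""
    suspicious = ((probe_pids - readdir_pids)
                  | (probe_pids - ps_pids)
                  | (readdir_pids - ps_pids))
    return suspicious - (tids - readdir_pids)


def scan(proc="/proc", settle=0.5):
    """Live check as a cron job would run it, then a second pass over the
    candidates only: a process that started or exited around the first
    enumerations is now listed or gone, a hidden one still answers the
    kernel yet stays off the listings."""
    with open(f"{proc}/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    first = hidden_pids(pids_from_readdir(proc), pids_from_ps(),
                        pids_from_probe(max_pid), thread_ids(proc))
    if not first:
        return set()
    time.sleep(settle)           # let short-lived processes finish
    still_answering = {pid for pid in first if pid_answers(pid)}
    second = hidden_pids(pids_from_readdir(proc), pids_from_ps(),
                         still_answering, thread_ids(proc))
    return first & second


if __name__ == "__main__":
    hidden = scan()
    if hidden:
        print(f"chkproc-style warning: {len(hidden)} PID(s) answer the kernel "
              f"but are not listed: {sorted(hidden)}")
    else:
        print("chkproc-style check: nothing detected")
```

Run it as root on a live system to probe the whole PID range; the second pass is what separates a real discrepancy from the transient ones a single cron run reports. A PID that survives both passes is worth looking at from a clean kernel, not with the suspect system's own ps.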