From: Dave S
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] chkrootkit LKM trojan ?
Date: Sun, 16 Jul 2006 21:49:56 +0100
In-Reply-To: <200607162236.07160.volker.armin.hemmann@tu-clausthal.de>
Message-Id: <200607162149.56402.gentoo@pusspaws.net>

On Sunday 16 July 2006 21:36, Hemmann, Volker Armin wrote:
> oh, and read this:
> http://www.chkrootkit.org/faq/

Interesting ...

  How accurate is chkproc?

  If you run chkproc on a server that runs lots of short-lived processes it
  could report some false positives. chkproc compares the ps output with the
  /proc contents. If processes are created/killed during this operation,
  chkproc could point out these PIDs as suspicious.

"no, if you chroot, the binaries from the chroot are used. use chkrootkit
without chrooting - best with full path (/usr/sbin/chkrootkit)"

The problem is, if I do not chroot, chkrootkit will scan the Knoppix CD -
tried it :). It needs to access the live proc etc. on a running system.

Dave
-- 
gentoo-user@gentoo.org mailing list
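As an added illustration (not part of this thread and not chkrootkit's own code), here is a small POSIX shell script that performs the comparison the FAQ excerpt describes, the PIDs visible to ps against the numeric entries in /proc, and then re-checks each candidate so that PIDs belonging to processes that were created or exited mid-scan are dropped rather than reported. The function names, the `--scan` flag and the optional proc-directory argument (which exists so the logic can be exercised against a constructed directory) are this example's own assumptions.

```shell
#!/bin/sh
# Added example: the ps-versus-/proc comparison that chkproc performs, with a
# second pass that filters the short-lived-process false positives the FAQ
# mentions. Not chkrootkit code; function names are hypothetical.

# pids_from_proc DIR: numeric directory names under DIR (default /proc),
# one per line, numerically sorted. Every live process has such an entry.
pids_from_proc() {
    procdir="${1:-/proc}"
    for d in "$procdir"/[0-9]*; do
        [ -d "$d" ] || continue          # skip a literal glob when nothing matches
        echo "${d##*/}"
    done | sort -n
}

# pids_from_ps: PIDs that the ps utility is willing to show, sorted.
# A hidden process is one that has a /proc entry but never appears here.
pids_from_ps() {
    ps -e -o pid= | tr -d ' ' | sort -n
}

# hidden_pids PROC_LIST PS_LIST: PIDs present in the first newline-separated
# list but absent from the second. Pure text processing, no system access.
hidden_pids() {
    {
        printf '%s\n' "$2" | sed 's/^/ps /'
        printf '%s\n' "$1" | sed 's/^/proc /'
    } | awk '$1 == "ps"   { seen[$2] = 1; next }
             $1 == "proc" && $2 != "" && !($2 in seen) { print $2 }'
}

# confirm_hidden DIR CANDIDATES PS_NOW: re-check each candidate PID against a
# fresh ps listing. A PID whose /proc entry has vanished was a transient
# process (the race the FAQ describes); a PID that ps now shows was caught
# between fork and the ps snapshot. Only PIDs still in /proc and still
# missing from ps are printed.
confirm_hidden() {
    procdir="$1"
    candidates="$2"
    ps_now="$3"
    for pid in $candidates; do
        [ -d "$procdir/$pid" ] || continue
        if printf '%s\n' "$ps_now" | grep -qx "$pid"; then
            continue
        fi
        echo "$pid"
    done
}

# scan [DIR]: full run - snapshot, compare, then re-check survivors.
scan() {
    procdir="${1:-/proc}"
    proc_pids="$(pids_from_proc "$procdir")"
    ps_pids="$(pids_from_ps)"
    candidates="$(hidden_pids "$proc_pids" "$ps_pids")"
    confirm_hidden "$procdir" "$candidates" "$(pids_from_ps)"
}

if [ "${1:-}" = "--scan" ]; then
    scan "${2:-/proc}"
fi
```

Run it as `sh hidden-pids.sh --scan` on the live system; as Dave notes in the thread, the check is only meaningful against the running system's /proc, so it says nothing when executed from a rescue CD against a mounted root filesystem. A PID that survives the second pass is a candidate for a closer look at `/proc/<pid>/status` and `/proc/<pid>/exe`, not proof of a rootkit on its own.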