I just ran chkrootkit like this and I don't get the warning regarding the lkm trojan. I am in fact running named though and doing ps -A shows only the single process. Doing ps -A -m shows the additional threads so this does seem to be what chkrootkit is griping about.

Have you used /usr/sbin/lsof -i to see if you have any strange listening ports? Have you run ps -A -m to list all threads? Have you used weak passwords on your system? You might also want to look up information specifically on lkm and see if you can track down anything suspicious.

It might also be a really good idea to use some type of firewalling software like lokkit or firestarter etc. as prevention in the future.

Just some thoughts. Hope this helps.

Jason
x2452

----- Original Message -----
From: "M A Young" <m.a.young@durham.ac.uk>
To: <psyche-list@redhat.com>
Sent: Tuesday, October 08, 2002 2:38 PM
Subject: Re: LKM Trojan? and some other question

> On Tue, 8 Oct 2002, Hesty P wrote:
>
> > After installing RH 8.0, I ran chkrootkit and it
> > reports that some LKM trojan might exist. Running:
> > ./chkrootkit -x lkm
> > reveals that there are 6 processes hidden from ps. Is
> > this any cause for concern? I did run ethereal and
> > cannot see anything out of ordinary.
>
> Unless you have some really efficient hackers, it is more likely to be the
> change to ps which no longer shows multiple threads. There is only one
> security advisory for 8.0 (fetchmail), and I doubt hackers have time to
> exploit it yet.
>
> Michael Young
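Added example, not part of the original thread and not chkrootkit's own code: one way to check whether PIDs reported as hidden are simply threads of a process that ps does list, which is the explanation both replies above arrive at. It assumes the kernel exposes a `Tgid:` field in `/proc/<pid>/status`; the function names and the sample PIDs are constructed for illustration.

```shell
#!/bin/sh
# in_ps PID FILE: true if PID appears in FILE (one PID per line, e.g. from `ps -A -o pid=`).
in_ps() {
    awk -v p="$1" '$1 == p { found = 1 } END { exit !found }' "$2"
}

# classify_pids PROC_ROOT PS_PID_FILE PID...
# Prints "<pid> <verdict>" for each PID:
#   listed            ps already shows it
#   thread-of:<tgid>  a thread whose thread-group leader ps does show
#   gone              no status file (exited between the scan and this check)
#   unexplained       none of the above; needs a closer look
classify_pids() {
    proc_root=$1; ps_pids=$2; shift 2
    for pid in "$@"; do
        status="$proc_root/$pid/status"
        if [ ! -r "$status" ]; then
            echo "$pid gone"
            continue
        fi
        tgid=$(awk '$1 == "Tgid:" { print $2 }' "$status")
        if in_ps "$pid" "$ps_pids"; then
            echo "$pid listed"
        elif [ -n "$tgid" ] && [ "$tgid" != "$pid" ] && in_ps "$tgid" "$ps_pids"; then
            echo "$pid thread-of:$tgid"
        else
            echo "$pid unexplained"
        fi
    done
}

# demo: constructed sample data (not from a real host). PID 812 stands in for
# named with threads 813 and 814; PID 4000 has no leader that ps shows.
demo() {
    root=$(mktemp -d)
    for entry in 812:812 813:812 814:812 4000:4000; do
        pid=${entry%%:*}; tgid=${entry##*:}
        mkdir "$root/$pid"
        printf 'Name:\tsample\nTgid:\t%s\nPid:\t%s\n' "$tgid" "$pid" > "$root/$pid/status"
    done
    printf '    1\n  812\n' > "$root/ps_pids"
    classify_pids "$root" "$root/ps_pids" 812 813 814 4000 4001
    rm -rf "$root"
}

demo
```

On a live system the same function would be called with `/proc`, a file holding the output of `ps -A -o pid=`, and the PIDs that the scan reported; anything that comes back `unexplained` is what deserves the follow-up checks.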