Hello.

I run FreeBSD 6.1-RELEASE-p7 on an UltraSparc 5 machine.

I ran chkrootkit yesterday and saw this:

Checking `lkm'... You have 94 process hidden for readdir command
chkproc: Warning: Possible LKM Trojan installed

Everything else was deemed clean by chkrootkit.

When I booted into single user mode and ran chkrootkit it said there were
"33 process hidden for readdir command"

The sha256 checksum is slightly different for the /usr/bin/su binary on the install
media compared to the /usr/bin/su on the running install.

I could find nothing definitive on this subject posted online so . . . .

-- 
Matt H.
Matthew Herzog wrote:
> I ran chkrootkit yesterday and saw this:
>
> Checking `lkm'... You have 94 process hidden for readdir command
> chkproc: Warning: Possible LKM Trojan installed

Does LKM stand for "Linux Kernel Module"? If so, no wonder the check has gone lala :)
On Sat, Dec 23, 2006 at 03:57:35PM -0500, Matthew Herzog wrote:
> I run FreeBSD 6.1-RELEASE-p7 on an UltraSparc 5 machine.
> I ran chkrootkit yesterday and saw this:
> Checking `lkm'... You have 94 process hidden for readdir command
> chkproc: Warning: Possible LKM Trojan installed

I thought this was related to the time difference in "ps" and the processing of the /proc directory.

Edwin

-- 
Edwin Groothuis   | Personal website: http://www.mavetju.org
edwin@mavetju.org | Weblog: http://weblog.barnet.com.au/edwin/
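The race Edwin describes can be checked directly: chkproc's readdir test compares one snapshot of /proc against one run of ps, so any process that starts or exits between the two reads is counted as "hidden". The script below is an added example (not chkrootkit's code and not from anyone in this thread); it repeats the comparison several times and reports only PIDs that are missing from ps in every sample, which is what a genuinely hidden process looks like, while short-lived PIDs drop out. It assumes procfs is mounted at /proc (on FreeBSD that is not the default) and that `ps -ax -o pid=` is available.

```python
"""Race-aware re-implementation of chkproc's "hidden for readdir" check."""
import os
import subprocess
import time


def pids_from_procfs(proc_root="/proc"):
    """PIDs visible as numeric directory entries under procfs (the readdir view)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps():
    """PIDs reported by ps(1); '-ax -o pid=' works with BSD and procps syntax."""
    out = subprocess.run(["ps", "-ax", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_in_sample(procfs_pids, ps_pids):
    """PIDs that readdir saw but ps did not: the single-shot verdict chkproc gives."""
    return set(procfs_pids) - set(ps_pids)


def persistently_hidden(samples):
    """Keep only PIDs that are hidden in EVERY (procfs, ps) sample.

    A PID that merely started or exited between the two reads of one sample
    is absent from the other samples' verdicts and is filtered out here.
    """
    verdicts = [hidden_in_sample(procfs, ps) for procfs, ps in samples]
    return set.intersection(*verdicts) if verdicts else set()


def take_samples(rounds=3, delay=0.5):
    """Collect (procfs, ps) PID-set pairs, pausing so short-lived PIDs churn."""
    samples = []
    for _ in range(rounds):
        samples.append((pids_from_procfs(), pids_from_ps()))
        time.sleep(delay)
    return samples


if __name__ == "__main__":
    collected = take_samples()
    for i, (procfs, ps) in enumerate(collected, 1):
        n = len(hidden_in_sample(procfs, ps))
        print(f"sample {i}: {n} process(es) hidden for readdir (single-shot verdict)")
    survivors = sorted(persistently_hidden(collected))
    print("hidden in every sample:", survivors if survivors else "none")
```

A PID that survives every sample still deserves a look with a tool that does not go through /proc at all (on FreeBSD, ps reads the kernel via sysctl/kvm), but a count that changes from run to run, as in the 94-versus-33 figures above, is the signature of the timing race rather than of a rootkit.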
On Sat, Dec 23, 2006 at 03:57:35PM -0500, Matthew Herzog wrote:
> Hello.
>
> I run FreeBSD 6.1-RELEASE-p7 on an UltraSparc 5 machine.
>
> I ran chkrootkit yesterday and saw this:
>
> Checking `lkm'... You have 94 process hidden for readdir command
> chkproc: Warning: Possible LKM Trojan installed
>
> Everything else was deemed clean by chkrootkit.
>
> When I booted into single user mode and ran chkrootkit it said there were
> "33 process hidden for readdir command"
>
> The sha256 checksum is slightly different for the /usr/bin/su binary
> on the install
> media compared to the /usr/bin/su on the running install.
>
> I could find nothing definitive on this subject posted online so . . . .

Most likely this is just another false positive with this inherently unreliable problem.

Kris