[olug] lkm problems
Dave Hull
dphull at insipid.com
Wed Oct 6 05:04:50 UTC 2004
Quoting Don Kauffman <dekauff at cox.net>:
> "Checking `lkm'... You have 17 process hidden for readdir command
> You have 17 process hidden for ps command
> Warning: Possible LKM Trojan installed "
I have no idea how chkrootkit works, but you can use a command line like this to
compare what ps shows to what is in /proc:
ls -d /proc/* | grep '[0-9]' | wc -l; ps ax | wc -l
This was taken from the O'Reilly Linux Hacks book. If the first number is higher
than the second number, then you've got processes in /proc that are not listed
by ps, but there can be reasons for that other than that you've been
hacked.
To investigate further, you might try something like this:
ps ax | awk 'NR > 1 {print $1}' | sort > ps.txt
ls -d /proc/* | grep '[0-9]' | awk -F/ '{print $3}' | sort > proc.txt
These two commands should be run back to back for best results. Key them both in
on the same command line separated by a semi-colon and hit enter. Next, compare
the two files using diff as follows:
diff --side-by-side proc.txt ps.txt
From this, you can quickly see what the differences are.
Good luck.
--
Dave Hull
http://insipid.com
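As an added example (not part of the original post), here is a POSIX sh script that performs the same /proc-versus-ps comparison the message describes, but re-checks each candidate PID so that the script's own short-lived processes are not reported; the function names are my own.

```shell
#!/bin/sh
# Added example: find PIDs that exist in /proc but are absent from ps output.
# Helper names (list_proc_pids, list_ps_pids, pids_only_in_first, hidden_from_ps)
# are this example's own, not from the original post.

# PIDs visible as numeric directories in /proc, one per line.
list_proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] || continue        # glob did not match anything
        printf '%s\n' "${d#/proc/}"
    done
}

# PIDs as reported by ps, with the header suppressed (pid= prints no header).
list_ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# Print every PID in the first list that does not appear in the second list.
# Both arguments are whitespace- or newline-separated PID lists.
pids_only_in_first() {
    for p in $1; do
        found=0
        for q in $2; do
            if [ "$p" = "$q" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$p"; fi
    done
}

# PIDs in /proc that ps cannot see. Each candidate is re-checked, because
# processes spawned by this very script (subshells, ps, tr) exist briefly and
# would otherwise show up as false positives in whichever snapshot ran later.
hidden_from_ps() {
    ps_pids=$(list_ps_pids)
    proc_pids=$(list_proc_pids)
    for p in $(pids_only_in_first "$proc_pids" "$ps_pids"); do
        # Still present in /proc, yet a fresh ps still does not report it:
        # that is the discrepancy the /proc-vs-ps check is looking for.
        if [ -d "/proc/$p" ] && [ -z "$(ps -p "$p" -o pid=)" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# Usage: run the check and report; an empty result means ps and /proc agree.
hidden="$(hidden_from_ps)"
if [ -n "$hidden" ]; then
    printf 'PIDs in /proc not reported by ps:\n%s\n' "$hidden"
else
    printf 'No PIDs hidden from ps.\n'
fi
```

A PID that exits between the two snapshots is dropped by the `-d /proc/$p` re-check, so only a persistent mismatch is printed.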