Re: chkrootkit detects hidden processes in mozilla-firefox and xmms
On Tue, Mar 02, 2004 at 01:37:32PM -0500, Rick Luddy wrote:
> I'm not entirely sure whether this is normal behavior, a symptom of possible
> badness, or simple user error. I'm a bit worried it might mean my system
> has been compromised. Any help or explanation would be greatly appreciated.
>
>
> When I run chkrootkit (0.43-1), I get nothing unusual other than the
> lines:
>
> Checking `lkm'... You have 4 process hidden for readdir command
> You have 4 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> When I investigate further by running chkproc -v -v I get:
>
> PID 4118: not in readdir output
> PID 4118: not in ps output
> CWD 4118: /home/rick
> EXE 4118: /usr/lib/mozilla-firefox/firefox-bin
> PID 4120: not in readdir output
> PID 4120: not in ps output
> CWD 4120: /home/rick
> EXE 4120: /usr/lib/mozilla-firefox/firefox-bin
> PID 4128: not in readdir output
> PID 4128: not in ps output
> CWD 4128: /home/rick
> EXE 4128: /usr/bin/xmms
> PID 4129: not in readdir output
> PID 4129: not in ps output
> CWD 4129: /home/rick
> EXE 4129: /usr/bin/xmms
> You have 4 process hidden for readdir command
> You have 4 process hidden for ps command
>
> I'm using xmms 1.2.10-1, mozilla-firefox 0.8-3, and chkrootkit 0.43-1,
> all gotten from ftp.us.debian.org through apt-get. If I exit firefox and
> xmms, chkrootkit doesn't have a problem any longer, so I don't think it's
> another program pretending to have a false name.
You might be interested in http://bugs.debian.org/222179. I wonder if
there is a process with a pid of {4125,4126,4127} that has tasks with a
pid of 4128 and 4129.
--
"If you have an apple and I have an apple and we exchange apples then
you and I will still each have one apple. But if you have an idea and I
have an idea and we exchange these ideas, then each of us will have two
ideas." -- George Bernard Shaw (sent by shaulk @ actcom . net . il)
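The hypothesis above (the "hidden" PIDs are threads of a visible process, not a rootkit) can be checked directly. The script below is an added example written for this thread, not code from chkrootkit or from either poster. It does what chkproc does (compare the PIDs that readdir of /proc returns against PIDs that answer to a direct lookup) and then, for each PID found only by direct lookup, reads Tgid from /proc/<pid>/status: an NPTL thread reports the Tgid of its thread-group leader, and on a 2.6 kernel /proc/<tid> can be opened directly but is not listed by readdir, which is exactly the pattern chkproc flags. The embedded sample data is constructed: the leader PIDs 4117 and 4125 and the extra PIDs 5000 and 6000 are assumptions chosen to exercise each branch, and the live scan under the main guard only runs on a Linux host.

```python
#!/usr/bin/env python3
"""Triage a chkproc-style "process hidden for readdir" report.

Classifies each PID that exists but is absent from readdir(/proc) as
  thread-of   : Tgid points at a listed process (NPTL thread, benign)
  gone        : /proc/<pid> vanished between scan and check (race)
  unexplained : a real process missing from readdir, worth investigating
"""
import os


def read_tgid(pid):
    """Return the Tgid field from /proc/<pid>/status, or None if the PID is gone."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (FileNotFoundError, ProcessLookupError, PermissionError):
        return None
    return None


def listed_pids(proc="/proc"):
    """PIDs that readdir(/proc) exposes (what ps and chkproc's readdir pass see)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probe_unlisted(listed, pid_max):
    """chkproc-style brute force: PIDs reachable by direct lookup but not listed."""
    return [pid for pid in range(1, pid_max + 1)
            if pid not in listed and os.path.exists(f"/proc/{pid}")]


def classify(hidden, listed, tgid_of):
    """Map each hidden PID to (verdict, tgid) using the given Tgid lookup."""
    report = {}
    for pid in hidden:
        tgid = tgid_of(pid)
        if tgid is None:
            report[pid] = ("gone", None)          # short-lived; rescan to confirm
        elif tgid != pid and tgid in listed:
            report[pid] = ("thread-of", tgid)     # thread of a visible process
        else:
            report[pid] = ("unexplained", tgid)   # genuinely missing from readdir
    return report


# Constructed sample mirroring the thread: 4118/4120 as firefox-bin threads of an
# assumed leader 4117, 4128/4129 as xmms threads of an assumed leader 4125,
# plus 5000 (own thread group, unlisted) and 6000 (already exited).
SAMPLE_LISTED = {1, 4117, 4125}
SAMPLE_TGID = {4117: 4117, 4118: 4117, 4120: 4117,
               4125: 4125, 4128: 4125, 4129: 4125, 5000: 5000}
SAMPLE_HIDDEN = [4118, 4120, 4128, 4129, 5000, 6000]


def sample_report():
    """Run the classifier over the constructed sample."""
    return classify(SAMPLE_HIDDEN, SAMPLE_LISTED, SAMPLE_TGID.get)


def live_report():
    """Scan the running host; pid_max bounds the brute-force range."""
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    listed = listed_pids()
    hidden = probe_unlisted(listed, pid_max)
    return classify(hidden, listed, read_tgid)


if __name__ == "__main__":
    for pid, (verdict, tgid) in sorted(live_report().items()):
        extra = f" (leader {tgid})" if tgid is not None else ""
        print(f"PID {pid}: {verdict}{extra}")
```

Only the "unexplained" lines merit the "Possible LKM Trojan" concern; a host where every flagged PID resolves to "thread-of" a listed leader is showing the NPTL behaviour, not a hidden process.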