Date:  Mon, 04 Dec 2006 22:32:01 -0500
From:  Brian Rahill <brian (at mark) rainstormconsulting.com>
Subject:  [coba-e:08084] Re: Steps to Take
To:  coba-e (at mark) bluequartz.org
Message-Id:  <4574E831.6050808 (at mark) rainstormconsulting.com>
In-Reply-To:  <C196FA02.FCE6%webmaster (at mark) muntada.com>
References:  <C196FA02.FCE6%webmaster (at mark) muntada.com>
X-Mail-Count: 08084


Abdul-Rashid Abdullah wrote:
> Aloha,
> 
> I had the following output from my rootkit check.  What should be the most
> appropriate steps to take to tackle this?
> 
> Checking `lkm'... You have     1 process hidden for readdir command
> You have     1 process hidden for ps command
> Warning: Possible LKM Trojan installed

This is the most common false positive from chkrootkit in my experience. Run 
chkrootkit a few more times when the box isn't busy and see if it goes away. If 
it does, you've got nothing to worry about.

Brian
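
The rerun suggested above, as an added shell example that is not part of the original message or of chkrootkit itself: it runs only the `lkm` test several times with a pause between runs and reports whether the warning appears on every run, on some, or on none. It assumes chkrootkit is on PATH (or named in the hypothetical CHKROOTKIT variable) and is run as root; the function names, the `--run` switch and the run/pause defaults are illustrative.

```shell
#!/bin/sh
# Added example: repeat chkrootkit's lkm test and see if the warning persists.
# Assumption: "chkrootkit lkm" runs just that test; CHKROOTKIT overrides the path.

# Return 0 if the chkrootkit output in $1 carries the warning lines quoted in
# the message ("... process hidden for readdir/ps command", "Possible LKM Trojan").
has_lkm_warning() {
    printf '%s\n' "$1" |
        grep -Eq 'hidden for (readdir|ps) command|Possible LKM Trojan'
}

# verdict <hits> <runs>: summarise how often the warning showed up.
verdict() {
    if [ "$1" -eq 0 ]; then
        echo clean          # never seen
    elif [ "$1" -lt "$2" ]; then
        echo intermittent   # went away on at least one rerun
    else
        echo persistent     # present on every run
    fi
}

# recheck_lkm [runs] [pause_seconds]: per-run status goes to stderr,
# the one-word verdict goes to stdout.
recheck_lkm() {
    runs=${1:-5}; pause=${2:-60}; hits=0; i=1
    while [ "$i" -le "$runs" ]; do
        # chkrootkit's exit status is ignored; only its output is inspected.
        out=$("${CHKROOTKIT:-chkrootkit}" lkm 2>&1) || true
        if has_lkm_warning "$out"; then
            hits=$((hits + 1))
            printf 'run %s: warning present\n' "$i" >&2
        else
            printf 'run %s: no warning\n' "$i" >&2
        fi
        if [ "$i" -lt "$runs" ]; then sleep "$pause"; fi
        i=$((i + 1))
    done
    verdict "$hits" "$runs"
}

# Only start the checks when asked, e.g.: sh recheck.sh --run 5 60
if [ "${1:-}" = "--run" ]; then
    shift
    recheck_lkm "$@"
fi
```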