Another call for help regarding chkrootkit
Hello!
I have got a problem with chkrootkit, too (referring to
http://lists.debian.org/debian-security/2003/debian-security-200310/msg00204.html):
ai1:# chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v
###
PID 3: not in ps output
CWD 3: /
EXE 3: /
PID 4: not in ps output
CWD 4: /
EXE 4: /
PID 5: not in ps output
CWD 5: /
EXE 5: /
PID 6: not in ps output
CWD 6: /
EXE 6: /
You have 4 process hidden for ps command
A reboot does not solve the problem.
I use an actual sid with kernel 2.4.22 from package
kernel-source-2.4.22-3. Before PID 3 are starting
PID 1 init (of course)
and
PID 2 keventd
Does this look like a rootkit and what is to do?
Thanks!
- Matthias
P.S.: /proc/X/status have following contents:
Name: ksoftirqd_CPU0
State: S (sleeping)
Tgid: 0
Pid: 3
PPid: 1
TracerPid: 0
Uid: 0 0 0 0
Gid: 0 0 0 0
FDSize: 32
Groups:
SigPnd: 0000000000000000
SigBlk: ffffffffffffffff
SigIgn: 0000000000000000
SigCgt: 0000000000000000
CapInh: 0000000000000000
CapPrm: 00000000ffffffff
CapEff: 00000000fffffeff
Name: kswapd
State: S (sleeping)
Tgid: 0
Pid: 4
PPid: 1
TracerPid: 0
Uid: 0 0 0 0
Gid: 0 0 0 0
FDSize: 32
Groups:
SigPnd: 0000000000000000
SigBlk: ffffffffffffffff
SigIgn: 0000000000000000
SigCgt: 0000000000000000
CapInh: 0000000000000000
CapPrm: 00000000ffffffff
CapEff: 00000000fffffeff
Name: bdflush
State: S (sleeping)
Tgid: 0
Pid: 5
PPid: 1
TracerPid: 0
Uid: 0 0 0 0
Gid: 0 0 0 0
FDSize: 32
Groups:
SigPnd: 0000000000000000
SigBlk: ffffffffffffffff
SigIgn: 0000000000000000
SigCgt: 0000000000000000
CapInh: 0000000000000000
CapPrm: 00000000ffffffff
CapEff: 00000000fffffeff
Name: kupdated
State: S (sleeping)
Tgid: 0
Pid: 6
PPid: 1
TracerPid: 0
Uid: 0 0 0 0
Gid: 0 0 0 0
FDSize: 32
Groups:
SigPnd: 0000000000000000
SigBlk: fffffffffff9ffff
SigIgn: 0000000000000000
SigCgt: 0000000000000000
CapInh: 0000000000000000
CapPrm: 00000000ffffffff
CapEff: 00000000fffffeff