Lkm?

hello

that's the second time this week i see a message like that while running chkrootkit:

You have 4 process hidden for readdir command
You have 4 process hidden for ps command
Warning: Possible LKM Trojan installed

I run it manually many times (downloaded the file from chkrootkit site, untar and run) and didn't get the message again

I checked procps rpm for modified files (like 'ps') and didn't find anything

root@server01 [~]# rpm -V procps
root@server01 [~]#
the only suspicious things tripwire shows are:
1) 'su' modified (but i don't know when it was, since i don't reset tripwire many times)
2) some plugins in /usr/lib/ethereal/plugins modified

for 'su', I see:
root@server01 [~]# rpm -V coreutils
.M....G. /bin/su
just mode and group modified (because i don't want it to be run by any user)

what I found suspicious is the ethereal...

it shows it was installed by RHEL rpm:
root@server01 [~]# rpm -qa | grep ethereal
ethereal-0.10.3-0.30E.2
root@server01 [/usr/lib/ethereal]# rpm -V ethereal
root@server01 [/usr/lib/ethereal]#
but why was it installed? maybe tcpdump uses it? is it default?

thanks
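The check behind the warning quoted above, as an added example (not code from the post or from chkrootkit): it compares the PIDs seen by listing /proc, by ps, and by probing the kernel directly, and skips thread IDs, which older chkproc versions reported as hidden processes. Function names are hypothetical; it assumes a Linux /proc and a procps-style ps.

```python
#!/usr/bin/env python3
"""Three-way PID comparison behind chkrootkit's "process hidden for readdir/ps
command" warning. Not chkrootkit's code; names are hypothetical; needs Linux."""
import os
import subprocess

def pids_from_readdir():
    """PIDs that a directory listing of /proc reveals."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def pids_from_ps():
    """PIDs that the ps tool reports (procps-style ps assumed)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def is_thread(pid):
    """True for a non-leader thread: kill(2) answers for thread IDs, but /proc
    lists only thread-group leaders, a classic source of false positives."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False

def pids_from_probe(max_pid=65536):
    """PIDs found with kill(pid, 0), which bypasses a filtered /proc listing
    (ESRCH: no such process; EPERM: exists but not ours). max_pid is a
    constructed default; use /proc/sys/kernel/pid_max for a full, slower sweep."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        if not is_thread(pid):
            found.add(pid)
    return found

def hidden_pids(readdir_pids, ps_pids, probe_pids):
    """PIDs the probe sees but readdir or ps does not. Processes that start or
    exit between snapshots (ps itself, short-lived children) give benign one-off
    hits, so a warning that vanishes on re-run is usually transient."""
    return {"hidden_from_readdir": sorted(probe_pids - readdir_pids),
            "hidden_from_ps": sorted(probe_pids - ps_pids)}
```

Run it as root for a complete view, e.g. `hidden_pids(pids_from_readdir(), pids_from_ps(), pids_from_probe())`, and repeat it a few times before treating a non-empty result as more than a timing artifact.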
