Re: reinstalled system

Author: Richard Wilson
Date:  
To: Main PLUG discussion list
Subject: Re: reinstalled system
All,

I saw this same error on a variety of Red Hat and Fedora systems,
always with a single "possible LKM Trojan installed". I researched it
and found that the test that reports this compares the PIDs reported by
'ps' against the list in /proc (each process will have a directory
in /proc named the same as the PID). It's easy to get this off by one,
and I wouldn't be surprised to see it off by a few. I went through and
compared the process counts against the directory entries and found
where the discrepancy was for my Fedora instance, but it was a painful
(and worry-filled) half hour to hour.

Hope this helps,

Rich Wilson
-------------------------------------------------------------
On Sat, 2006-02-18 at 20:40 -0700, Craig White wrote:
> On Sat, 2006-02-18 at 22:30 -0500, Mike wrote:
> > On Saturday 18 February 2006 09:58 pm, Craig White wrote:
> > > what fluke are you talking about?
> >
> > By fluke I mean that it isn't real. The warnings said that the problem was a
> > 'Possible LKM Trojan installed'. Besides all of this the system is barely a
> > week old.
> ----
> I do recall on Fedora systems, that sometimes false positives are
> reported - which of course cause some people no end of concern. I think
> to be certain, you will have to check out each of the specific things
> chkrootkit has identified to be certain.
>
> Craig
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
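
The ps-versus-/proc comparison described in the message above, as an added example that is not part of the original thread and is not chkrootkit's own code. It repeats the comparison over several rounds and reports only PIDs that mismatch every time, which filters out processes that started or exited between the two snapshots; the function names and the sample PID sets are assumptions constructed for illustration.

```python
import os
import subprocess
import time

def ps_pids():
    """PIDs reported by ps, minus ps itself (it has exited before /proc is read)."""
    proc = subprocess.Popen(["ps", "-e", "-o", "pid="],
                            stdout=subprocess.PIPE, text=True)
    out, _ = proc.communicate()
    return {int(tok) for tok in out.split()} - {proc.pid}

def proc_pids(root="/proc"):
    """PIDs that have a numeric directory under /proc."""
    return {int(name) for name in os.listdir(root) if name.isdigit()}

def mismatch(ps_set, proc_set):
    """One round: (PIDs only in /proc, PIDs only in ps output)."""
    return proc_set - ps_set, ps_set - proc_set

def persistent_mismatch(rounds):
    """Keep only PIDs that mismatch in every round; one-off differences are races."""
    only_proc, only_ps = None, None
    for ps_set, proc_set in rounds:
        p, s = mismatch(ps_set, proc_set)
        only_proc = p if only_proc is None else only_proc & p
        only_ps = s if only_ps is None else only_ps & s
    return sorted(only_proc or ()), sorted(only_ps or ())

def live_rounds(n=3, delay=0.5):
    """Take n snapshot pairs from the running system."""
    rounds = []
    for _ in range(n):
        rounds.append((ps_pids(), proc_pids()))
        time.sleep(delay)
    return rounds

# Constructed sample snapshots as (ps output, /proc listing):
# PID 500 started after ps ran in round 1, PID 611 exited before /proc
# was read in round 2, PID 977 is missing from ps in all three rounds.
SAMPLE_ROUNDS = [
    ({1, 200, 305, 412}, {1, 200, 305, 412, 500, 977}),
    ({1, 200, 305, 412, 611}, {1, 200, 305, 412, 977}),
    ({1, 200, 305, 412}, {1, 200, 305, 412, 977}),
]

if __name__ == "__main__":
    print("sample:", persistent_mismatch(SAMPLE_ROUNDS))
    print("live:  ", persistent_mismatch(live_rounds()))
```

A PID that survives every round still needs to be inspected by hand (for example by looking at its /proc entry) before drawing any conclusion.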

