Re: [OT] Rootkit queston

From: dean gaudet
Date: Fri Dec 05 2003 - 12:30:10 EST

Next message: Jason Kingsland: "Re: Linux GPL and binary module exception clause?"
Previous message: Linus Torvalds: "Re: Linux GPL and binary module exception clause?"
In reply to: Bernd Eckenfels: "Re: [OT] Rootkit queston"
Next in thread: Albert Cahalan: "Re: [OT] Rootkit queston"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 1 Dec 2003, Markus Hästbacka wrote:

> I've been paranoid after I heard that the debian project got
> "rootkitted", I ran chkrootkit, and it said that it's possible that I
> have a LKM rootkit installed, but the website told me that it's possible
> that the LKM test gives wrong information with recent kernels (Running
> 2.4.22 now).

chkrootkit's lkm test is fooled by kernel threads... and if your system is
under heavy fork/exit load it'll result in some false lkm positives as
well. it shouldn't be hard to fix the first problem (in chkrootkit), but
the second has no real solution.

-dean
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jason Kingsland: "Re: Linux GPL and binary module exception clause?"
Previous message: Linus Torvalds: "Re: Linux GPL and binary module exception clause?"
In reply to: Bernd Eckenfels: "Re: [OT] Rootkit queston"
Next in thread: Albert Cahalan: "Re: [OT] Rootkit queston"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]