Board: FB_security
Title: Re: Hacked or not ?
Posting site: NCTU CSIE FreeBSD Server (Sat Jun 12 11:54:08 2004)
Relay path: ptt!FreeBSD.csie.NCTU!not-for-mail
On Saturday, 2004-06-12 at 13:15:33 +0200, Peter Rosa wrote:
> please advise me - I was on holidays for one week. After return I found in
> security mails from router (chkrootkit) following message:
> Checking `lkm'... You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
> It appeared only once. From previous and next days reports, the message is
> not present.
This is an artifact. chkrootkit uses two methods to look at the running
processes - ps and /proc. When a process terminates between the two
runs, you will get this. I see it at irregular intervals on all my
machines that run chkrootkit.
But if your machine is critical, running chkrootkit once daily is not
enough. This gives a cracker too much time to nest in. Run it at least
every hour.
Are you running an integrity checker like AIDE, Tripwire, etc?
> How could I be sure, the machine is not hacked ?
You can't. Not in general. chkrootkit goes only so far. Always assume
the worst. But don't panic.
HTH,
Lupe Christoph
PS: Flames that this is not a security help mailing list to /dev/null,
please. If you want to flame me, put the energy into creating a
freebsd-security-help mailing list instead.
--
| [email protected] | http://www.lupe-christoph.de/ |
| "... putting a mail server on the Internet without filtering is like |
| covering yourself with barbecue sauce and breaking into the Charity |
| Home for Badgers with Rabies." Michael Lucas |
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
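The race Lupe describes (a process exiting between chkrootkit's /proc listing and its ps run, producing a one-off "hidden process" report) is easy to reproduce and to filter. The following is an added example, not code from the thread or from chkrootkit: it takes the same two views, compares them in the terms chkrootkit's message uses, and then requires a PID to be hidden in every one of several rounds spaced a few seconds apart before reporting it. Function names, the `live_scan` helper and the constructed PID sets are assumptions for illustration; the live helpers assume a Linux-style procfs at /proc and a ps(1) that accepts `-A -o pid=`.

```python
"""
Added example (not from the list post or from chkrootkit): a ps-versus-/proc
process comparison with a re-sampling step that removes the exit-race artifact.
Function names and sample PID sets are constructed for illustration.
"""
import os
import subprocess
import time
from typing import Dict, Iterable, Set, Tuple

Views = Tuple[Set[int], Set[int]]  # (readdir view, ps view) taken back to back


def pids_from_proc_readdir() -> Set[int]:
    """PIDs obtained by listing /proc directory entries (the readdir view).
    Assumes a procfs mounted at /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_ps() -> Set[int]:
    """PIDs reported by ps(1) (the ps view). Note that ps lists its own,
    short-lived PID, which was not there for the readdir sample: that alone
    makes a single-shot comparison differ by one entry almost every time."""
    out = subprocess.run(["ps", "-A", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def compare_views(readdir_view: Set[int], ps_view: Set[int]) -> Dict[str, Set[int]]:
    """Single-shot comparison, in the terms chkrootkit's message uses:
    'hidden for readdir' = ps saw it, the /proc listing did not;
    'hidden for ps'      = the /proc listing saw it, ps did not.
    A process that exits (or starts) between the two samples lands here once."""
    return {
        "hidden_for_readdir": ps_view - readdir_view,
        "hidden_for_ps": readdir_view - ps_view,
    }


def persistent_hidden(samples: Iterable[Views]) -> Dict[str, Set[int]]:
    """Flag a PID only if it is hidden in *every* sample round.
    A process caught mid-exit appears in at most one round and drops out;
    a PID that is masked consistently in one view survives every round.
    A hider that masks a process from both views is invisible here too,
    which is the limit Lupe's reply points at."""
    result = None
    for readdir_view, ps_view in samples:
        diff = compare_views(readdir_view, ps_view)
        result = diff if result is None else {k: result[k] & diff[k] for k in result}
    return result or {"hidden_for_readdir": set(), "hidden_for_ps": set()}


def live_scan(rounds: int = 3, delay_s: float = 2.0) -> Dict[str, Set[int]]:
    """Take `rounds` paired samples a few seconds apart on the local host
    and report only PIDs hidden in all of them."""
    samples = []
    for _ in range(rounds):
        samples.append((pids_from_proc_readdir(), pids_from_ps()))
        time.sleep(delay_s)
    return persistent_hidden(samples)


if __name__ == "__main__":
    print(live_scan())
```

Run it from cron at the interval Lupe suggests; an empty result from `live_scan()` means nothing was consistently hidden across the rounds, not that the host is clean, since a check of this kind only sees what the kernel is willing to show both ps and readdir.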