We have seen this question before. somehow ps is probably not giving the right answers to chkrootkit. On Sunday 02 May 2004 13:15, Stefan Onken wrote:

Checking `lkm'... You have 8 process hidden for readdir command You have 8 process hidden for ps command Warning: Possible LKM Trojan installed

Below my message of the 10th of feb.

Hi,

...

Is this an issue or is chkroot being fooled by the newer version? I'm also curious about the "Checking `lkm'... You have 5 process hidden for ps command" result. Whats up with that?

I don't know what chkrootkit has with top, but the ps is broken I think.

Observe: # ./chkrootkit -x lkm ROOTDIR is `/' ### ### Output of: ./chkproc -v -v ### PID     4: not in ps output CWD     4: / EXE     4: / PID     5: not in ps output CWD     5: / EXE     5: / PID     6: not in ps output CWD     6: / EXE     6: / PID     7: not in ps output CWD     7: / EXE     7: / PID     8: not in ps output CWD     8: / EXE     8: / You have     5 process hidden for ps command# ps ax

And now ps ax (not the whole thing)   PID TTY      STAT   TIME COMMAND     1 ?        S      0:04 init [5]     2 ?        SW     0:00 [keventd]     3 ?        SW     0:00 [kapmd]     0 ?        SWN    0:00 [ksoftirqd_CPU0]     0 ?        SW     0:02 [kswapd]     0 ?        SW     0:00 [bdflush]     0 ?        SW     0:00 [kupdated]     0 ?        SW     0:00 [kinoded]     9 ?        SW     0:00 [mdrecoveryd]    17 ?        SW<    0:00 [lvm-mpd]    25 ?        SW     0:01 [kjournald]

ps gives a pid of 0 for 5 processes.

So that ps version has a bug.

BB, Arjen