1 Feb 2004, 06:10
On Sunday 01 February 2004 06.25, David Herman wrote:
Continuing my investigation, I booted up my test machine w/ SuSE 9.0, ran chkrootkit, and it showed all clean. Then I used synaptic and updated ps (ps_2003.11.17-18_i586.rpm) and nothing else, then I ran chkroot again and the errors are there.
chkrootkit is reacting to the string /prof in top. That string isn't in the src.rpm, but it is in the binary. That alone is very suspicious. It does look like kraxel's binaries are infected. I wonder what other niceties are in the binaries in the apt repo.
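
The comparison made in the message above (a string that is in the shipped binary but not in its source), as an added example that is not part of the original thread. The function names and the sample files are constructed for illustration; on a real system the inputs would be the installed binary and the unpacked src.rpm tree.

```shell
#!/bin/sh
# Return 0 when MARKER occurs in BINARY but in no file under SRCDIR,
# 1 when the source tree accounts for it, 2 when the binary lacks it.
marker_only_in_binary() {
    marker=$1 binary=$2 srcdir=$3
    # -a: read the binary as text; -F: literal match, not a regex
    grep -a -F -q -- "$marker" "$binary" || return 2
    if grep -r -F -q -- "$marker" "$srcdir"; then
        return 1
    fi
    return 0
}

# Constructed sample data standing in for an unpacked binary and its source:
# the fake "top" binary carries /proc and /prof, the source only /proc.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/src"
    printf 'static const char *path = "/proc";\n' > "$dir/src/top.c"
    printf '\177ELF\000\001/proc\000\002/prof\000\003' > "$dir/top"
    printf '%s\n' "$dir"
}

sample=$(make_sample)
for m in /proc /prof /nothere; do
    rc=0
    marker_only_in_binary "$m" "$sample/top" "$sample/src" || rc=$?
    case $rc in
        0) echo "$m: in binary, NOT in source" ;;
        1) echo "$m: in binary and in source" ;;
        2) echo "$m: not in binary" ;;
    esac
done
rm -rf "$sample"
```

A marker reported as "in binary, NOT in source" is the case to follow up by rebuilding the package from its src.rpm and comparing the result with the distributed binary.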