Yesterday I decided to run chkrootkit, and apart from the "top" and "find" commands being reported infected (which is ok afaik, everyone seems to have the same on any fresh installation), I realised the following was also reported:
A) 5 "nscd" processes were hidden from the readdir and ps commands
B) 1 suseplugger process was hidden from the readdir and ps commands
Ok, I moved those files into a safe place for now, rebooted - and everything went fine until... I ran Yast2! y2base is reported hidden from the readdir and ps commands...
Can someone advise me on this?
chkrootkit gets confused by NPTL threads. It will complain about _every_ application spawning threads.
Right... We've stumbled over this a few weeks ago, getting reports and "severe" concerns. chkrootkit is braindead in more respects: It does the same thing as ps does (getdents(2) on /proc), and interprets the difference to be a kernel backdoor. Not very sane, and could use some improvement. We'll have a chkrootkit package soon. A colleague of mine has made an article available on the support database using the text I've written. It is available at: http://portal.suse.com/sdb/de/2004/08/pohletz_chroot_infected_progs.html
Robert
Thanks,
Roman.
--
Roman Drahtmüller
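One way to triage the "hidden from readdir" reports discussed in this thread, as an added example that is not part of the original messages and not chkrootkit's own code. It assumes a Linux procfs where a thread ID can be opened as /proc/<tid> without being returned by readdir on /proc, and where /proc/<id>/status carries `Tgid` and `Pid` lines; the function names are hypothetical.

```python
import os
import re

def parse_status(text):
    """Return (tgid, pid) from the text of /proc/<id>/status."""
    fields = dict(re.findall(r"^(Tgid|Pid):\s+(\d+)$", text, re.M))
    return int(fields["Tgid"]), int(fields["Pid"])

def classify(listed, probed):
    """listed: numeric names that readdir on /proc returned.
    probed: {id: status text} for every id whose status file opened.
    Returns (threads, unexplained) for ids that readdir did not list."""
    threads, unexplained = {}, []
    for ident, status in sorted(probed.items()):
        if ident in listed:
            continue
        tgid, pid = parse_status(status)
        if tgid != pid and tgid in listed:
            threads[ident] = tgid       # thread of a visible process
        else:
            unexplained.append(ident)   # not accounted for by threading
    return threads, unexplained

def scan(proc="/proc", max_id=None):
    """Collect both views (readdir and direct probing) from a live system."""
    if max_id is None:
        with open(os.path.join(proc, "sys/kernel/pid_max")) as f:
            max_id = int(f.read())
    listed = {int(n) for n in os.listdir(proc) if n.isdigit()}
    probed = {}
    for ident in range(1, max_id + 1):
        try:
            with open(os.path.join(proc, str(ident), "status")) as f:
                probed[ident] = f.read()
        except OSError:
            continue                    # no such task, or it just exited
    return listed, probed

if __name__ == "__main__":
    threads, unexplained = classify(*scan())
    for tid, tgid in threads.items():
        print(f"{tid}: thread of listed process {tgid}")
    for ident in unexplained:
        print(f"{ident}: not listed and not a thread of a listed process")
```

A task that starts between the readdir pass and the probing pass lands in the second list, so an entry there is only meaningful if it persists across repeated runs.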