So you have another program that reports a trojan was installed based on the result of the chkproc? What program is that?<br><br><div><span class="gmail_quote">On 10/16/06, <b class="gmail_sendername">David Lawyer</b> <
<a href="mailto:dave@lafn.org">dave@lafn.org</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">I thought that it's about time that I post something "on topic" rather
<br>than OT. So here it is. I think I've solved the problem by<br>assuming that it's "no problem".<br><br>When my cron jobs run, that were somehow set up to run by updating<br>Debian packages using "apt-get", I get email reports from them. One
<br>such report told me that a possible LKM Trojan was installed. But it<br>also said that per "chkproc" 1 process was hidden for the ps command.<br>This means that there was a process running which didn't get listed by
<br>the "ps" command, possibly because the "ps" command has been<br>contaminated with code so that it would not display a certain rogue<br>LKM (Linux Kernel Module) process. So I ran "chkproc" (it's not in
<br>any standard path so I had to use "locate" to find it) and it finds<br>nothing wrong.<br><br>So per what I saw on the Internet, chkproc can make a mistake since it<br>takes a snapshot of both the output of "ps" and the list of processes
<br>in the /proc/ directory. They are not really a list since each<br>process number appears as the name of a subdirectory in the /proc/<br>directory. /proc/ is not a normal directory since the contents of all<br>the files in its tree are all in memory and not on disk.
<br><br>So since chkproc takes a snapshot of the output of ps and the list of<br>processes in /proc at slightly different times, there's supposedly a<br>possibility of an error since a process may be born or die while the<br>
chkproc is gathering the info (including the time ps is gathering its<br>info, etc.). Such an error would be a false positive. Here the<br>"positive" result of the test is that it finds a trojan. But if<br>that's false they say it's a "false positive". So I think I'm just
<br>getting a false positive and have nothing to worry about. Any<br>comments? Do others get this false positive?<br><br>I further checked the checksum of the ps binary and found it to be<br>correct. To do this I used the md5sum program on ps and compared it
<br>to an md5 list in a file in the Debian package directory tree. These<br>are the md5sums of the binaries (such as ps) which I downloaded from<br>Debian over the Internet using apt-get.<br><br> David Lawyer
<br></blockquote></div><br>
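The ps-versus-/proc comparison that the post describes, as an added example that is not part of the thread or of chkrootkit's chkproc: it repeats the two snapshots several times and only reports a PID that is missing from ps in every round, so a process that starts or exits between the snapshots (the race the post suspects) is not counted. The <code>ps -e -o pid=</code> invocation, the Linux /proc layout, and the round count and delay are assumptions of this example.

```python
# Added example (not from the thread): chkproc-style hidden-process check
import os
import subprocess
import time


def proc_pids():
    """PIDs visible as numeric directory names in /proc."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def ps_pids():
    """PIDs reported by the ps binary, the view a tampered ps would filter."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], check=True,
                         capture_output=True, text=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_in_round(ps_view, proc_view):
    """PIDs in /proc but missing from ps for one pair of snapshots."""
    return set(proc_view) - set(ps_view)


def stable_hidden(rounds):
    """PIDs missing from ps in every round of (ps_view, proc_view) pairs.
    A PID missing in only some rounds is a process that was born or died
    between the two snapshots, i.e. the race false positive from the post."""
    result = None
    for ps_view, proc_view in rounds:
        missing = hidden_in_round(ps_view, proc_view)
        result = missing if result is None else result & missing
    return result or set()


def check_live(rounds=3, delay=0.5):
    """Take `rounds` snapshot pairs on a live Linux host (assumed present)."""
    samples = []
    for _ in range(rounds):
        samples.append((ps_pids(), proc_pids()))
        time.sleep(delay)
    return stable_hidden(samples)


if __name__ == "__main__":
    print("stably hidden PIDs:", sorted(check_live()) or "none")
```

A PID that survives every round still deserves a look, but a single-round miss, as in the post's cron report, is consistent with the snapshot race rather than a rootkit.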