From owner-freebsd-stable@FreeBSD.ORG  Sun Dec 24 02:01:28 2006
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
X-Original-To: freebsd-stable@freebsd.org
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 0C7BB16A403
	for <freebsd-stable@freebsd.org>; Sun, 24 Dec 2006 02:01:28 +0000 (UTC)
	(envelope-from edwin@mavetju.org)
Received: from mail4out.barnet.com.au (mail4.barnet.com.au [202.83.178.125])
	by mx1.freebsd.org (Postfix) with ESMTP id C758913C457
	for <freebsd-stable@freebsd.org>; Sun, 24 Dec 2006 02:01:27 +0000 (UTC)
	(envelope-from edwin@mavetju.org)
Received: by mail4out.barnet.com.au (Postfix, from userid 1001)
	id C31F537BAFD; Sun, 24 Dec 2006 12:45:24 +1100 (EST)
X-Viruscan-Id: <458DDBB400011FC3113942@BarNet>
Received: from mail4auth.barnet.com.au (mail4.barnet.com.au [202.83.178.125])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by mail4.barnet.com.au (Postfix) with ESMTP id 9481D428AC3;
	Sun, 24 Dec 2006 12:45:24 +1100 (EST)
Received: from k7.mavetju (k7.mavetju.org [10.251.1.18])
	by mail4auth.barnet.com.au (Postfix) with ESMTP id 5694637BAE4;
	Sun, 24 Dec 2006 12:45:24 +1100 (EST)
Received: by k7.mavetju (Postfix, from userid 1001)
	id F18FA153; Sun, 24 Dec 2006 12:45:23 +1100 (EST)
Date: Sun, 24 Dec 2006 12:45:23 +1100
From: Edwin Groothuis <edwin@mavetju.org>
To: Matthew Herzog <matthew.herzog@gmail.com>
Message-ID: <20061224014523.GB90165@k7.mavetju>
Mail-Followup-To: Edwin Groothuis <edwin@mavetju.org>,
	Matthew Herzog <matthew.herzog@gmail.com>,
	freebsd-stable@freebsd.org
References: <7cf39bb60612231257p1a8a62c3g43a9da939306a59e@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <7cf39bb60612231257p1a8a62c3g43a9da939306a59e@mail.gmail.com>
User-Agent: Mutt/1.4.2.1i
Cc: freebsd-stable@freebsd.org
Subject: Re: chkrootkit finds 94 process hidden for readdir
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Dec 2006 02:01:28 -0000

On Sat, Dec 23, 2006 at 03:57:35PM -0500, Matthew Herzog wrote:
> I run FreeBSD 6.1-RELEASE-p7 on an UltraSparc 5 machine.
> I ran chkrootkit yesterday and saw this:
> Checking `lkm'... You have    94 process hidden for readdir command
> chkproc: Warning: Possible LKM Trojan installed

I thought this was related to the time difference in "ps" and the
processing of the /proc directory.

Edwin

-- 
Edwin Groothuis      |            Personal website: http://www.mavetju.org
edwin@mavetju.org    |          Weblog: http://weblog.barnet.com.au/edwin/