From owner-freebsd-questions@FreeBSD.ORG Sun Feb 18 19:35:55 2007
Date: Sun, 18 Feb 2007 14:35:54 -0500
From: Kris Kennaway
To: FreeBSD MailingLists
Cc: questions
Subject: Re: LKM Trojan?
Message-ID: <20070218193554.GC54293@xor.obsecurity.org>
List-Id: User questions
User-Agent: Mutt/1.4.2.2i

On Sun, Feb 18, 2007 at 11:04:18PM +0900, FreeBSD MailingLists wrote:
> When I run chkrootkit I get the following lines.
>
> >Checking `lkm'... You have 107 process hidden for readdir command
> >chkproc: Warning: Possible LKM Trojan installed
>
> rkhunter doesn't seem to find anything.
> I suspect that my machine might be compromised.
> Running "ls" in the /proc directory returns an empty list.
> I have recompiled the kernel and world but the problem persists.
> Any suggestions on how to fix this without having to reinstall from scratch?
When using any tool you need to understand the limitations of that tool. One of the major limitations of these pattern-recognition "security" tools is that they just aren't very accurate and have lots of false positives. So you may have an "LKM trojan" (even though FreeBSD doesn't use "LKM"s, it uses "KLD"s ;), or (more likely) you might have just encountered a poorly specified search pattern in the tool.

Kris
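An added example, not part of the thread and not chkrootkit's own code: the "hidden for readdir" check is, in outline, a comparison between the process IDs the kernel admits to (here taken from ps) and the directory entries readable under /proc. The original poster notes that ls /proc returns nothing, which is exactly the condition that makes such a comparison flag every process as hidden. The script below models that comparison in simplified form and adds the pre-check a practitioner wants: if procfs is not populated at all, report that instead of a "hidden process" count. The function names, the directory-argument layout and the sample PID lists are this example's own assumptions; on FreeBSD the real-world check is whether procfs is mounted at /proc at all (mount -t procfs), since it is not mounted by default.

```shell
#!/bin/sh
# Added example (not chkrootkit code): a chkproc-style "hidden process"
# comparison, plus a procfs-mounted pre-check to avoid the false positive
# described in the thread.

# Return 0 if $1 looks like a populated procfs (has at least one numeric
# entry), 1 otherwise. An unmounted /proc on FreeBSD is an empty directory.
procfs_populated() {
    dir=$1
    for e in "$dir"/[0-9]*; do
        [ -e "$e" ] && return 0
    done
    return 1
}

# Count PIDs from the process table ($2, whitespace-separated) that have no
# directory under the procfs path $1. This is the readdir-vs-process-table
# comparison that produces "N process hidden for readdir".
count_hidden() {
    procdir=$1
    pids=$2
    hidden=0
    for p in $pids; do
        [ -d "$procdir/$p" ] || hidden=$((hidden + 1))
    done
    echo "$hidden"
}

# Verdict with the missing sanity check: an empty procfs is reported as
# "procfs-not-mounted" rather than as hundreds of hidden processes.
verdict() {
    procdir=$1
    pids=$2
    if ! procfs_populated "$procdir"; then
        echo "procfs-not-mounted"
        return 0
    fi
    h=$(count_hidden "$procdir" "$pids")
    if [ "$h" -gt 0 ]; then
        echo "hidden:$h"
    else
        echo "clean"
    fi
}

# Live run against the local system (ps -A is accepted by both FreeBSD and
# procps ps). Transient processes such as ps itself may exit between the
# listing and the check, so a live run can legitimately report a small count.
live_pids=$(ps -A -o pid= 2>/dev/null || true)
echo "live /proc: $(verdict /proc "$live_pids")"
```

Usage: on the poster's machine, where ls /proc is empty, verdict would print procfs-not-mounted instead of flagging 107 processes; on a host with procfs mounted and a real discrepancy it prints hidden:N. The constructed directories in the test below stand in for both states so the logic runs offline.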