Compare with the result of this: http://www.security-projects.com/?Unhide and tell us.

Leonardo Vilela Pinheiro wrote:
> On 12/22/06, Leonardo Vilela Pinheiro <leopinheiro at gmail.com> wrote:
>> How can I be sure if it is LKM or not?
>>
>> Today I've run chkrootkit and it gave me:
>>
>> Checking `lkm'... You have 179 process hidden for readdir command
>> You have 179 process hidden for ps command
>> chkproc: Warning: Possible LKM Trojan installed
>>
>> Checking `chkutmp'... The tty of the following user process(es) were
>> not found
>> in /var/run/utmp !
>> ! RUID PID TTY CMD
>> ! root 3206 tty1 /sbin/mingetty tty1
>> ! root 3285 tty2 /sbin/mingetty tty2
>> ! root 3337 tty3 /sbin/mingetty tty3
>> ! root 3388 tty4 /sbin/mingetty tty4
>> ! root 3439 tty5 /sbin/mingetty tty5
>>
>> Those hidden tty can be "su -" sessions that I have just started. The
>> computer has just been restarted, and I have just opened those su
>> sessions.
>>
>> There are also some "hidden files", all of them named .packlist and
>> .exists. Everything else is fine.
>>
>> rkhunter looks fine.
>>
>> " rpm -Va kernel* " looks fine.
>>
>> Remote user access is being controlled through /etc/ssh/sshd_config
>> in a user-host fashion.
>>
>> Thanks in advance.
>>
>> --
>> Vilela
>>
>
> It is a CentOS 4.4 box.
>

--
Lorenzo Martínez Rodríguez
Computer security consultant