I recently saw the following in a chkrootkit report:
Feb 7th - Checking `lkm'... You have 1 process hidden for readdir command You have 1 process hidden for ps command Warning: Possible LKM Trojan installed
Checking earlier reports I see:
Jan 19th - Checking `lkm'... nothing detected Jan 21st - Checking `lkm'... nothing detected Jan 23rd - Checking `lkm'... nothing detected Jan 25th - Checking `lkm'... nothing detected Jan 29th - Checking `lkm'... nothing detected Jan 31st - Checking `lkm'... nothing detected Feb 1st - Checking `lkm'... nothing detected
Feb 3rd - Checking `lkm'... You have 1 process hidden for readdir command You have 1 process hidden for ps command Warning: Possible LKM Trojan installed
Feb 5th - Checking `lkm'... nothing detected
So although the first warning appears on Feb 3rd it does not show on Feb 5th but re-appears on Feb 7th. Because of that I'm assuming (hoping?) it may be a false alarm. Well it does say 'Possible'!
I have only a standard dial-up connection and have PMFirewall installed and running when I'm connected to the internet. I run chkrootkit every other day.
What do you think chaps? (Chaps is a generic term which includes chapesses).
Barry Samuels