Anyway, here is a piece of the logs...
chkrootkit:
Checking `bindshell'... not infected
Checking `lkm'... You have 3 process hidden for readdir command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... fxp0 is not promisc
Checking `w55808'... not infected
Checking `wted'... 1 deletion(s) between Tue Feb 10 23:44:48 2004 and Tue Feb 10 23:47:05 2004
nothing deleted
Checking `scalper'... not infected
Here is the result of the check (http://www.multik.ru/linux/bulgar2/)
possibly hidden process found. pid: 6658
CMD: /usr/local/libexec/mysqld --basedir=/usr/local --datadir=/home/mysql --user=mysql --pid-file=/home/mysql/mysql.pid
possibly hidden process found. pid: 6694
CMD: /usr/local/libexec/mysqld --basedir=/usr/local --datadir=/home/mysql --user=mysql --pid-file=/home/mysql/mysql.pid
possibly hidden process found. pid: 6902
CMD: /usr/local/libexec/mysqld --basedir=/usr/local --datadir=/home/mysql --user=mysql --pid-file=/home/mysql/mysql.pid
So I take a look...
[root@eltima ~] # ps ax | grep 6902
root 22217 0.0 0.1 1036 284 p0 R+ 9:16AM 0:00.00 grep 6902
mysql 6902 0.0 6.6 322676 34088 ?? IN 12:07PM 0:00.17 /usr/local/libexec/mysqld --basedir=/usr/local --datadir=/home/mysql --user=m
I.e. the process is visible...
Process tree
-+= 00001 root /sbin/init --
|--= 00024 root adjkerntz -i
|--= 00124 root /usr/sbin/syslogd -ss
|--= 00127 root /usr/sbin/named
|--= 00136 root /usr/sbin/inetd -wW -s 12 -l
|--= 00138 root /usr/sbin/cron
|-+= 00140 root /usr/sbin/sshd
| \-+- 22193 root sshd: flusher [priv] (sshd)
| \-+- 22195 flusher sshd: flusher@ttyp0 (sshd)
| \-+= 22196 flusher -bash (bash)
| \-+= 22197 root -su (bash)
| |-+= 22248 root pstree
| | \-+- 22250 root sh -c ps -axwwo user,pid,ppid,pgid,command
| | \--- 22251 root ps -axwwo user,pid,ppid,pgid,command
| \--- 22249 root less
|--= 00143 root sendmail: accepting connections (sendmail)
|--= 00146 smmsp sendmail: Queue runner@00:30:00 for
|-+= 00170 root /usr/local/sbin/httpd -k start
| |--- 00235 www /usr/local/sbin/httpd -k start
| |--- 00236 www /usr/local/sbin/httpd -k start
| | ...
| \--- 12746 www /usr/local/sbin/httpd -k start
|--= 00211 root /usr/libexec/getty Pc ttyv0
|--= 00212 root /usr/libexec/getty Pc ttyv1
|--= 00213 root /usr/libexec/getty Pc ttyv2
|--= 00214 root /usr/libexec/getty Pc ttyv3
|--= 00215 root /usr/libexec/getty Pc ttyv4
|--= 00216 root /usr/libexec/getty elogin ttyv5
\-+- 00174 root /bin/sh /usr/local/bin/mysqld_safe --user=mysql
\-+- 00224 mysql /usr/local/libexec/mysqld --basedir=/usr/local
\-+- 00225 mysql /usr/local/libexec/mysqld --basedir=/usr/local
|--- 00226 mysql /usr/local/libexec/mysqld --basedir=/usr/local
| ...
|--- 06902 mysql /usr/local/libexec/mysqld --basedir=/usr/local
| ...
|--- 21542 mysql /usr/local/libexec/mysqld --basedir=/usr/local
\--- 21897 mysql /usr/local/libexec/mysqld --basedir=/usr/local
So what is this, then? And why does it show up? Was mysql built incorrectly?
Question number 2.. How do I make the line
Checking `wted'... 1 deletion(s) between Tue Feb 10 23:44:48 2004 and Tue Feb 10 23:47:05 2004
not appear? I know that the file was edited...
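A small triage script, added here as an example and not part of the original post, that cross-checks chkproc's "possibly hidden process" reports against `ps` output the way the poster did by hand for pid 6902. The chkproc and `ps axo user,pid,command` text below is constructed; pid 6694 is deliberately left out of the ps sample so both outcomes are shown.

```python
import re

# Constructed sample in the format chkrootkit's chkproc prints (as in the post above).
CHKPROC_OUTPUT = """\
possibly hidden process found. pid: 6658
CMD: /usr/local/libexec/mysqld --basedir=/usr/local --datadir=/home/mysql --user=mysql
possibly hidden process found. pid: 6694
CMD: /usr/local/libexec/mysqld --basedir=/usr/local --datadir=/home/mysql --user=mysql
possibly hidden process found. pid: 6902
CMD: /usr/local/libexec/mysqld --basedir=/usr/local --datadir=/home/mysql --user=mysql
"""

# Constructed `ps axo user,pid,command` output; pid 6694 is deliberately absent.
PS_OUTPUT = """\
USER   PID COMMAND
mysql  224 /usr/local/libexec/mysqld --basedir=/usr/local --datadir=/home/mysql --user=mysql
mysql 6658 /usr/local/libexec/mysqld --basedir=/usr/local --datadir=/home/mysql --user=mysql
mysql 6902 /usr/local/libexec/mysqld --basedir=/usr/local --datadir=/home/mysql --user=mysql
"""

HIDDEN_RE = re.compile(r"possibly hidden process found\. pid: (\d+)")

def parse_chkproc(text):
    """Return {pid: cmd} for every 'possibly hidden process' report."""
    hidden, pid = {}, None
    for line in text.splitlines():
        m = HIDDEN_RE.match(line)
        if m:
            pid = int(m.group(1))
            hidden[pid] = ""
        elif line.startswith("CMD:") and pid is not None:
            hidden[pid] = line[4:].strip()
    return hidden

def parse_ps(text):
    """Return {pid: (user, command)} from `ps axo user,pid,command` output."""
    procs = {}
    for line in text.splitlines()[1:]:  # first line is the header
        user, pid, cmd = line.split(None, 2)
        procs[int(pid)] = (user, cmd)
    return procs

def triage(chkproc_text, ps_text):
    """'visible' if ps also lists the reported pid (as with 6902 in the post),
    'unlisted' if it does not; unlisted pids deserve the closer look."""
    procs = parse_ps(ps_text)
    return {pid: ("visible" if pid in procs else "unlisted")
            for pid in parse_chkproc(chkproc_text)}
```

Feed it the real chkrootkit output and a fresh `ps axo user,pid,command` capture taken right after the scan, since pids reported during a scan may have exited by the time you check.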