Ok, so what's the diff with a month ago? What do you have installed and running that wasn't running at the time?
If you were to run chkrootkit 3 times in a row and get approximately the same number of LKM warnings, then there are three things you could do if you really want to find out.
- Check your system against your AIDE/Samhain/Tripwire database. Provided the db has not been tampered with and system calls to the checker binary aren't intercepted, any file previously unaccounted for should show up. This doesn't get you the angle on the processes, but it verifies (within some margin of error) whether the system has been tampered with.
- Run cryogenic. If you trust me somehow, fetch the cryogenic-1.0-binary.i386.rpm, else Google for "Dave Dittrich" or "Introducing Cryogenic" and you'll find the source. Compile it statically on another box. Cryogenic saves /proc info for (nearly) all processes, so then you have a copy of what's in /proc/$PID and you can verify the md5/sha1sum of the saved exe against the binary.
- Boot Biatchux/FIRE and fire off another integrity-checking run. In the event an LKM is introduced into the system that allows for hiding processes and dirs, hiding won't work if the kernel ain't running.
I'm quite sure the three checks I mentioned (except for integrity) won't return positives, that your system is sane, and that it's caused by fast processes dying.
Still it won't hurt to know and practice some routines...
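The "run it three times" idea above, as an added example that is not part of the post or of chkrootkit or cryogenic: take the /proc-versus-ps snapshot several times and keep only PIDs that disagree on every run, so a process that dies between the two listings (the false positive described above) drops out; the second function does the cryogenic-style check of hashing /proc/PID/exe against the on-disk binary. Assumes a Linux host with ps(1) on the PATH; the function names are mine.

```python
#!/usr/bin/env python3
"""Added example: repeated /proc-vs-ps comparison plus /proc/PID/exe hash check."""
import hashlib
import os
import subprocess
import time


def proc_pids():
    """PIDs visible as numeric directories in /proc (kernel view)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def ps_pids():
    """PIDs reported by ps(1) (userland view); ps itself is a PID that the
    preceding /proc listing never saw, one source of one-off disagreements."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(p) for p in out.split()}


def consistently_hidden(runs):
    """runs: list of (proc_set, ps_set) pairs, one per snapshot.
    A PID that disagrees between the two views on only some runs was most
    likely short-lived; only PIDs disagreeing on every run are returned."""
    diffs = [proc ^ ps for proc, ps in runs]
    return set.intersection(*diffs) if diffs else set()


def snapshot_runs(n=3, delay=1.0):
    """Take n snapshot pairs, pausing between them."""
    runs = []
    for _ in range(n):
        runs.append((proc_pids(), ps_pids()))
        time.sleep(delay)
    return runs


def exe_hash_matches(pid):
    """Compare sha1 of /proc/PID/exe (the image the process was exec'd from)
    with the path it points to on disk. False means the on-disk file no
    longer matches what is running; None means the PID or file is gone."""
    link = f"/proc/{pid}/exe"
    try:
        target = os.readlink(link).split(" (deleted)")[0]
        digests = []
        for path in (link, target):
            with open(path, "rb") as f:
                digests.append(hashlib.sha1(f.read()).hexdigest())
        return digests[0] == digests[1]
    except OSError:
        return None


if __name__ == "__main__":
    for pid in sorted(consistently_hidden(snapshot_runs())):
        print(f"pid {pid} disagrees on every run; exe matches disk: {exe_hash_matches(pid)}")
```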