Here is a message from someone with the same surprise.
http://www.webservertalk.com/archive...-9-390056.html
A couple of the responses:
ROOTDIR is `/'
Checking `lkm'... You have 4 process hidden for ps command
Warning: Possible LKM Trojan installed
[root@spare chkrootkit-0.44]# ./chkproc -v
PID 1250: not in ps output
PID 1251: not in ps output
PID 1252: not in ps output
PID 1253: not in ps output
You have 4 process hidden for ps command
and then given the PID numbers
cd /proc/1250/ && cat cmdline
And get an idea of at least what the program says it is.
Another poster suggested that the 'clamav' program will cause this false
alarm.
Perhaps you could (after disconnecting from the network) stop the clamav program (disable the service?), reboot, and then run chkrootkit again.
Also, google for information on the LKM Trojan to find out how to detect it manually.
Does Debian have the equivalent of
rpm --verify --package <PACKAGE_FILE> command to verify whether or not files have been changed?
your files against the source packages. Verifying the coreutils
--
p.s. Here is a webpage article on checking for root kits by scanning ports and using chkrootkit.
http://www.start-linux.com/articles/article_91.php
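
An added example, not part of the original post: a shell helper for the step of looking under /proc for each PID that chkproc reports. It turns the NUL separators in cmdline into spaces and reads Tgid from status to show whether the ID is a thread of another process; PROC_ROOT and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: describe PIDs that chkproc listed as "not in ps output".
# Usage: sh describe_pids.sh 1250 1251 1252 1253
# PROC_ROOT is an assumption of this example so the functions can be
# pointed at a copied or constructed tree instead of the live /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print one field (Name, Tgid, PPid, ...) from <pid>/status.
status_field() {
    # $1 = pid, $2 = field name
    sed -n "s/^$2:[[:space:]]*//p" "$PROC_ROOT/$1/status" 2>/dev/null | head -n 1
}

# Print a one-line summary for a PID; returns 1 if it has no /proc entry.
describe_pid() {
    pid="$1"
    dir="$PROC_ROOT/$pid"
    if [ ! -d "$dir" ]; then
        echo "pid=$pid state=gone"
        return 1
    fi
    # cmdline is NUL-separated; a plain cat runs the arguments together.
    cmd=$(tr '\0' ' ' 2>/dev/null < "$dir/cmdline" | sed 's/ *$//')
    # Kernel threads have an empty cmdline; fall back to the Name field.
    [ -n "$cmd" ] || cmd="[$(status_field "$pid" Name)]"
    # exe points at the binary on disk; "?" if it cannot be read.
    exe=$(readlink "$dir/exe" 2>/dev/null || echo "?")
    tgid=$(status_field "$pid" Tgid)
    ppid=$(status_field "$pid" PPid)
    # If Tgid differs from the ID, this is a thread of process <Tgid>.
    kind=process
    [ -n "$tgid" ] && [ "$tgid" != "$pid" ] && kind="thread-of-$tgid"
    echo "pid=$pid kind=$kind ppid=$ppid exe=$exe cmd=$cmd"
}

# Describe every PID given on the command line.
for p in "$@"; do
    describe_pid "$p" || true
done
```

Run it as root so the exe link is readable. A line with kind=thread-of-N identifies the process the ID belongs to, which can then be compared with what ps shows for N.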