i just did a chkrootkit on my web server and found:
Checking `lkm'... You have 4 process hidden for ps command
Warning: Possible LKM Trojan installed
i've looked through the logs in /var a little but haven't seen anything that jumps out as really suspicious. what should i do to check this out more and clean it?
okay, false alarm i think.
i manually compared the contents of the /proc directory with ps ax, and it seems that the processes that are showing up as "hidden" are things like kswapd, ksoftirq, etc. maybe debian boxes are more prone to lkm false alarms, because searching LQ it seems to be fairly common. sure is a good way to scare a security n00b.
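The manual comparison described in the last post (numeric directories under /proc against the `ps ax` listing), written out as an added example that is not part of the original thread. It assumes kernel threads such as kswapd can be recognised by an empty /proc/PID/cmdline; the function names and the PROC_ROOT variable are made up for this example.

```shell
#!/bin/sh
# Added example: list PIDs that exist under /proc but are missing from ps output,
# and say whether each one looks like a kernel thread.
# PROC_ROOT (hypothetical variable) can point at a constructed tree for testing.
PROC_ROOT="${PROC_ROOT:-/proc}"

# PIDs that have a numeric directory under $PROC_ROOT, sorted numerically.
proc_pids() {
    for d in "$PROC_ROOT"/[0-9]*; do
        [ -d "$d" ] && echo "${d##*/}"
    done | sort -n
}

# PIDs parsed from ps-style text on stdin (first column; header line skipped).
ps_pids() {
    awk '$1 ~ /^[0-9]+$/ { print $1 }' | sort -n
}

# Assumption: kernel threads have no command line, so cmdline reads back empty.
# The content is read because procfs reports size 0 for every file.
is_kernel_thread() {
    f="$PROC_ROOT/$1/cmdline"
    [ -r "$f" ] && [ -z "$(tr -d '\000' < "$f" 2>/dev/null)" ]
}

# One line per PID present in /proc but absent from the ps listing on stdin.
report_hidden() {
    seen=$(ps_pids)
    for pid in $(proc_pids); do
        echo "$seen" | grep -qx "$pid" && continue
        name=$(awk '/^Name:/ { print $2 }' "$PROC_ROOT/$pid/status" 2>/dev/null) || name=""
        if is_kernel_thread "$pid"; then
            echo "$pid ${name:-?} kernel-thread"
        else
            echo "$pid ${name:-?} INVESTIGATE"
        fi
    done
}

# Live use: sh thisfile --live   (equivalent to: ps ax | report_hidden)
if [ "${1:-}" = "--live" ]; then
    ps ax | report_hidden
fi
```

Both listings come from the running kernel, so entries that turn out to be kernel threads explain the chkrootkit warning, but an empty report is not proof that no module is loaded. Zombies also read back an empty cmdline, and a process that starts between the two listings will show up once and vanish on a second run.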