LinuxQuestions.org
Old 04-01-2007, 05:50 AM   #1
Linux31
Member
 
Registered: Aug 2004
Posts: 296

Rep: Reputation: 30
Eliminating Trojan in Debian etch


I installed Debian etch the other day and installed Guarddog. I just ran chkrootkit and it said it found "Possible LKM Trojan installed".

Can someone tell me a Debian etch program to eliminate it?

Thanks for your help.
 
Old 04-01-2007, 07:02 AM   #2
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 556
If there's actually a trojan there, rootkithunter might get rid of it. You should be aware that *if* in fact it is a trojan, it may have already corrupted other software/binaries. If this is a fresh install, the chances of it being a trojan are less. There are after all false positives, depending on the OS and configuration.
Run rootkithunter (google 'rkhunter') and/or another rootkit scanner and see if it comes up with the same findings. If you are convinced it is a trojan, it may be wise to reinstall fresh if possible, to eliminate the small chance that the system is compromised, and as soon as the install is done, run and configure your rootkit scanner(s) so you have a baseline to compare to on future scans.
I still get a 'possible rootkit' report from one place on my system, but it isn't a trojan.
Finally, you might just try recompiling the kernel modules after a 'mrproper' and see if the issue is still there, but this is not a sure cure, if it *is* a trojan.
 
Old 04-01-2007, 07:45 AM   #3
Linux31
Member
 
Registered: Aug 2004
Posts: 296

Original Poster
Rep: Reputation: 30
I just ran rkhunter and it came back clean so it probably is a false positive.

Thanks for your help.
 
Old 04-02-2007, 01:03 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
A few corrections and additions if I may...

Quote: If there's actually a trojan there, rootkithunter might get rid of it.
No, RKH won't. Chkrootkit, Rootkit Hunter and OSSEC.* are (AFAIK) *passive* audit tools. It means they only pick up symptoms after the event occurred. They're not "cleaners".

Quote: If this is a fresh install, the chances of it being a trojan are less. There are after all false positives, depending on the OS and configuration.
With all due respect, next time it would be better to *explain* why. The first thing to resolve a question like this would be to look at the Chkrootkit FAQ. I *know* "chkproc" FPs are mentioned there. Or if you would search this forum you would have seen this question has been answered before as well. You shouldn't run another tool immediately after the alert but *understand* what's happening and why (short-lived processes).

Quote: Run rootkithunter (google 'rkhunter') and/or another rootkit scanner and see if it comes up with the same findings. If you are convinced it is a trojan, it may be wise to reinstall fresh if possible, to eliminate the small chance that the system is compromised, and as soon as the install is done, run and configure your rootkit scanner(s) so you have a baseline to compare to on future scans.
RKH is at rkhunter.sourceforge.net. There aren't that many other rootkit scanners that are actively developed, supported and maintained; the only ones I know are Chkrootkit, Rootkit Hunter, OSSEC and Zeppoo. You should raise the firewall and kill all *services* after a fresh install and run audit tools like Tiger and a *file integrity checker* (Aide, Samhain, etc, etc) instead to get a baseline.

Quote: I still get a 'possible rootkit' report from one place on my system, but it isn't a trojan.
Then figure out what it is and report it to the maintainers so they can fix it.

Quote: Finally, you might just try recompiling the kernel modules after a 'mrproper' and see if the issue is still there, but this is not a sure cure, if it *is* a trojan.
The most efficient way would be to boot a Live CD and check.
Of course this doesn't go well with boxen in colo ;-p
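As an added example (not code from the thread, and not chkrootkit's own code), here is a small POSIX shell script that makes the same kind of comparison chkproc makes, PIDs visible in /proc but absent from ps output, and then re-checks every discrepancy, which is how you tell the short-lived-process false positive unSpawn mentions apart from a process that really is hidden. It assumes a Linux /proc and a ps that accepts -e -o pid=; the function names are my own.

```shell
# Added example (not from the thread or from chkrootkit): a chkproc-style
# check that compares PIDs visible in /proc with PIDs listed by ps, then
# re-checks each discrepancy so a short-lived process is not reported as
# a hidden one. Assumes a Linux /proc and a ps that accepts -e -o pid=.

# PIDs visible as numeric directories under /proc.
proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && printf '%s\n' "${d#/proc/}"
    done
}

# PIDs the process table reports through ps.
ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# Print the PIDs in the first space-separated list that are absent from
# the second. Pure string work, so it can be tested with constructed lists.
pids_only_in_first() {
    for p in $1; do
        case " $2 " in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Re-examine one discrepancy. A PID already gone from /proc was a
# short-lived process (the classic chkproc false positive); one that ps
# lists on a second look was merely born between the two snapshots; only
# a PID still in /proc and still absent from ps is worth treating as hidden.
classify_pid() {
    if [ ! -d "/proc/$1" ]; then
        echo transient
    elif ps_pids | grep -qx "$1"; then
        echo transient
    else
        echo hidden
    fi
}

# One scan: snapshot both views (they cannot be taken atomically, which is
# exactly why a single comparison throws up false positives) and re-check.
scan_hidden_processes() {
    in_proc=$(proc_pids | tr '\n' ' ')
    in_ps=$(ps_pids | tr '\n' ' ')
    for p in $(pids_only_in_first "$in_proc" "$in_ps"); do
        printf '%s %s\n' "$p" "$(classify_pid "$p")"
    done
}
```

A PID that scan_hidden_processes still reports as hidden after the re-check is the case where unSpawn's advice applies: verify from a Live CD rather than trusting tools on the running system.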
 
Tags
debian, etch, rootkit, trojan