gewb Posted November 27, 2002

Help! My 9.0 has been infected with Copyright 1193. The file infected is in "/proc", file name "kcore" (looks to be a crash dump file, 267 meg in size). The file will not allow deletion or changing privileges.

What is the "kcore" file? Does the system need it? How can I delete it?

Note that I have recently updated my system from two sources: Mandrake update (I forgot what mirror) and Ximian Redcarpet update. I have not installed any other software EXCEPT the AV software that found the infection.

Regards,
Linux-newbie
NOSPAMgewb@att.net (remove NOSPAM)

DragonMage Posted November 27, 2002

I think your antivirus is screwed up. If you check the kcore file using ls -al kcore, you see that it is updated every minute. I have a feeling it is something very important to KDE, maybe something like a swap file or memory mapping perhaps? Do you have 256 MB of memory?

Guest anon Posted November 27, 2002

I think DragonMage is correct. Besides, a quick check on that virus says:

Platform: PC/MS-DOS
Reported to infect .COM files incl COMMAND.COM, and load itself into RAM and remain resident, and directly or indirectly corrupt file linkages.

theYinYeti Posted November 27, 2002

/proc/kcore is a kernel working file. Don't touch it. Don't worry about it. It is not actually the size it seems to be. Aside from that, I don't know anything else. It is not (cannot be?) corrupted, else your system would probably not run anymore.

Yves.

Cannonfodder Posted November 27, 2002

gewb, another thing to consider is that you should have a clean backup, so if you really were infected, you can restore your partitions from the backup.

MottS Posted November 27, 2002

kcore
This file represents the physical memory of the system and is stored in the core file format. With this pseudo-file, and an unstripped kernel (/usr/src/linux/tools/zSystem) binary, GDB can be used to examine the current state of any kernel data structures. The total length of the file is the size of physical memory (RAM) plus 4KB.

For more reading: http://www.mandrakeuser.org/mub/viewtopic....ic=6726&forum=5

Also, even if you think that this file is big, it is not! ..like the rest of the /proc directory. Those files are not real actually. Look at that:

[root@localhost gd]# du -sh /proc/kcore
0 /proc/kcore
[root@localhost gd]# du -sh /proc
0 /proc

And you CAN'T actually delete kcore. Try! You'll see. Just reboot and with Konq (or Nautilus) right click kcore and select 'properties'. The file will be exactly the size of your memory. When you shut down your computer, the file is deleted and when you restart the file is rebuilt.

About Copyright 1193, I have no idea.

MOttS

gewb Posted November 27, 2002

Thanks to all who responded. I had a terrible night of sleep thinking about this. I've been a Winblows user since Winblows 286 (1989) and NEVER had an infection, so you can imagine how upset I was thinking my 2 year Linux record had ended!

Given the apparent nature of the kcore file, I think the virus definition list may have been loaded into it - thus, when I ran a system scan it showed up as infected. I'll not worry about it and I'll drop a line to the programmer.

Thanks again to everyone!

Regards,
Linux-newbie
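
An added example, not written by any poster in this thread: a shell sketch of the triage check the replies point toward, deciding whether a path flagged by a scanner sits on a kernel-generated filesystem such as /proc rather than on disk. The function names (fs_type_for, classify_hit) and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format:
# device  mountpoint  fstype  options  dump  pass
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw 0 0
none /proc proc rw 0 0
/dev/hda5 /home ext3 rw 0 0
none /dev/pts devpts rw 0 0'

# Print the filesystem type of the longest mount point containing path $1.
# $2 is mount-table text; when empty, the live /proc/mounts is read.
fs_type_for() {
    path=$1
    table=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$table" | P="$path" awk '
        BEGIN { p = ENVIRON["P"] }
        {
            mp = $2
            # A mount contains the path if it is "/", equals the path,
            # or is a directory prefix of it ("/proc" must not match "/process").
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best) { best = length(mp); type = $3 }
            }
        }
        END { print type }'
}

# "pseudo" means the kernel generates the content on each read, so there is
# no on-disk file to disinfect or delete; exclude such paths from file scans.
classify_hit() {
    case $(fs_type_for "$1" "$2") in
        proc|sysfs|devpts|debugfs|securityfs|cgroup|cgroup2) echo pseudo ;;
        '') echo unknown ;;
        *) echo on-disk ;;
    esac
}

# The hit from this thread, checked against the constructed table.
classify_hit /proc/kcore "$SAMPLE_MOUNTS"
```

Called with an empty second argument, classify_hit reads the running system's mount table instead of the sample.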