On Sunday 16 July 2006 21:52, dnlt0hn5ntzhbqkv51 wrote: > On Sun, 16 Jul 2006 15:54:18 -0400, Dave S <[EMAIL PROTECTED]> wrote: > > On Sunday 16 July 2006 19:54, Hemmann, Volker Armin wrote: > >> On Sunday 16 July 2006 20:25, Dave S wrote: > >> > HI, I have a potential security problem ... > >> > > >> > and err its not on gentoo, its on ubuntu but I am not getting any > >> > response there & you guys are the most tech bunch I know - Thought I > >> > would lay it on the table :) > >> > > >> > I just had an email from chkrootkit last night - > >> > > >> > --- > >> > > >> > The following suspicious files and directories were found: > >> > > >> > You have 3 process hidden for readdir command > >> > You have 3 process hidden for ps command > >> > chkproc: Warning: Possible LKM Trojan installed > >> > > >> > --- > >> > > >> > Running chkrootkit now and all is OK > >> > > >> > [EMAIL PROTECTED]:~# > >> > [EMAIL PROTECTED]:~# chkrootkit | grep chkproc > >> > Checking `lkm'... chkproc: nothing detected > >> > [EMAIL PROTECTED]:~# > >> > > >> > I have even 'sudo install --reinstall chkrootkit' in case its binarys > >> > have been modified (paranoid) > >> > >> if you installed using the tools of the system, it could be worthless, > >> because compromised. Boot from a cd and check from the cd. > > > > I understand. Booted from knoppix 5.0.1, executed a > > > > 'chroot /mnt/hda1 chkrootkit' and a > > 'chroot /mnt/hda1 rkhunter -c' > > > > - both scans brought back nothing. From what I have read the chkrootkit & > > rkhunter binarys would have been from the CD and therefore untainted ? > > Am I > > correct ? > > > > Are there any other checks I can do - re-installing the system is not my > > preferred option :) > > > > Dave > > I'm a newbie, so discount this appropriately. > > 1. IIUC, running rkhunter/chkrootkit from knoppix simply checks the > knoppix cd. > 2. You want second/third opinions. IIWU, > i. I'd scan the box with a Trojan signature scanner - e.g. fprotect, > AntiVir, etc. > from Knoppix - first assuring that you have current signatures. > ii. I'd reemerge/recompile the kernel WITHOUT modules or module > support, and clear out your usr/lib/modules (though IIUC, this > can be foiled). > iii. I'd try zeppoo. > 3. Try to figure out how you got it. e.g. you installed software from an > unreliable source; your privileges are screwed up; you have an unpatched > server(s) running; etc.
I am pretty picky about my software - have not messed with permissions & its a desktop machine not running any external services. > > Maybe.... you could find the both the vector and the lkm - but > understanding that the only real solution to a > rootkit is restoring from a clean backup, or rebuilding :-( ... gulp ... On digging around and listening to you guys I am going to go with a false +ve. My clue came when I discovered how chkrootkit detected the problem ... How accurate is chkproc? If you run chkproc on a server that runs lots of short time processes it could report some false positives. chkproc compares the ps output with the /proc contents. If processes are created/killed during this operation chkproc could point out these PIDs as suspicious. That fits in with the fact that chkrootkit & rkhunter now report clean (& also fits in with someone tinkering from the inside !) I will keep a slightly suspicious eye on the box from now on :) Cheers Dave -- gentoo-user@gentoo.org mailing list
