Your message dated Sun, 16 Oct 2005 14:58:28 +1000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#334023: perl: possible LKM Trojan infection
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
From: Marv Stodolsky <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: perl: possible LKM Trojan infection
X-Mailer: reportbug 3.2
Date: Sat, 15 Oct 2005 00:49:39 -0400
Package: perl
Version: 5.8.7-3
Severity: important
# chkrootkit
reported a possible LKM Trojan infection of readdir which is part of the perl
package:
--
Checking `bindshell'... not infected
Checking `lkm'... You have 3 process hidden for readdir command
You have 3 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
--
# apt-get install perl procps
was performed, but chkrootkit gave the same possible LKM Trojan infection
report.
email - [EMAIL PROTECTED]
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (990, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.12-1-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages perl depends on:
ii libc6 2.3.5-6 GNU C Library: Shared libraries an
ii libdb4.2 4.2.52-17 Berkeley v4.2 Database Libraries [
ii libgdbm3 1.8.3-2 GNU dbm database routines (runtime
ii perl-base 5.8.7-3 The Pathologically Eclectic Rubbis
ii perl-modules 5.8.7-3 Core Perl modules
-- no debconf information
---------------------------------------
Date: Sun, 16 Oct 2005 14:58:28 +1000
From: Brendan O'Dea <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: Bug#334023: perl: possible LKM Trojan infection
On Sat, Oct 15, 2005 at 03:01:57PM +0000, [EMAIL PROTECTED] wrote:
>RE: Err, what exactly does this have to do with perl?
>
># grep readdir /var/lib/dpkg/info/*.list
>/var/lib/dpkg/info/manpages-dev.list:/usr/share/man/man2/readdir.2.gz
>/var/lib/dpkg/info/manpages-dev.list:/usr/share/man/man3/readdir.3.gz
>/var/lib/dpkg/info/perl.list:/usr/lib/perl/5.8.7/auto/POSIX/readdir.al <<<perl
>
>PERL is the host package for readdir
readdir is a system call, not a program (man 2 readdir). POSIX
specifies an API to this system call (man 3 readdir). Perl provides a
POSIX API (man 3perl POSIX).
A "LKM Trojan" is a loadable kernel module which can hide
processes from a listing of /proc, and hence ps.
http://la-samhna.de/library/rootkits/list.html
It appears that chkrootkit has a program which attempts to determine if
processes have been hidden. This program opens /proc and uses readdir
(the system call, via the C library, not perl) to get the contents. If
processes exist, but were not returned by readdir it issues the warning
you saw.
>> On Sat, Oct 15, 2005 at 12:49:39AM -0400, Marv Stodolsky wrote:
>> >Checking `lkm'... You have 3 process hidden for readdir command
>> >You have 3 process hidden for ps command
>> >Warning: Possible LKM Trojan installed
This program is fairly racy and would appear to generate false positives
relatively frequently:
http://lists.debian.org/debian-security/2003/05/msg00317.html
You should have your machine as idle as possible when running the test.
--bod
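
The check described in the reply above, and one way to damp its race, as an added example (not chkrootkit's source and not part of the original message): it lists /proc with readdir, probes every PID with kill(pid, 0), and counts only PIDs that are alive but unlisted in two consecutive passes. The function names, the 32768 PID ceiling and the thread-leader filter are assumptions of this sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#define MAX_PID 32768 /* assumption: PIDs above the classic pid_max are not probed */
struct pass { unsigned char vis[MAX_PID], live[MAX_PID]; }; /* one observation of /proc */
int pid_from_name(const char *s) { /* -1 for entries such as "self" or "meminfo" */
    char *end;
    long v = strtol(s, &end, 10);
    return (*s >= '0' && *s <= '9' && !*end && v > 0 && v < MAX_PID) ? (int)v : -1;
}
/* Thread IDs answer kill() but are never listed in /proc, so count only leaders. */
int is_leader(int pid) {
    char path[64], line[128];
    int tgid = pid;
    snprintf(path, sizeof path, "/proc/%d/status", pid);
    FILE *f = fopen(path, "r");
    if (!f) return 1; /* unreadable: leave it for the second pass to settle */
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "Tgid: %d", &tgid) == 1) break;
    fclose(f);
    return tgid == pid;
}
/* One pass: vis[pid] = returned by readdir(), live[pid] = answers kill(pid, 0). */
int snapshot(const char *dir, struct pass *p) {
    DIR *d = opendir(dir);
    struct dirent *e;
    int pid;
    if (!d) return -1;
    *p = (struct pass){0};
    while ((e = readdir(d)) != NULL)
        if ((pid = pid_from_name(e->d_name)) > 0) p->vis[pid] = 1;
    closedir(d);
    for (pid = 1; pid < MAX_PID; pid++) /* processes start and exit meanwhile */
        p->live[pid] = (kill(pid, 0) == 0 || errno == EPERM) && is_leader(pid);
    return 0;
}
int confirmed_hidden(const struct pass *a, const struct pass *b) {
    int n = 0; /* PIDs live but unlisted in BOTH passes; a one-pass mismatch is a race */
    for (int pid = 1; pid < MAX_PID; pid++)
        n += a->live[pid] && !a->vis[pid] && b->live[pid] && !b->vis[pid];
    return n;
}
int main(void) {
    static struct pass a, b;
    if (snapshot("/proc", &a) || snapshot("/proc", &b)) return 2;
    printf("live but unlisted in both passes: %d\n", confirmed_hidden(&a, &b));
}
```

A process that starts between the readdir loop and the kill loop, or exits between the two passes, shows up as a mismatch in only one pass and is not counted.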