Package: chkrootkit
Version: 0.44-2

When processes with long command lines (>1024 bytes) are running, then chkrootkit may have false positives for LKM Trojan. The reason is that chkproc crashes with "OooPS, not expected 123456789 value".

The bug can be reproduced by running, e.g.,

    xmessage `perl -e 'print "123456789 " x 150'`

(just to have a process with a long command line) and then running chkrootkit.

The bug can be found in the source chkproc.c lines 164-183:

    while (fgets(buf, MAX_BUF, ps)) {
        p = buf;
    #if defined(__sun)
        while (isspace(*p)) /* Skip spaces */
            p++;
    #endif
        while (!isspace(*p)) /* Skip User */
            p++;
        while (isspace(*p)) /* Skip spaces */
            p++;
        /* printf(">>%s<<\n", p); /* -- DEBUG */
        ret = atol(p);
        if ( ret < 0 || ret > MAX_PROCESSES ) {
            fprintf (stderr, " OooPS, not expected %d value\n", ret);
            exit (2);
        }
        psproc[ret] = 1;
    }

This loop reads the output of a ps command. But this fails if ps outputs a line longer than 1024 (=MAX_BUF) bytes. When processing a long line, fgets first returns the first 1024 bytes of the line and then the following parts. But the loop body takes the continued line for a new line of the ps output. If, as in the given example, the command line contains words starting with numbers, then these numbers may be taken as process ids. Instead, when processing long lines, it must be checked if the whole line has already been read before the next loop starts.

Hope that helped...

Ingo.
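An added illustration, not part of Ingo's report and not chkrootkit's own code: the same loop written twice in C, once as the naive version that treats every fgets() chunk as a new ps line, and once with the "has the whole line been read?" check the report asks for. MAX_PROCESSES, the function names and the ps sample (built inside the program to mimic the xmessage command above) are assumptions made for this demo.

```c
/* Added example (not chkrootkit's code): the ps-parsing loop from the report,
 * once as the naive version that treats every fgets() chunk as a new line and
 * once with the "whole line read?" check the report asks for.
 * MAX_PROCESSES, the function names and the ps sample are constructed here. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BUF 1024          /* buffer size named in the report */
#define MAX_PROCESSES 99999   /* assumed bound, chosen for the demo */

typedef int (*ps_parser)(FILE *, unsigned char *);

/* Skip "USER" and surrounding spaces, return the PID column of one chunk. */
static long pid_of(char *p)
{
    while (isspace((unsigned char)*p)) p++;          /* leading spaces */
    while (*p && !isspace((unsigned char)*p)) p++;   /* skip User */
    while (isspace((unsigned char)*p)) p++;          /* spaces before PID */
    return atol(p);
}

/* Naive loop: every chunk fgets() returns is taken as a fresh ps line.
 * Returns the number of PIDs recorded, or -1 on an out-of-range value,
 * i.e. the condition that made chkproc print "OooPS" and exit. */
int scan_ps_naive(FILE *ps, unsigned char *psproc)
{
    char buf[MAX_BUF];
    int count = 0;

    while (fgets(buf, MAX_BUF, ps)) {
        long ret = pid_of(buf);
        if (ret < 0 || ret > MAX_PROCESSES)
            return -1;
        psproc[ret] = 1;
        count++;
    }
    return count;
}

/* Fixed loop: if the chunk holds no '\n', fgets() stopped mid-line, so the
 * rest of that ps line is drained before the next iteration starts. */
int scan_ps_fixed(FILE *ps, unsigned char *psproc)
{
    char buf[MAX_BUF];
    int count = 0;

    while (fgets(buf, MAX_BUF, ps)) {
        long ret = pid_of(buf);
        if (ret < 0 || ret > MAX_PROCESSES)
            return -1;
        psproc[ret] = 1;
        count++;

        if (strchr(buf, '\n') == NULL) {
            int c;
            while ((c = fgetc(ps)) != EOF && c != '\n')
                ;   /* discard the continuation of the long line */
        }
    }
    return count;
}

/* Constructed ps-style sample: the middle line mimics the xmessage command
 * from the report and is well over MAX_BUF bytes long. */
static char *sample_ps(void)
{
    static char sample[4096];
    size_t n = 0;

    n += snprintf(sample + n, sizeof sample - n, "root         1  0.0  0.1  init\n");
    n += snprintf(sample + n, sizeof sample - n, "ingo      4242  0.0  0.5  xmessage");
    for (int i = 0; i < 150; i++)
        n += snprintf(sample + n, sizeof sample - n, " 123456789");
    n += snprintf(sample + n, sizeof sample - n, "\nroot         7  0.0  0.0  kthreadd\n");
    return sample;
}

/* Run one parser over the in-memory sample; returns its result (count or -1). */
int run_parser(ps_parser parse, unsigned char *psproc)
{
    char *text = sample_ps();
    FILE *f = fmemopen(text, strlen(text), "r");
    int result;

    if (!f)
        return -2;
    memset(psproc, 0, MAX_PROCESSES + 1);
    result = parse(f, psproc);
    fclose(f);
    return result;
}

int main(void)
{
    static unsigned char psproc[MAX_PROCESSES + 1];

    printf("naive: %d\n", run_parser(scan_ps_naive, psproc));  /* -1: the "OooPS" path */
    printf("fixed: %d (pids 1,4242,7 seen: %d %d %d)\n",
           run_parser(scan_ps_fixed, psproc), psproc[1], psproc[4242], psproc[7]);
    return 0;
}
```

Compile with cc and run: the naive parser hits the continuation chunk, reads "123456789" as a PID and returns -1, which is exactly the path that produced the error message in the report; the fixed parser records the three real PIDs. Draining the remainder with fgetc is the smallest change that makes the loop line-aware; reading whole lines into a growing buffer would work as well.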