On Sunday 16 July 2006 15:54, Dave S wrote:
> On Sunday 16 July 2006 19:54, Hemmann, Volker Armin wrote:
> > On Sunday 16 July 2006 20:25, Dave S wrote:
> > > Hi, I have a potential security problem ...
> > >
> > > and err it's not on gentoo, it's on ubuntu but I am not getting any
> > > response there & you guys are the most tech bunch I know - Thought I
> > > would lay it on the table :)
> > >
> > > I just had an email from chkrootkit last night -
> > >
> > > ---
> > >
> > > The following suspicious files and directories were found:
> > >
> > > You have     3 process hidden for readdir command
> > > You have     3 process hidden for ps command
> > > chkproc: Warning: Possible LKM Trojan installed
> > >
> > > ---
> > >
> > > Running chkrootkit now and all is OK
> > >
> > > [EMAIL PROTECTED]:~#
> > > [EMAIL PROTECTED]:~# chkrootkit | grep chkproc
> > > Checking `lkm'... chkproc: nothing detected
> > > [EMAIL PROTECTED]:~#
> > >
> > > I have even 'sudo install --reinstall chkrootkit' in case its binaries
> > > have been modified (paranoid)
> >
> > If you installed using the tools of the system, it could be worthless,
> > because compromised. Boot from a cd and check from the cd.
>
> I understand. Booted from knoppix 5.0.1, executed a
>
> 'chroot /mnt/hda1 chkrootkit' and a
> 'chroot /mnt/hda1 rkhunter -c'
>
> - both scans brought back nothing. From what I have read the chkrootkit &
> rkhunter binaries would have been from the CD and therefore untainted ? Am I
> correct ?
>
> Are there any other checks I can do - re-installing the system is not my
> preferred option :)
>
> Dave

Hi Dave,

Just went through the same scare with an OLD linux server a few weeks ago.

This "could" be a false positive...

What you should do is run chkrootkit with verbose option turned on. Take the 
pids it shows you and compare them to what's listed in /proc. 

Each running process has a pid and it's listed under /proc. In each pid listed 
under /proc there's an /exe link that gives you the path to the program owning 
the pid. There's a /status file that will give you the name of the program. 
There's other info there also. If there are any discrepancies between what's 
listed in /proc and what ps tells you, you've been infected with LKM for sure. 

Naturally, you have to be there when chkrootkit complains...

But don't stop here...

You can also try running rootkit-hunter and compare the output.

You can cp known good tools (in your case, ps) from a backup to your infected 
box and run it to get "true" information. 

I knew a co-worker that ran "tree" across a suspected infected box and found a 
number of hidden directories on it. It was indeed infected.

Also, if this machine was running a firewall, look in the logs. If you've kept 
a running archive, hopefully spanning a week or two, you may be able to 
figure out when and where the attack came from.

Hope that helps.

Jerry
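The /proc-versus-ps cross-check described above, written out as an added Python script (it is not code from the thread, from chkrootkit or from rkhunter). It assumes a Linux /proc and a ps that accepts `-e -o pid=`; the ps_binary parameter is there so a known-good copy of ps can be pointed at, as suggested in the reply. It takes several paired snapshots and reports only PIDs that disagree every time, because processes that start or exit between two listings (the ps child itself included) produce one-off differences that are not evidence of anything.

```python
#!/usr/bin/env python3
"""Cross-check the PIDs /proc exposes against the PIDs ps reports.

A kernel-level (LKM) rootkit that hides a process usually filters it from one
enumeration path but not the other, so a PID present in only one view deserves
a look at its /proc/<pid>/exe link and /proc/<pid>/status Name: field.
Added example for the thread above; not code from the thread.
"""
import os
import re
import subprocess
from typing import Dict, Iterable, List, Set

PID_DIR_RE = re.compile(r"^\d+$")


def pids_from_proc(proc_root: str = "/proc") -> Set[int]:
    """Numeric directory names under /proc: the readdir view chkrootkit refers to."""
    return {int(n) for n in os.listdir(proc_root) if PID_DIR_RE.match(n)}


def pids_from_ps_output(ps_text: str) -> Set[int]:
    """Parse one-PID-per-line text such as `ps -e -o pid=` prints (a header line is ignored)."""
    return {int(t) for t in (line.strip() for line in ps_text.splitlines()) if t.isdigit()}


def pids_from_ps(ps_binary: str = "ps") -> Set[int]:
    """Run ps (ideally a known-good copy given via ps_binary) and collect the PIDs it reports."""
    out = subprocess.run([ps_binary, "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return pids_from_ps_output(out)


def compare_views(proc_pids: Set[int], ps_pids: Set[int]) -> Dict[str, List[int]]:
    """PIDs present in only one of the two views, sorted for stable reporting."""
    return {
        "in_proc_not_ps": sorted(proc_pids - ps_pids),
        "in_ps_not_proc": sorted(ps_pids - proc_pids),
    }


def persistent(rounds: Iterable[Set[int]]) -> Set[int]:
    """PIDs flagged in every round. Short-lived processes and the ps child show up
    once; a process that is being hidden keeps showing up."""
    result = None
    for flagged in rounds:
        result = set(flagged) if result is None else result & set(flagged)
    return result or set()


def parse_status_name(status_text: str) -> str:
    """Extract the Name: field from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("Name:"):
            return line.split(":", 1)[1].strip()
    return "?"


def describe_pid(pid: int, proc_root: str = "/proc") -> Dict[str, str]:
    """Resolve /proc/<pid>/exe and the Name: line of /proc/<pid>/status for one PID.
    Kernel threads and zombies legitimately have no readable exe link, so an
    unreadable exe on its own is not evidence of tampering."""
    base = os.path.join(proc_root, str(pid))
    info = {"pid": str(pid)}
    try:
        info["exe"] = os.readlink(os.path.join(base, "exe"))
    except OSError as err:
        info["exe"] = f"<unreadable: {err.strerror}>"
    try:
        with open(os.path.join(base, "status"), encoding="utf-8", errors="replace") as fh:
            info["name"] = parse_status_name(fh.read())
    except OSError as err:
        info["name"] = f"<unreadable: {err.strerror}>"
    return info


def audit(rounds: int = 3, ps_binary: str = "ps") -> Dict[str, List[Dict[str, str]]]:
    """Take several paired snapshots and describe only PIDs that disagree every time."""
    only_proc, only_ps = [], []
    for _ in range(rounds):
        diff = compare_views(pids_from_proc(), pids_from_ps(ps_binary))
        only_proc.append(set(diff["in_proc_not_ps"]))
        only_ps.append(set(diff["in_ps_not_proc"]))
    return {
        "visible_in_proc_hidden_from_ps": [describe_pid(p) for p in sorted(persistent(only_proc))],
        "visible_to_ps_hidden_from_proc": [{"pid": str(p)} for p in sorted(persistent(only_ps))],
    }


if __name__ == "__main__":
    # Constructed sample: a ps listing that lacks PID 1337 while the "readdir" view has it.
    sample_ps_output = "  PID\n    1\n  42\n"
    sample_proc_view = {1, 42, 1337}
    print("constructed sample:", compare_views(sample_proc_view, pids_from_ps_output(sample_ps_output)))
    if os.path.isdir("/proc"):
        for label, entries in audit().items():
            print(f"{label}: {entries or 'none'}")
```

Run it from the suspect system for a first look, and again after booting clean media and comparing against a ps copied from a trusted backup; if the kernel itself is lying, /proc can lie too, which is why the boot-from-CD check in the thread still matters.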



-- 
gentoo-user@gentoo.org mailing list
