Very briefly, this is what happens to me:
In a GNOME session, su -, chkrootkit, and it tells me: possible LKM trojan: you
have xx hidden processes for ps command.
In detail, this is what happens:
# telinit 3
[....]
# cd chkrootkit
# ./chkproc
<silence>
# telinit 5
[log in to GNOME as an ordinary user; nautilus starts as well, etc.]
THE PROBLEM: when I run chkproc (from chkrootkit) again, it reports
hidden processes (about 7, or even 20 on a good day).
If I kill nautilus (after removing its respawn from sessions etc.),
chkrootkit is happy.
Steps I took to get to the bottom of it:
rpm -Vf `which nautilus` -- everything is ok
md5sum `which nautilus` -- compared with another system (xcyborg's), it's ok
# ps -afuxw | grep [n]autilus
rudy 9145 0.0 1.5 99548 7728 ? S Jun10 0:03 nautilus --sm-config-prefix /nautilus-r0nhF4/ --sm-client-id 113ee77004000105200222300000028430002 --screen 0 --no-default-window
[just 1 line!]
Brute force, however, shows this:
# cd /proc
# for i in `seq 1 33000`; do
    test -f $i/cmdline && (echo -n $i ' '; cat $i/cmdline); echo
  done | grep '[n]autilus'
9145
nautilus--sm-config-prefix/nautilus-r0nhF4/--sm-client-id113ee77004000105200222300000028430002--screen0--no-default-window
9160
nautilus--sm-config-prefix/nautilus-r0nhF4/--sm-client-id113ee77004000105200222300000028430002--screen0--no-default-window
9161
nautilus--sm-config-prefix/nautilus-r0nhF4/--sm-client-id113ee77004000105200222300000028430002--screen0--no-default-window
9165
nautilus--sm-config-prefix/nautilus-r0nhF4/--sm-client-id113ee77004000105200222300000028430002--screen0--no-default-window
9166
nautilus--sm-config-prefix/nautilus-r0nhF4/--sm-client-id113ee77004000105200222300000028430002--screen0--no-default-window
9167
nautilus--sm-config-prefix/nautilus-r0nhF4/--sm-client-id113ee77004000105200222300000028430002--screen0--no-default-window
9168
nautilus--sm-config-prefix/nautilus-r0nhF4/--sm-client-id113ee77004000105200222300000028430002--screen0--no-default-window
9169
nautilus--sm-config-prefix/nautilus-r0nhF4/--sm-client-id113ee77004000105200222300000028430002--screen0--no-default-window
9170
nautilus--sm-config-prefix/nautilus-r0nhF4/--sm-client-id113ee77004000105200222300000028430002--screen0--no-default-window
9171
nautilus--sm-config-prefix/nautilus-r0nhF4/--sm-client-id113ee77004000105200222300000028430002--screen0--no-default-window
Whoever tries this will see something apparently ok in /proc/xxx/ (where xxx is
one of the ones that don't show up in ps):
- exe points to /usr/bin/nautilus,
- fd/1 to ~/.xsession-errors
- and, interestingly, one fd points like this:
lr-x------ 1 rudy rudy 64 Jun 11 01:26 16 -> /proc/9145/mounts
(9145 being the one visible in ps)
I reproduced this on another RH9 as well, but google, redhat-list etc. don't
point to any known problem. Clearly I'm not the first to run chkrootkit in a
gnome-terminal on rh9, but I don't see what I'm missing.
The reproduction even worked on a system running KDE: just launching a
nautilus made chkrootkit start screaming.
Maybe I'm talking nonsense: is it a fashion in Red Hat's kernel to hide what
used to be pthreads this way, or what is going on?
Thanks in advance,
rudy
PS I confirm that I expect replies along the lines of 'reinstall urgently from
CD with verified md5sum etc.'. I'd still rather understand it, at worst
through 'the rest of us on rh9 running nautilus don't see this'.
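One way to turn the brute-force check above into a reusable script, as an added example that is not part of the original post or of chkrootkit: it walks the PID space by path the way the for loop does, diffs the result against what readdir() of /proc returns (which is where ps and chkproc get their list), and for every PID that only the brute-force pass finds it reads the Tgid line of /proc/PID/status. A hidden PID whose Tgid is a listed process is a thread of that process, which is what the nautilus PIDs look like; a hidden PID that is its own thread group, or whose leader is hidden too, is the case chkrootkit is actually meant to catch. The script assumes that /proc/PID/status carries a Tgid: line (the post does not show one) and that ps builds its list from readdir(/proc); the PROC and MAXPID variables and the function names are mine, not from any tool.

```shell
#!/bin/sh
# Added example (not from the original post or from chkrootkit): find PIDs
# that are reachable by path but absent from readdir(/proc), then explain
# each one by its thread group in /proc/PID/status.
#
# Assumptions: /proc/PID/status has a "Tgid:" line, and ps lists processes
# from the same readdir(/proc) that `ls /proc` performs, so "not in ls /proc"
# means the same as "hidden for ps" in chkproc's report.

PROC=${PROC:-/proc}      # override to point the checker at a test tree
MAXPID=${MAXPID:-32768}  # raise if /proc/sys/kernel/pid_max is larger

# PIDs the kernel returns to readdir(): what ps and chkproc see.
listed_pids() {
    ls "$PROC" 2>/dev/null | grep '^[0-9][0-9]*$'
}

# PIDs reachable by path even when readdir() omits them (the post's loop).
brute_pids() {
    i=1
    while [ "$i" -le "$MAXPID" ]; do
        [ -r "$PROC/$i/status" ] && echo "$i"
        i=$((i + 1))
    done
}

# The difference between the two lists: what chkproc calls "hidden".
hidden_pids() {
    tmp=$(mktemp) || return 1
    listed_pids | sort > "$tmp"
    brute_pids | sort | comm -23 - "$tmp"
    rm -f "$tmp"
}

# Thread group id of a PID; empty if the status file cannot be read.
tgid_of() {
    awk '/^Tgid:/ { print $2 }' "$PROC/$1/status" 2>/dev/null || true
}

# Classify one hidden PID. Prints "PID verdict [Tgid]".
classify() {
    pid=$1
    tgid=$(tgid_of "$pid")
    if [ -z "$tgid" ]; then
        echo "$pid unreadable"
    elif [ "$tgid" != "$pid" ] && listed_pids | grep -qx "$tgid"; then
        # A thread of a listed process: benign, the nautilus case in the post.
        echo "$pid thread-of $tgid"
    else
        # Its own thread group, or its leader is hidden too: look closer.
        echo "$pid suspicious $tgid"
    fi
}

# Walk the hidden set and explain each entry.
report() {
    for p in $(hidden_pids); do
        classify "$p"
    done
}

# Usage: sh procwalk.sh run   (as root, so every /proc/PID/status is readable)
case "${1:-}" in run) report ;; esac
```

Run it as root so that every status file is readable; an "unreadable" verdict otherwise just means permissions. Current kernels also keep thread IDs out of readdir(/proc) while leaving /proc/TID reachable, so on any box with a multithreaded process running the script reproduces the post's observation, and the thread-of verdict is the expected outcome for those PIDs.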