Re: LKM
I'm not running nautilus... however, I see port 37021 listed in the tiger return file. When this port was being used, I saw my ssh connection at that moment. I'm running portsentry, and when I ran tiger it was disabled. I only want to understand why this happens.

On Mon, 2004-01-26 at 18:38, Yannick Roehlly wrote:
> Thiago Ribeiro [EMAIL PROTECTED] writes:
> > Hi,
> > When I run tiger, I get the following error:
> >   NEW: --WARN-- [rootkit004f] Chkrootkit has detected a possible rootkit installation
> >   NEW: Warning: Possible LKM Trojan installed
> > But I already listed my processes and found nothing... What can this be?
>
> Are you running nautilus? Apparently, some of the nautilus processes are hidden (I don't know why) and thus make chkrootkit complain about a possible LKM infection.
>
> Try a:
>
>   $ chkrootkit -x lkm
>
> Yannick

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: LKM
On Monday, 2004-01-26 at 21:38:54 +0100, Yannick Roehlly wrote:
> Thiago Ribeiro [EMAIL PROTECTED] writes:
> > Hi,
> > When I run tiger, I get the following error:
> >   NEW: --WARN-- [rootkit004f] Chkrootkit has detected a possible rootkit installation
> >   NEW: Warning: Possible LKM Trojan installed
> > But I already listed my processes and found nothing... What can this be?
>
> Are you running nautilus? Apparently, some of the nautilus processes are hidden (I don't know why) and thus make chkrootkit complain about a possible LKM infection.
>
> Try a:
>
>   $ chkrootkit -x lkm

chkrootkit has an impedance mismatch with ps. This has been discussed before.

  antalya:~# chkrootkit -x lkm
  ROOTDIR is `/'
  ###
  ### Output of: ./chkproc -v -v
  ###
  PID     3: not in ps output
  CWD     3: /
  EXE     3: /
  PID     4: not in ps output
  CWD     4: /
  EXE     4: /
  PID     5: not in ps output
  CWD     5: /
  EXE     5: /
  PID     6: not in ps output
  CWD     6: /
  EXE     6: /
  You have 4 process hidden for ps command

ps -ef lists these:

  root         0     1  0 Jan19 ?        00:00:00 [ksoftirqd_CPU0]
  root         0     1  0 Jan19 ?        00:03:40 [kswapd]
  root         0     1  0 Jan19 ?        00:00:00 [bdflush]
  root         0     1  0 Jan19 ?        00:00:06 [kupdated]

So ps does not give chkrootkit a PID, but /proc has those processes.

Lupe Christoph
--
| [EMAIL PROTECTED]                     | http://www.lupe-christoph.de/ |
| Violence is the resort of the violent      Lu Tze                   |
| Thief of Time, Terry Pratchett                                      |
Re: chrootkit and false LKM positive
On Tuesday, 2004-01-27 at 12:19:41 +0100, Yannick Roehlly wrote:
> The false LKM positives seem to result from a bug in chkrootkit which is not aware of the new threading model of the 2.6 kernel. See bug #222179.

Not exactly true. This is also in recent 2.4.x kernels. See my other mail. I'm running 2.4.23.

Lupe Christoph
--
| [EMAIL PROTECTED]                     | http://www.lupe-christoph.de/ |
| Violence is the resort of the violent      Lu Tze                   |
| Thief of Time, Terry Pratchett                                      |
Re: chrootkit and false LKM positive
On Tue 27/01/2004 at 13:34, Lupe Christoph wrote:
> On Tuesday, 2004-01-27 at 12:19:41 +0100, Yannick Roehlly wrote:
> > The false LKM positives seem to result from a bug in chkrootkit which is not aware of the new threading model of the 2.6 kernel. See bug #222179.
>
> Not exactly true. This is also in recent 2.4.x kernels. See my other mail. I'm running 2.4.23.

I had false positives as well with busy servers running Exim (and on 2.4 kernels).

> Lupe Christoph
> --
> | [EMAIL PROTECTED]                     | http://www.lupe-christoph.de/ |
> | Violence is the resort of the violent      Lu Tze                   |
> | Thief of Time, Terry Pratchett                                      |
chrootkit and false LKM positive
Hi!

The false LKM positives seem to result from a bug in chkrootkit which is not aware of the new threading model of the 2.6 kernel. See bug #222179.

Yannick
Re: chrootkit and false LKM positive
thanks..

On Tue, 2004-01-27 at 09:19, Yannick Roehlly wrote:
> Hi!
>
> The false LKM positives seem to result from a bug in chkrootkit which is not aware of the new threading model of the 2.6 kernel. See bug #222179.
>
> Yannick
Re: LKM
On Mon, Jan 26, 2004 at 02:36:39PM -0500, Greg Folkert wrote:
> > When I run tiger, I get the following error:
> >   NEW: --WARN-- [rootkit004f] Chkrootkit has detected a possible rootkit installation
> >   NEW: Warning: Possible LKM Trojan installed
> (...)
> Please make sure this isn't the faulty chkrootkit... that mis-reported an LKM existing on your boxen.

I believe chkrootkit is to blame here; the LKM check is prone to a lot of false positives in sid. I haven't been able to pinpoint what causes this; unfortunately it comes (NEW) and goes (OLD), so it's not cleaned by Tiger's "do not send me stuff I already know about" mechanism.

There are some known false positives in chkrootkit [1], and given the way it checks for some of the rootkits it's bound to fail sometimes. Also notice that there are known issues with the latest kernel (2.6) and glibc (some processes will not show up no matter what). Also, nautilus and mozilla-firebird seem to cause these false positives (as reported in bug #222179).

It would be great if chkrootkit would detail more in the output message which hidden process leads it to believe there is an LKM, so that these could be filtered through Tiger's ignore mechanism...

Regards

Javi

[1] http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=chkrootkit
Re: LKM
On Mon, 2004-01-26 at 11:40, Thiago Ribeiro wrote:
> Hi,
> When I run tiger, I get the following error:
>   NEW: --WARN-- [rootkit004f] Chkrootkit has detected a possible rootkit installation
>   NEW: Warning: Possible LKM Trojan installed
> But I already listed my processes and found nothing... What can this be?

You know what an LKM is? It's a Loadable Kernel Module, and it can hide itself and processes and files... So please check your computer.
Re: LKM
On Mon, 2004-01-26 at 10:06, Matthijs wrote:
> On Mon, 2004-01-26 at 11:40, Thiago Ribeiro wrote:
> > Hi,
> > When I run tiger, I get the following error:
> >   NEW: --WARN-- [rootkit004f] Chkrootkit has detected a possible rootkit installation
> >   NEW: Warning: Possible LKM Trojan installed
> > But I already listed my processes and found nothing... What can this be?
>
> You know what an LKM is? It's a Loadable Kernel Module, and it can hide itself and processes and files... So please check your computer.

Please make sure this isn't the faulty chkrootkit... that mis-reported an LKM existing on your boxen.

First off, what version of tiger and chkrootkit are you using? If chkrootkit is not the misguided version, use the latest versions of both.
--
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry
Re: LKM
Thiago Ribeiro [EMAIL PROTECTED] writes:
> Hi,
> When I run tiger, I get the following error:
>   NEW: --WARN-- [rootkit004f] Chkrootkit has detected a possible rootkit installation
>   NEW: Warning: Possible LKM Trojan installed
> But I already listed my processes and found nothing... What can this be?

Are you running nautilus? Apparently, some of the nautilus processes are hidden (I don't know why) and thus make chkrootkit complain about a possible LKM infection.

Try a:

  $ chkrootkit -x lkm

Yannick
LKM
Hi,

When I run tiger, I get the following error:

  NEW: --WARN-- [rootkit004f] Chkrootkit has detected a possible rootkit installation
  NEW: Warning: Possible LKM Trojan installed

But I already listed my processes and found nothing... What can this be?
Re: chkrootkit and lkm
This one time, at band camp, Michael Parkinson said:
> Umm, I have the same problem. If I kill Exim and Spamassassin no hidden processes are reported. Under normal load I sometimes get 1-7 hidden processes. Was in a state of panic, but it does appear that Exim and Spamassassin combined do create false positives.

This is a known bug in chkrootkit - there is a race condition in the code such that on a relatively busy system (or a sluggish one), there is a difference in the output because of time lag - first it checks ps, then it checks /proc, and if they disagree, it reports.

> Can this be fixed?

Hopefully. It is irksome, but not the end of the world.
--
Stephen Gran
[EMAIL PROTECTED]
Debian user, admin, and developer
http://www.debian.org
Re: chkrootkit and lkm
On Tue, 25.11.2003 at 21:18, Johannes Graumann wrote:
> I was just running 'chkrootkit' and came across this warning:
>   Checking `lkm'... You have 4 process hidden for ps command
>   Warning: Possible LKM Trojan installed

The same here (debian_sid):

  [EMAIL PROTECTED]:~# chkrootkit lkm
  ROOTDIR is `/'
  Checking `lkm'... You have 5 process hidden for ps command
  Warning: Possible LKM Trojan installed
  [EMAIL PROTECTED]:~#

> Am I right to assume that this is not the lkm kit, but rather some weirdness in PID assignment? The same PID thing is happening on my testing/unstable laptop - compromised as well or something else amiss in the distro, maybe related to the server break-ins?

I do not think that it is a problem due to the compromised servers, because I noticed this on machines which had not been updated since these server hacks. I think this is a bug in the chkrootkit package, although it has not been reported on the bug list. But please be careful, it is only my opinion; I will not guarantee that the hack is not the cause of the problem ;)

Greetz,
Andre
--
BOFH-excuse of the day: Traceroute says that there is a routing problem in the backbone. It's not our problem.
Re: chkrootkit and lkm
In article [EMAIL PROTECTED] you wrote:
> Am I right to assume that this is not the lkm kit, but rather some weirdness in PID assignment?

It is a ps/kernel bug, try top.

Greetings
Bernd
--
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/
Re: chkrootkit and lkm
I'm not quite sure if I'm right... but isn't there a kernel bug displaying some processes with PID 0 in ps or top? Maybe lkm is using this... just a thought.

greets
Werner

> Checking `lkm'... You have 4 process hidden for ps command
> Warning: Possible LKM Trojan installed
> I
RE: chkrootkit and lkm
Umm, I have the same problem. If I kill Exim and Spamassassin no hidden processes are reported. Under normal load I sometimes get 1-7 hidden processes. Was in a state of panic, but it does appear that Exim and Spamassassin combined do create false positives.

Can this be fixed?

Mike

On Wed 26/11/2003 at 01:17, Michael Bordignon wrote:
> > I was just running 'chkrootkit' and came across this warning:
> >   Checking `lkm'... You have 4 process hidden for ps command
> >   Warning: Possible LKM Trojan installed
> > I have the same problem.. I believe it's a bug in chkrootkit
>
> Do you stop the services before running chkrootkit? It can happen that chkrootkit reports false positives on a machine still running services. I had the experience with exim. When I stopped it I had no false positives...
>
> Michael
RE: chkrootkit and lkm
On Wed 26/11/2003 at 01:17, Michael Bordignon wrote:
> > I was just running 'chkrootkit' and came across this warning:
> >   Checking `lkm'... You have 4 process hidden for ps command
> >   Warning: Possible LKM Trojan installed
> I have the same problem.. I believe it's a bug in chkrootkit

Do you stop the services before running chkrootkit? It can happen that chkrootkit reports false positives on a machine still running services. I had the experience with exim. When I stopped it I had no false positives...

Michael
chkrootkit and lkm
Hello,

This is a testing/unstable system. I was just running 'chkrootkit' and came across this warning:

  Checking `lkm'... You have 4 process hidden for ps command
  Warning: Possible LKM Trojan installed

I did some reading and made sure the number is not changing (due to running 'chkrootkit' while new processes are started and /proc and 'ps' are not synchronized) - it remains 4. I then went ahead and manually checked the output of 'ls -a /proc' against that of 'ps -A' and found out that there are 4 processes in /proc (3-6) which don't show up as PIDs in the 'ps -A' output. There are however four processes (ksoftirqd_CPU0, kswapd, bdflush, kupdated) in existence that show a PID of 0.

Am I right to assume that this is not the lkm kit, but rather some weirdness in PID assignment? The same PID thing is happening on my testing/unstable laptop - compromised as well or something else amiss in the distro, maybe related to the server break-ins?

Any comment is highly appreciated.

Joh
Re: chkrootkit and lkm
Thanks to everybody who was taking the time to soothe the novice ... ;0)

Joh

On Tue, 25 Nov 2003 12:18:35 -0800 Johannes Graumann [EMAIL PROTECTED] wrote:
> Hello,
>
> This is a testing/unstable system. I was just running 'chkrootkit' and came across this warning:
>
>   Checking `lkm'... You have 4 process hidden for ps command
>   Warning: Possible LKM Trojan installed
>
> I did some reading and made sure the number is not changing (due to running 'chkrootkit' while new processes are started and /proc and 'ps' are not synchronized) - it remains 4. I then went ahead and manually checked the output of 'ls -a /proc' against that of 'ps -A' and found out that there are 4 processes in /proc (3-6) which don't show up as PIDs in the 'ps -A' output. There are however four processes (ksoftirqd_CPU0, kswapd, bdflush, kupdated) in existence that show a PID of 0.
>
> Am I right to assume that this is not the lkm kit, but rather some weirdness in PID assignment? The same PID thing is happening on my testing/unstable laptop - compromised as well or something else amiss in the distro, maybe related to the server break-ins?
>
> Any comment is highly appreciated.
>
> Joh
Re: chkrootkit and lkm
On Tue, Nov 25, 2003 at 06:42:21PM -0600, Adam Heath scribbled:
[snip]
> > There are however four processes (ksoftirqd_CPU0, kswapd, bdflush, kupdated) in existence that show a PID of 0. Am I right to assume that this is not the lkm kit, but rather some weirdness in PID assignment? The same PID thing is happening on my testing/unstable laptop - compromised as well or something else amiss in the distro, maybe related to the server break-ins?
>
> Are you running 2.6, or the backported TLS patches on 2.4?

It seems it's not only there. I think it's also the -aa kernels which show this behavior (that would include 2.4.23rcX).

marek
Re: chkrootkit and lkm
On Tue, 2003-11-25 at 20:18, Johannes Graumann wrote:
[...]
> I was just running 'chkrootkit' and came across this warning:
>   Checking `lkm'... You have 4 process hidden for ps command
>   Warning: Possible LKM Trojan installed
[...]
> I then went ahead and manually checked the output of 'ls -a /proc' against that of 'ps -A' and found out that there are 4 processes in /proc (3-6) which don't show up as PIDs in the 'ps -A' output. There are however four processes (ksoftirqd_CPU0, kswapd, bdflush, kupdated) in existence that show a PID of 0.
>
> Am I right to assume that this is not the lkm kit, but rather some weirdness in PID assignment?

Yes. Well, rather to do with how `ps' handles the processes in question.

> The same PID thing is happening on my testing/unstable laptop - compromised as well or something else amiss in the distro, maybe related to the server break-ins?

It's nothing at all to do with the compromise, and everything to do with URL:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217525 (`ps shows incorrect pid value') and URL:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217278 (`chkrootkit: doesn't work too well with kernel threads').

(FWIW, the bugs were filed 31 and 33 days ago, against procps and chkrootkit respectively, and URL:http://bugs.debian.org/{procps,chkrootkit} is currently operational, although lacking a record of activity since late last week.)

Your machine is behaving no more strangely than thousands of other sarge/sid boxes. :-)

Adam
Re: chkrootkit and lkm
On Tue, Nov 25, 2003 at 12:18:35PM -0800, Johannes Graumann wrote:
> Hello,
>
> This is a testing/unstable system. I was just running 'chkrootkit' and came across this warning:
>
>   Checking `lkm'... You have 4 process hidden for ps command
>   Warning: Possible LKM Trojan installed
(...)
> Any comment is highly appreciated.

This is a known bug in chkrootkit; it does not understand processes with pid '0' (kernel threads) which are not listed under /proc and emits this alert. As a matter of fact it was reported previous to the compromise. Please check the following bugs for more information:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217278
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217278

HTH

Javi
RE: chkrootkit and lkm
> I was just running 'chkrootkit' and came across this warning:
>   Checking `lkm'... You have 4 process hidden for ps command
>   Warning: Possible LKM Trojan installed

I have the same problem.. I believe it's a bug in chkrootkit

Michael
Re: chkrootkit and lkm
On Tue, 25 Nov 2003, Johannes Graumann wrote:
> Hello,
>
> This is a testing/unstable system. I was just running 'chkrootkit' and came across this warning:
>
>   Checking `lkm'... You have 4 process hidden for ps command
>   Warning: Possible LKM Trojan installed
>
> I did some reading and made sure the number is not changing (due to running 'chkrootkit' while new processes are started and /proc and 'ps' are not synchronized) - it remains 4. I then went ahead and manually checked the output of 'ls -a /proc' against that of 'ps -A' and found out that there are 4 processes in /proc (3-6) which don't show up as PIDs in the 'ps -A' output. There are however four processes (ksoftirqd_CPU0, kswapd, bdflush, kupdated) in existence that show a PID of 0.
>
> Am I right to assume that this is not the lkm kit, but rather some weirdness in PID assignment? The same PID thing is happening on my testing/unstable laptop - compromised as well or something else amiss in the distro, maybe related to the server break-ins?

Are you running 2.6, or the backported TLS patches on 2.4?
Re: chkrootkit and LKM
On Mon, 2003-05-26 at 23:27, IC0N wrote:
> Checking `lkm'... You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> Sometimes I get 2 or 3 processes, sometimes NONE

If a process is created between the output of ps and the readdir then you will see this sort of output from chkrootkit. However, run chkrootkit several times and if the hidden process number is the same each time then you should be more suspicious.

If you consistently get the same hidden process number then try changing into its directory in /proc. Eg. if process 26262 is hidden then try accessing the directory /proc/26262. If the directory exists then you may be dealing with a lkm trojan.

Regards.
Mark.
chkrootkit and LKM
Bonjour

as Jacques Lavignotte [EMAIL PROTECTED] and Jens Schuessler [EMAIL PROTECTED] posted in their mails at 7th of March 2003 I have exactly the same alert message using chkrootkit:

Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed

Sometimes I get 2 or 3 processes, sometimes NONE

Is there a plausible reason why there could be a hidden process? Hidden even for root? Even if LKM is not installed? I did not find any possible reason. I only know that I can also reproduce the alert by installing debian on a brand new harddisk. I used debian woody 3.0 with kernel 2.2 CD Image of 11th of december 2002.

greetings
icon
Re: chkrootkit and LKM
The prog compares the process list in /proc and the output of the command 'ps'. So, when chkrootkit lists /proc and then gets the output from ps, the time between the two operations is large enough for other processes to be created (or to die/be killed)... that's why this check is not VERY reliable.

E.
--
Eric LeBlanc [EMAIL PROTECTED]
--
UNIX is user friendly. It's just selective about who its friends are.
==

On Mon, 26 May 2003, IC0N wrote:
> Bonjour
>
> as Jacques Lavignotte [EMAIL PROTECTED] and Jens Schuessler [EMAIL PROTECTED] posted in their mails at 7th of March 2003 I have exactly the same alert message using chkrootkit:
>
> Checking `lkm'... You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> Sometimes I get 2 or 3 processes, sometimes NONE
>
> Is there a plausible reason why there could be a hidden process? Hidden even for root? Even if LKM is not installed? I did not find any possible reason. I only know that I can also reproduce the alert by installing debian on a brand new harddisk. I used debian woody 3.0 with kernel 2.2 CD Image of 11th of december 2002.
>
> greetings
> icon

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
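The check Mark and Eric describe above (repeat the comparison to rule out the /proc-versus-ps race, then look at what /proc says about any PID that stays hidden), as an added POSIX shell example that is not from the thread or from chkrootkit. The five-run count, the `ps -A -o pid=` invocation and the empty-cmdline kernel-thread heuristic are this example's assumptions.

```shell
#!/bin/sh
# Added example (not chkrootkit's code): repeat the /proc-vs-ps comparison,
# keep only PIDs hidden in every run (filters out the timing race), then
# label the survivors from /proc. Run count and heuristics are assumptions.

# hidden_pids PROC_PIDS PS_PIDS: PIDs in the first newline-separated
# list that are absent from the second.
hidden_pids() {
    { printf '%s\n' "$2"; echo '---'; printf '%s\n' "$1"; } | awk '
        /^---$/  { in_proc = 1; next }
        !in_proc { if ($1 ~ /^[0-9]+$/) seen[$1] = 1; next }
        $1 ~ /^[0-9]+$/ && !($1 in seen) { print $1 }'
}
# One live snapshot: numeric /proc entries against ps -A.
snapshot_hidden() {
    hidden_pids "$(ls /proc | grep -E '^[0-9]+$')" "$(ps -A -o pid=)"
}
# persistent_hidden N: PIDs reported hidden in all N snapshots.
persistent_hidden() {
    runs=$1; i=0; all=''
    while [ "$i" -lt "$runs" ]; do
        all="$all
$(snapshot_hidden)"
        i=$((i + 1))
    done
    printf '%s\n' "$all" | awk -v n="$runs" '
        $1 ~ /^[0-9]+$/ { c[$1]++ }
        END { for (p in c) if (c[p] == n) print p }' | sort -n
}
# describe_pid PID: kernel threads (kswapd, ksoftirqd, ... like PIDs 3-6 in
# this thread) have an empty cmdline; a hidden PID with a real command line
# deserves a closer look.
describe_pid() {
    pid=$1
    if [ ! -d "/proc/$pid" ]; then
        echo "$pid: gone from /proc (transient process, not hidden)"
        return
    fi
    name=$(awk '/^Name:/ { print $2 }' "/proc/$pid/status")
    if [ -s "/proc/$pid/cmdline" ]; then
        echo "$pid: $name, has a command line: investigate"
    else
        echo "$pid: $name, empty cmdline (looks like a kernel thread)"
    fi
}
if command -v ps >/dev/null 2>&1; then
    found=$(persistent_hidden 5)
    [ -n "$found" ] || echo "no PID was hidden in all 5 runs"
    for p in $found; do describe_pid "$p"; done
fi
```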
chkrootkit and LKM
Bonjour...

When running chkrootkit from a shell logged on the machine I get :

Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed

Sometimes I get 2 or 3 processes, sometimes NONE.

Are there known 'false positives' ?

Thanks in advance
Jacques
Re: chkrootkit and LKM
* Jacques Lav!gnotte [EMAIL PROTECTED] [07-03-03 14:05]:
> Bonjour...
>
> When running chkrootkit from a shell logged on the machine I get :
>
> Checking `lkm'... You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> Sometimes I get 2 or 3 processes, sometimes NONE.
>
> Are there known 'false positives' ?

I had this too. Search on google for chkrootkit lkm. Nothing to worry about.

Jens