Re: chkrootkit and lkm

2003-11-28 Thread Stephen Gran
This one time, at band camp, Michael Parkinson said:
 
 Umm, I have the same problem.
 
 If I kill Exim and Spamassassin no hidden processes reported.
 
 Under normal load sometimes get 1-7 hidden processes.   Was in a state of
 panic but it does appear that Exim and Spamassassin combined do create false
 positives.

This is a known bug in chkrootkit - there is a race condition in the
code such that on a relatively busy system (or a sluggish one), there is a
difference in the output because of time lag - first it checks ps, then
it checks /proc, and if they disagree, it reports.

 Can this be fixed?

Hopefully.  It is irksome, but not the end of the world.

-- 
 -
|   ,''`.Stephen Gran |
|  : :' :[EMAIL PROTECTED] |
|  `. `'Debian user, admin, and developer |
|`- http://www.debian.org |
 -




Re: chkrootkit and lkm

2003-11-27 Thread Andre Timmermann
On Tue, 25.11.2003 at 21:18, Johannes Graumann wrote:

 I was just running 'chkrootkit' and came across this warning:
 
  Checking `lkm'... You have 4 process hidden for ps command
  Warning: Possible LKM Trojan installed

The same here (debian_sid):

[EMAIL PROTECTED]:~# chkrootkit lkm
ROOTDIR is `/'
Checking `lkm'... You have 5 process hidden for ps command
Warning: Possible LKM Trojan installed
[EMAIL PROTECTED]:~#

 Am I right to assume that this is not the lkm kit, but rather some
 weirdness in PID assignment?
 
 The same PID thing is happening on my testing/unstable laptop -
 compromised as well or something else amiss in the distro, maybe related
 to the server break ins?

I do not think that it is a problem due to the compromised servers,
because I noticed this on machines which had not been updated since
these server hacks. I think this is a bug in the chkrootkit package,
although it has not been reported on the buglist.

But please be careful, it is only my opinion, I will not guarantee that
the hack is not the cause of the problem ;)

Greetz,
Andre


-- 
BOFH-excuse of the day: Traceroute says that there is a routing problem
in the backbone. It's not our problem.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: chkrootkit and lkm

2003-11-27 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Am I right to assume that this is not the lkm kit, but rather some
 weirdness in PID assignment?

It is a ps/kernel bug, try top.

Greetings
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/





Re: chkrootkit and lkm

2003-11-27 Thread Werner Macho
I'm not quite sure if I'm right .. but isn't there a kernel bug
displaying some processes with PID 0 in ps or top?

maybe lkm is using this..

just a thought

greets Werner

   Checking `lkm'... You have 4 process hidden for ps command
   Warning: Possible LKM Trojan installed

I




RE: chkrootkit and lkm

2003-11-26 Thread Michael Parkinson

Umm, I have the same problem.

If I kill Exim and Spamassassin no hidden processes reported.

Under normal load sometimes get 1-7 hidden processes.   Was in a state of
panic but it does appear that Exim and Spamassassin combined do create false
positives.

Can this be fixed?

Mike

On Wed 26/11/2003 at 01:17, Michael Bordignon wrote:
  I was just running 'chkrootkit' and came across this warning:
 
   Checking `lkm'... You have 4 process hidden for ps command
   Warning: Possible LKM Trojan installed

 I have the same problem.. I believe it's a bug in chkrootkit


Do you stop the services before running chkrootkit?

It can happen that chkrootkit reports false positives on a machine still
running services. I had the experience with exim. When I stopped it I had
no false positives...


 Michael









RE: chkrootkit and lkm

2003-11-26 Thread Laurent Luyckx
On Wed 26/11/2003 at 01:17, Michael Bordignon wrote:
  I was just running 'chkrootkit' and came across this warning:
  
   Checking `lkm'... You have 4 process hidden for ps command
   Warning: Possible LKM Trojan installed
 
 I have the same problem.. I believe it's a bug in chkrootkit
 

Do you stop the services before running chkrootkit?

It can happen that chkrootkit reports false positives on a machine still
running services. I had the experience with exim. When I stopped it I had
no false positives...
 
 
 Michael
 




chkrootkit and lkm

2003-11-25 Thread Johannes Graumann
Hello,

This is a testing/unstable system.

I was just running 'chkrootkit' and came across this warning:

 Checking `lkm'... You have 4 process hidden for ps command
 Warning: Possible LKM Trojan installed

I did some reading and made sure the number is not changing (due to
running 'chkrootkit' while new processes are started and /proc and 'ps'
are not synchronized) - it remains 4.
I then went ahead and manually checked the output of 'ls -a /proc'
against that of 'ps -A' and found out that there are 4 processes in
/proc (3-6) which don't show up as PIDs in the 'ps -A' output. There
are however four processes (ksoftirqd_CPU0, kswapd, bdflush, kupdated)
in existence that show a PID of 0.
Am I right to assume that this is not the lkm kit, but rather some
weirdness in PID assignment?

The same PID thing is happening on my testing/unstable laptop -
compromised as well or something else amiss in the distro, maybe related
to the server break ins?

Any comment is highly appreciated.

Joh





Re: chkrootkit and lkm

2003-11-25 Thread Johannes Graumann
Thanks to everybody who was taking the time to soothe the novice ... ;0)

Joh

On Tue, 25 Nov 2003 12:18:35 -0800
Johannes Graumann [EMAIL PROTECTED] wrote:

 Hello,
 
 This is a testing/unstable system.
 
 I was just running 'chkrootkit' and came across this warning:
 
  Checking `lkm'... You have 4 process hidden for ps command
  Warning: Possible LKM Trojan installed
 
 I did some reading and made sure the number is not changing (due to
 running 'chkrootkit' while new processes are started and /proc and
 'ps' are not synchronized) - it remains 4.
 I then went ahead and manually checked the output of 'ls -a /proc'
 against that of 'ps -A' and found out that there are 4 processes in
 /proc (3-6) which don't show up as PIDs in the 'ps -A' output. There
 are however four processes (ksoftirqd_CPU0, kswapd, bdflush, kupdated)
 in existence that show a PID of 0.
 Am I right to assume that this is not the lkm kit, but rather some
 weirdness in PID assignment?
 
 The same PID thing is happening on my testing/unstable laptop -
 compromised as well or something else amiss in the distro, maybe
 related to the server break ins?
 
 Any comment is highly appreciated.
 
 Joh
 
 
 
 





Re: chkrootkit and lkm

2003-11-25 Thread Marek Habersack
On Tue, Nov 25, 2003 at 06:42:21PM -0600, Adam Heath scribbled:
[snip]
  are however four processes (ksoftirqd_CPU0, kswapd, bdflush, kupdated)
  in existence that show a PID of 0.
  Am I right to assume that this is not the lkm kit, but rather some
  weirdness in PID assignment?
 
  The same PID thing is happening on my testing/unstable laptop -
  compromised as well or something else amiss in the distro, maybe related
  to the server break ins?
 
 Are you running 2.6, or the backported TLS patches on 2.4?
it seems it's not only there. I think it's also the -aa kernels which show
this behavior (that would include 2.4.23rcX).

marek




Re: chkrootkit and lkm

2003-11-25 Thread Adam D. Barratt
On Tue, 2003-11-25 at 20:18, Johannes Graumann wrote:
[...]
 I was just running 'chkrootkit' and came across this warning:
 
  Checking `lkm'... You have 4 process hidden for ps command
  Warning: Possible LKM Trojan installed
[...]
 I then went ahead and manually checked the output of 'ls -a /proc'
 against that of 'ps -A' and found out, that there are 4 processes in
 /proc  (3-6) which don't show up as PIDs in the 'ps -A' output. There
 are however four processes (ksoftirqd_CPU0, kswapd, bdflush, kupdated)
 in existence that show a PID of 0.
 Am I right to assume that this is not the lkm kit, but rather some
 weirdness in PID assignment?

Yes. Well, rather to do with how `ps' handles the processes in question.

 The same PID thing is happening on my testing/unstable laptop -
 compromised as well or something else amiss in the distro, maybe related
 to the server break ins?

It's nothing at all to do with the compromise, and everything to do with
URL:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217525 (`ps shows
incorrect pid value') and
URL:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217278
(`chkrootkit: doesn't work too well with kernel threads').

(FWIW, the bugs were filed 31 and 33 days ago, against procps and
chkrootkit respectively, and
URL:http://bugs.debian.org/{procps,chkrootkit} is currently
operational, although lacking a record of activity since late last
week.)

Your machine is behaving no more strangely than thousands of other
sarge/sid boxes. :-)

Adam



Re: chkrootkit and lkm

2003-11-25 Thread Javier Fernández-Sanguino Peña
On Tue, Nov 25, 2003 at 12:18:35PM -0800, Johannes Graumann wrote:
 Hello,
 
 This is a testing/unstable system.
 
 I was just running 'chkrootkit' and came across this warning:
 
  Checking `lkm'... You have 4 process hidden for ps command
  Warning: Possible LKM Trojan installed
 
(...)
 
 Any comment is highly appreciated.

This is a known bug in chkrootkit: it does not understand processes with pid
'0' (kernel threads), which are not listed under /proc, and emits this
alert.

As a matter of fact it was reported previous to the compromise. Please
check the following bugs for more information:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217278
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217278

HTH

Javi




RE: chkrootkit and lkm

2003-11-25 Thread Michael Bordignon

 I was just running 'chkrootkit' and came across this warning:
 
  Checking `lkm'... You have 4 process hidden for ps command
  Warning: Possible LKM Trojan installed

I have the same problem.. I believe it's a bug in chkrootkit


Michael



Re: chkrootkit and lkm

2003-11-25 Thread Adam Heath
On Tue, 25 Nov 2003, Johannes Graumann wrote:

 Hello,

 This is a testing/unstable system.

 I was just running 'chkrootkit' and came across this warning:

  Checking `lkm'... You have 4 process hidden for ps command
  Warning: Possible LKM Trojan installed

 I did some reading and made sure the number is not changing (due to
 running 'chkrootkit' while new processes are started and /proc and 'ps'
 are not syncronized) - it remains 4.
 I then went ahead and manually checked the output of 'ls -a /proc'
 against that of 'ps -A' and found out, that there are 4 processes in
 /proc  (3-6) which don't show up as PIDs in the 'ps -A' output. There
 are however four processes (ksoftirqd_CPU0, kswapd, bdflush, kupdated)
 in existence that show a PID of 0.
 Am I right to assume that this is not the lkm kit, but rather some
 weirdness in PID assignment?

 The same PID thing is happening on my testing/unstable laptop -
 compromised as well or something else amiss in the distro, maybe related
 to the server break ins?

Are you running 2.6, or the backported TLS patches on 2.4?



Re: chkrootkit and LKM

2003-06-01 Thread Mark Devin
On Mon, 2003-05-26 at 23:27, IC0N wrote:
 
 Checking `lkm'... You have 1 process hidden for readdir command
 You have 1 process hidden for ps command
 Warning: Possible LKM Trojan installed
 
 Sometimes I get 2 or 3 processes, sometimes NONE
 
If a process is created between the output of ps and the readdir then
you will see this sort of output from chkrootkit.  However, run
chkrootkit several times and if the hidden process number is the same
each time then you should be more suspicious.

If you consistently get the same hidden process number then try changing
into its directory in /proc.  E.g. if process 26262 is hidden then try
accessing the directory /proc/26262.

If the directory exists then you may be dealing with an LKM trojan.

Regards.
Mark.




chkrootkit and LKM

2003-05-26 Thread IC0N
Hello

as Jacques Lavignotte [EMAIL PROTECTED] and Jens Schuessler
[EMAIL PROTECTED] posted in their mails at 7th of March 2003 i have
exactly the same alert message using chkrootkit:

Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed

Sometimes I get 2 or 3 processes, sometimes NONE

Is there a plausible reason why there could be a hidden process?
Hidden even for root? Even if LKM is not installed? I did not find
any possible reason. I only know that I can also reproduce the
alert by installing Debian on a brand new hard disk. I used Debian
woody 3.0 with kernel 2.2 CD image of 11th of December 2002.

greetings icon



Re: chkrootkit and LKM

2003-05-26 Thread Eric LeBlanc


The program compares the process list in /proc with the output of the 'ps'
command. So when chkrootkit lists /proc and then gets the output from ps,
the time between the two operations is long enough for other processes to
be created (or to die / be killed)...

That's why this check is not VERY reliable.


E.
--
Eric LeBlanc
[EMAIL PROTECTED]
--
UNIX is user friendly.
It's just selective about who its friends are.
==

On Mon, 26 May 2003, IC0N wrote:

 Hello

 as Jacques Lavignotte [EMAIL PROTECTED] and Jens Schuessler
 [EMAIL PROTECTED] posted in their mails at 7th of March 2003 i have
 exactly the same alert message using chkrootkit:

 Checking `lkm'... You have 1 process hidden for readdir command
 You have 1 process hidden for ps command
 Warning: Possible LKM Trojan installed

 Sometimes I get 2 or 3 processes, sometimes NONE

 Is there a plausible reason why there could be a hidden process?
 Hidden even for root? Even if LKM is not installed? I did not find
 any possible reason. I only know that I can also reproduce the
 alert by installing Debian on a brand new hard disk. I used Debian
 woody 3.0 with kernel 2.2 CD image of 11th of December 2002.

 greetings icon


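Added example (not from this thread and not chkrootkit's own code): a POSIX shell sketch of the /proc-versus-ps comparison that Stephen Gran and Eric LeBlanc describe, made race-aware the way Mark Devin suggests. Several rounds are taken, only PIDs missing from ps in every round are reported, and each survivor's /proc entry is then inspected; the function names, the `--live` flag and the PID lists in the comments are this example's own.

```shell
#!/bin/sh
# Race-aware variant of chkrootkit's `lkm' test (added example, not
# chkrootkit's code). One round = list /proc, then ask ps; a PID seen
# only in /proc is "hidden for ps". A process that starts or exits
# between the two listings shows up in one round and not the next, so
# only PIDs hidden in every round are reported.

# hidden_pids PROC_LIST PS_LIST
#   Both arguments are newline-separated PID lists. Prints the PIDs that
#   are in PROC_LIST but not in PS_LIST. Every ps PID is emitted twice so
#   that anything ps knows about occurs at least twice and uniq -u drops
#   it; ps-only entries (e.g. kernel threads that old ps reported as
#   PID 0) are ignored, since only /proc-without-ps is of interest here.
hidden_pids() {
    { printf '%s\n' "$1"; printf '%s\n' "$2" "$2"; } |
        grep -E '^[0-9]+$' | sort | uniq -u | sort -n
}

# persistent_hidden HIDDEN_1 HIDDEN_2 ...
#   Each argument is one round's hidden set. Prints only the PIDs that
#   were hidden in all rounds; a PID present in some rounds only is the
#   ps/readdir race, not a rootkit.
persistent_hidden() {
    n=$#
    printf '%s\n' "$@" | grep -E '^[0-9]+$' | sort | uniq -c |
        awk -v n="$n" '$1 == n { print $2 }' | sort -n
}

# snapshot_hidden
#   One live round, in chkrootkit's order: /proc first, then ps.
snapshot_hidden() {
    hidden_pids "$(ls /proc | grep -E '^[0-9]+$')" \
                "$(ps -A -o pid= | tr -d ' ')"
}

# describe_pid PID
#   Mark Devin's follow-up check: look at the /proc entry of a PID that
#   stayed hidden. Kernel threads have an empty cmdline; a user process
#   that ps cannot see but /proc can deserves a closer look.
describe_pid() {
    if [ -d "/proc/$1" ]; then
        name=$(sed -n 's/^Name:[[:space:]]*//p' "/proc/$1/status" 2>/dev/null)
        if [ -s "/proc/$1/cmdline" ]; then
            kind="user process: investigate"
        else
            kind="kernel thread (empty cmdline)"
        fi
        printf 'PID %s: %s, %s\n' "$1" "${name:-?}" "$kind"
    else
        printf 'PID %s: no /proc entry, exited between listings\n' "$1"
    fi
}

# Usage: sh lkm_check.sh --live [ROUNDS]   (Linux host with /proc mounted)
if [ "${1:-}" = "--live" ]; then
    rounds=${2:-5}
    set --
    i=0
    while [ "$i" -lt "$rounds" ]; do
        set -- "$@" "$(snapshot_hidden)"
        i=$((i + 1))
        sleep 1
    done
    hidden=$(persistent_hidden "$@")
    [ -n "$hidden" ] || echo "no PID hidden from ps in all $rounds rounds"
    for pid in $hidden; do describe_pid "$pid"; done
fi
```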




chkrootkit and LKM

2003-03-07 Thread Jacques Lav!gnotte

Hello...

When running chkrootkit from a shell logged on the machine I get :

Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed

Sometimes I get 2 or 3 processes, sometimes NONE.


Are there known 'false positives'?


Thanks in advance

Jacques










Re: chkrootkit and LKM

2003-03-07 Thread Jens Schuessler
* Jacques Lav!gnotte [EMAIL PROTECTED] [07-03-03 14:05]:
 
 Hello...
 
 When running chkrootkit from a shell logged on the machine I get :
 
 Checking `lkm'... You have 1 process hidden for readdir command
 You have 1 process hidden for ps command
 Warning: Possible LKM Trojan installed
 
 Sometimes I get 2 or 3 processes, sometimes NONE.
 
 
 Are there known 'false positives'?

I had this too. Search on google for chkrootkit  lkm. 
Nothing to worry about.

Jens




