Re: [gentoo-user] Re: chkrootkit LKM trojan ?
On Monday 17 July 2006 21:35, Hans-Werner Hilse wrote: > Hi, > > On Mon, 17 Jul 2006 19:36:30 +0100 > > Dave S <[EMAIL PROTECTED]> wrote: > > How accurate is chkproc? > > If you run chkproc on a server that runs lots of short time processes it > > could report some false positives. chkproc compares the ps output with > > the /proc contents. If processes are created/killed during this operation > > chkproc could point out these PIDs as suspicious. > > > > That fits in with the fact that chkrootkit & rkhunter now report clean (& > > also fits in with someone tinkering from the inside !) > > The problem I see here is that you can't expect chkrootkit to find > something when scanning from a clean base (Live-CD) when the only hint > you had was an alert from chkproc. You probably would have gotten the > alert from chkrootkit in the first place. chkproc inspects the > currently running system (and the /proc for the currently running > kernel). I.e. if it has no signature for the rootkit itself, it can't > find it again from that "clean" kernel. > > Do you have the possibility to monitor internet connections on an > intermediary gateway? I think monitoring it for a few days would give > you a better hint if there might be something active. > > And there are other things to think about. Do you have a webserver > running? Nope > CGI scripts? Nope > PHP applications? Nope > Do you have other network > reachable services? Nope none outside of my LAN > > Were you running a firewall? Yep - a netgear router firewall, NAT & state aware > > The past kernel bugs had very early exploit scripts. It is really a > no-brainer to insert a rootkit if something lets you, say, write a > script to /tmp and call it by exploitable buffer overflows, badly > written CGI... > > And remember that there's (nearly) no possibility for a positive proof > of the non-existence of a root kit. I am now seriously considering installing tripwire - To be sure of a clean tripwire database I know it means a clean install ... gulp ... > > -hwh -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Re: chkrootkit LKM trojan ?
Hi, On Mon, 17 Jul 2006 19:36:30 +0100 Dave S <[EMAIL PROTECTED]> wrote: > How accurate is chkproc? > If you run chkproc on a server that runs lots of short time processes it > could report some false positives. chkproc compares the ps output with > the /proc contents. If processes are created/killed during this operation > chkproc could point out these PIDs as suspicious. > > That fits in with the fact that chkrootkit & rkhunter now report clean (& > also > fits in with someone tinkering from the inside !) The problem I see here is that you can't expect chkrootkit to find something when scanning from a clean base (Live-CD) when the only hint you had was an alert from chkproc. You probably would have gotten the alert from chkrootkit in the first place. chkproc inspects the currently running system (and the /proc for the currently running kernel). I.e. if it has no signature for the rootkit itself, it can't find it again from that "clean" kernel. Do you have the possibility to monitor internet connections on an intermediary gateway? I think monitoring it for a few days would give you a better hint if there might be something active. And there are other things to think about. Do you have a webserver running? CGI scripts? PHP applications? Do you have other network reachable services? Were you running a firewall? The past kernel bugs had very early exploit scripts. It is really a no-brainer to insert a rootkit if something lets you, say, write a script to /tmp and call it by exploitable buffer overflows, badly written CGI... And remember that there's (nearly) no possibility for a positive proof of the non-existence of a root kit. -hwh -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Re: chkrootkit LKM trojan ?
On Sunday 16 July 2006 21:52, dnlt0hn5ntzhbqkv51 wrote: > On Sun, 16 Jul 2006 15:54:18 -0400, Dave S <[EMAIL PROTECTED]> wrote: > > On Sunday 16 July 2006 19:54, Hemmann, Volker Armin wrote: > >> On Sunday 16 July 2006 20:25, Dave S wrote: > >> > HI, I have a potential security problem ... > >> > > >> > and err its not on gentoo, its on ubuntu but I am not getting any > >> > response there & you guys are the most tech bunch I know - Thought I > >> > would lay it on the table :) > >> > > >> > I just had an email from chkrootkit last night - > >> > > >> > --- > >> > > >> > The following suspicious files and directories were found: > >> > > >> > You have 3 process hidden for readdir command > >> > You have 3 process hidden for ps command > >> > chkproc: Warning: Possible LKM Trojan installed > >> > > >> > --- > >> > > >> > Running chkrootkit now and all is OK > >> > > >> > [EMAIL PROTECTED]:~# > >> > [EMAIL PROTECTED]:~# chkrootkit | grep chkproc > >> > Checking `lkm'... chkproc: nothing detected > >> > [EMAIL PROTECTED]:~# > >> > > >> > I have even 'sudo install --reinstall chkrootkit' in case its binarys > >> > have been modified (paranoid) > >> > >> if you installed using the tools of the system, it could be worthless, > >> because compromised. Boot from a cd and check from the cd. > > > > I understand. Booted from knoppix 5.0.1, executed a > > > > 'chroot /mnt/hda1 chkrootkit' and a > > 'chroot /mnt/hda1 rkhunter -c' > > > > - both scans brought back nothing. From what I have read the chkrootkit & > > rkhunter binarys would have been from the CD and therefore untainted ? > > Am I > > correct ? > > > > Are there any other checks I can do - re-installing the system is not my > > preferred option :) > > > > Dave > > I'm a newbie, so discount this appropriately. > > 1. IIUC, running rkhunter/chkrootkit from knoppix simply checks the > knoppix cd. > 2. You want second/third opinions. IIWU, >i. I'd scan the box with a Trojan signature scanner - e.g. fprotect, > AntiVir, etc. >from Knoppix - first assuring that you have current signatures. >ii. I'd reemerge/recompile the kernel WITHOUT modules or module > support, and clear out your usr/lib/modules (though IIUC, this > can be foiled). >iii. I'd try zeppoo. > 3. Try to figure out how you got it. e.g. you installed software from an > unreliable source; your privileges are screwed up; you have an unpatched > server(s) running; etc. I am pretty picky about my software - have not messed with permissions & its a desktop machine not running any external services. > > Maybe you could find the both the vector and the lkm - but > understanding that the only real solution to a > rootkit is restoring from a clean backup, or rebuilding :-( ... gulp ... On digging around and listening to you guys I am going to go with a false +ve. My clue came when I discovered how chkrootkit detected the problem ... How accurate is chkproc? If you run chkproc on a server that runs lots of short time processes it could report some false positives. chkproc compares the ps output with the /proc contents. If processes are created/killed during this operation chkproc could point out these PIDs as suspicious. That fits in with the fact that chkrootkit & rkhunter now report clean (& also fits in with someone tinkering from the inside !) I will keep a slightly suspicious eye on the box from now on :) Cheers Dave -- gentoo-user@gentoo.org mailing list
