From: Dave S
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: chkrootkit LKM trojan ?
Date: Mon, 17 Jul 2006 19:36:30 +0100
Message-Id: <200607171936.30527.gentoo@pusspaws.net>

On Sunday 16 July 2006 21:52, dnlt0hn5ntzhbqkv51 wrote:
> On Sun, 16 Jul 2006 15:54:18 -0400, Dave S wrote:
> > On Sunday 16 July 2006 19:54, Hemmann, Volker Armin wrote:
> >> On Sunday 16 July 2006 20:25, Dave S wrote:
> >> > Hi, I have a potential security problem ...
> >> >
> >> > and err, it's not on Gentoo, it's on Ubuntu, but I am not getting any
> >> > response there & you guys are the most tech bunch I know - thought I
> >> > would lay it on the table :)
> >> >
> >> > I just had an email from chkrootkit last night -
> >> >
> >> > ---
> >> >
> >> > The following suspicious files and directories were found:
> >> >
> >> > You have 3 process hidden for readdir command
> >> > You have 3 process hidden for ps command
> >> > chkproc: Warning: Possible LKM Trojan installed
> >> >
> >> > ---
> >> >
> >> > Running chkrootkit now and all is OK
> >> >
> >> > root@dave-comp:~#
> >> > root@dave-comp:~# chkrootkit | grep chkproc
> >> > Checking `lkm'... chkproc: nothing detected
> >> > root@dave-comp:~#
> >> >
> >> > I have even 'sudo install --reinstall chkrootkit' in case its binaries
> >> > have been modified (paranoid)
> >>
> >> If you installed using the tools of the system, it could be worthless,
> >> because compromised. Boot from a CD and check from the CD.
> >
> > I understand. Booted from Knoppix 5.0.1, executed a
> >
> > 'chroot /mnt/hda1 chkrootkit' and a
> > 'chroot /mnt/hda1 rkhunter -c'
> >
> > - both scans brought back nothing. From what I have read, the chkrootkit &
> > rkhunter binaries would have been from the CD and therefore untainted?
> > Am I correct?
> >
> > Are there any other checks I can do - re-installing the system is not my
> > preferred option :)
> >
> > Dave
>
> I'm a newbie, so discount this appropriately.
>
> 1. IIUC, running rkhunter/chkrootkit from Knoppix simply checks the
>    Knoppix CD.
> 2. You want second/third opinions. IIWU,
>    i. I'd scan the box with a Trojan signature scanner - e.g. fprotect,
>       AntiVir, etc., from Knoppix - first assuring that you have current
>       signatures.
>    ii. I'd re-emerge/recompile the kernel WITHOUT modules or module
>       support, and clear out your usr/lib/modules (though IIUC, this
>       can be foiled).
>    iii. I'd try zeppoo.
> 3. Try to figure out how you got it, e.g. you installed software from an
>    unreliable source; your privileges are screwed up; you have an unpatched
>    server(s) running; etc.

I am pretty picky about my software - have not messed with permissions & it's
a desktop machine not running any external services.

> Maybe.... you could find both the vector and the lkm - but
> understanding that the only real solution to a
> rootkit is restoring from a clean backup, or rebuilding :-(

... gulp ...

On digging around and listening to you guys I am going to go with a false
+ve. My clue came when I discovered how chkrootkit detected the problem ...

    How accurate is chkproc?

    If you run chkproc on a server that runs lots of short time processes it
    could report some false positives. chkproc compares the ps output with
    the /proc contents. If processes are created/killed during this
    operation chkproc could point out these PIDs as suspicious.

That fits in with the fact that chkrootkit & rkhunter now report clean (& also
fits in with someone tinkering from the inside !)

I will keep a slightly suspicious eye on the box from now on :)

Cheers

Dave
-- 
gentoo-user@gentoo.org mailing list
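The chkproc FAQ passage quoted above describes a race: /proc is listed at one moment and ps runs at another, so any process that exits in between looks "hidden". As an added illustration (not part of this thread and not chkrootkit's own code), the script below performs the same /proc-versus-ps comparison but repeats it and keeps only PIDs that are hidden in every sample, so short-lived processes drop out while a PID that is persistently absent from ps remains for a human to look at. It assumes a Linux /proc and a procps-style `ps`; the sample count and delay are arbitrary choices.

```python
#!/usr/bin/env python3
"""Compare PIDs visible via readdir() on /proc with PIDs reported by ps,
re-sampling to suppress the short-lived-process race chkproc's FAQ warns about."""
import os
import subprocess
import time


def proc_pids():
    """PIDs as seen by readdir() on /proc: every numeric directory name."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def ps_pids():
    """PIDs as reported by ps (-e lists every process, kernel threads included)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(proc_seen, ps_seen):
    """Single-sample comparison: PIDs present in /proc but missing from ps."""
    return proc_seen - ps_seen


def persistent_hidden(sample_fn, samples=5, delay=0.5):
    """Intersect the hidden set across several samples.

    sample_fn returns a (proc_pids, ps_pids) pair. A PID hidden in only one
    sample almost always exited between the two listings (the false positive
    described in the FAQ); a PID hidden in every sample deserves a closer look.
    """
    result = None
    for i in range(samples):
        if i and delay:
            time.sleep(delay)
        proc_seen, ps_seen = sample_fn()
        diff = hidden_pids(proc_seen, ps_seen)
        result = diff if result is None else result & diff
        if not result:
            break  # nothing hidden in common: later samples cannot add PIDs back
    return result or set()


if __name__ == "__main__":
    found = persistent_hidden(lambda: (proc_pids(), ps_pids()))
    print("persistently hidden PIDs:", sorted(found) or "none")
```

A non-empty result still only means "ps and /proc disagree"; confirming what that PID is (or whether /proc itself is being filtered) is a separate job for a boot-from-CD inspection like the one discussed in the thread.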