From: Hans-Werner Hilse <hilse@web.de>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user]  Re: chkrootkit LKM trojan ?
Date: Mon, 17 Jul 2006 22:35:30 +0200	[thread overview]
Message-ID: <20060717223530.d4cd5c59.hilse@web.de> (raw)
In-Reply-To: <200607171936.30527.gentoo@pusspaws.net>

Hi,

On Mon, 17 Jul 2006 19:36:30 +0100
Dave S <gentoo@pusspaws.net> wrote:

> How accurate is chkproc? 
>  If you run chkproc on a server that runs lots of short time processes it 
> could report some false positives. chkproc compares the ps output with 
> the /proc contents. If processes are created/killed during this operation 
> chkproc could point out these PIDs as suspicious.
> 
> That fits in with the fact that chkrootkit & rkhunter now report clean (& also 
> fits in with someone tinkering from the inside !)

The problem I see here is that you can't expect chkrootkit to find
something when scanning from a clean base (Live-CD) when the only hint
you had was an alert from chkproc. You probably would have gotten the
alert from chkrootkit in the first place. chkproc inspects the
currently running system (and the /proc for the currently running
kernel). I.e. if it has no signature for the rootkit itself, it can't
find it again from that "clean" kernel.

Do you have the possibility to monitor internet connections on an
intermediary gateway? I think monitoring it for a few days would give
you a better hint if there might be something active.

And there are other things to think about. Do you have a webserver
running? CGI scripts? PHP applications? Do you have other network
reachable services? Were you running a firewall?

The past kernel bugs had very early exploit scripts. It is really a
no-brainer to insert a rootkit if something lets you, say, write a
script to /tmp and call it by exploitable buffer overflows, badly
written CGI...

And remember that there's (nearly) no possibility for a positive proof
of the non-existence of a root kit.

-hwh
-- 
gentoo-user@gentoo.org mailing list
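The chkproc check quoted in the thread (PIDs visible in /proc but absent from ps, with false positives from processes that exit between the two listings) can be reproduced and made more robust by re-sampling, as in this added example. It is not chkrootkit's own code; it assumes a Linux host with /proc and a procps-style `ps`, and the sampler is a callable so that other snapshot sources can be substituted.

```python
# Added example, not from chkrootkit: a chkproc-style comparison of /proc
# against ps that re-samples a few times so that short-lived processes
# (hidden in one snapshot only) drop out, while a PID that is consistently
# missing from ps yet still has a /proc directory is reported.
import os
import subprocess
import time
from typing import Callable, Set, Tuple

Sample = Tuple[Set[int], Set[int]]  # (PIDs in /proc, PIDs reported by ps)


def sample_live() -> Sample:
    """One snapshot: numeric /proc entries versus the PID column of ps."""
    proc_pids = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    ps_pids = {int(tok) for tok in out.split()}
    return proc_pids, ps_pids


def hidden_in_sample(proc_pids: Set[int], ps_pids: Set[int]) -> Set[int]:
    """PIDs present in /proc but missing from ps: suspicious in one shot."""
    return proc_pids - ps_pids


def confirm_hidden(sampler: Callable[[], Sample], rounds: int = 3,
                   delay: float = 0.2) -> Set[int]:
    """Return only the PIDs that are hidden in every one of `rounds` samples.

    A process that exits between listing /proc and running ps looks hidden
    once, but it is gone from /proc on the next round, so it leaves the
    intersection. A PID that something filters out of ps while its /proc
    directory remains stays hidden in every round and survives.
    """
    candidates = None
    for _ in range(rounds):
        proc_pids, ps_pids = sampler()
        hidden = hidden_in_sample(proc_pids, ps_pids)
        candidates = hidden if candidates is None else candidates & hidden
        if not candidates:
            break  # nothing suspicious left; no need to keep sampling
        time.sleep(delay)
    return candidates or set()


if __name__ == "__main__":
    print("persistently hidden PIDs:", sorted(confirm_hidden(sample_live)))
```

Anything reported persistently still deserves manual inspection of /proc/<pid> (exe, cmdline, status) before drawing conclusions, since the comparison only shows that the two views disagree.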