Date: Mon, 17 Jul 2006 22:35:30 +0200
From: Hans-Werner Hilse
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: chkrootkit LKM trojan ?
Message-Id: <20060717223530.d4cd5c59.hilse@web.de>
In-Reply-To: <200607171936.30527.gentoo@pusspaws.net>
References: <200607161925.22893.gentoo@pusspaws.net> <200607162054.18404.gentoo@pusspaws.net> <200607171936.30527.gentoo@pusspaws.net>

Hi,

On Mon, 17 Jul 2006 19:36:30 +0100 Dave S wrote:

> How accurate is chkproc?
>
> If you run chkproc on a server that runs lots of short time processes it
> could report some false positives. chkproc compares the ps output with
> the /proc contents. If processes are created/killed during this operation
> chkproc could point out these PIDs as suspicious.
>
> That fits in with the fact that chkrootkit & rkhunter now report clean (& also
> fits in with someone tinkering from the inside !)

The problem I see here is that you can't expect chkrootkit to find something when scanning from a clean base (Live-CD) when the only hint you had was an alert from chkproc. You probably would have gotten the alert from chkrootkit in the first place. chkproc inspects the currently running system (and the /proc for the currently running kernel). I.e. if it has no signature for the rootkit itself, it can't find it again from that "clean" kernel.

Do you have the possibility to monitor internet connections on an intermediary gateway?
I think monitoring it for a few days would give you a better hint if there might be something active.

And there are other things to think about. Do you have a webserver running? CGI scripts? PHP applications? Do you have other network reachable services? Were you running a firewall? The past kernel bugs had very early exploit scripts. It is really a no-brainer to insert a rootkit if something lets you, say, write a script to /tmp and call it by exploitable buffer overflows, badly written CGI...

And remember that there's (nearly) no possibility for a positive proof of the non-existence of a root kit.

-hwh
--
gentoo-user@gentoo.org mailing list
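As an added illustration of the chkproc behaviour quoted in this thread (this is example code written for this archive page, not chkrootkit's chkproc and not code from anyone in the thread): the check below compares PIDs listed in /proc against PIDs reported by `ps`, exactly the comparison the quoted FAQ describes, and then takes several consecutive samples so that a process created or killed between the `ps` run and the /proc listing is not reported. All function names (`find_hidden_pids`, `live_samples`, and so on) are hypothetical, and the sample PID sets in the `if __name__` block are constructed to show one transient process and one persistently hidden one.

```python
"""chkproc-style hidden-process check with re-sampling to suppress the
false positives caused by short-lived processes (added example code)."""
import os
import subprocess
import sys
import time
from typing import Iterable, List, Set, Tuple

Sample = Tuple[Set[int], Set[int]]  # (pids seen in /proc, pids seen by ps)


def parse_ps_pids(ps_output: str) -> Set[int]:
    """Parse the output of `ps -eo pid=` (one numeric PID per line)."""
    pids: Set[int] = set()
    for line in ps_output.splitlines():
        token = line.strip()
        if token.isdigit():
            pids.add(int(token))
    return pids


def parse_proc_pids(entries: Iterable[str]) -> Set[int]:
    """Numeric directory names under /proc are process IDs."""
    return {name for name in entries if name.isdigit()} and \
        {int(name) for name in entries if name.isdigit()}


def hidden_in_sample(sample: Sample) -> Set[int]:
    """One-shot comparison, as chkproc does it: in /proc but not in ps.
    This is the step that misfires on processes spawned between the two
    listings, which is the false positive the chkrootkit FAQ warns about."""
    proc_pids, ps_pids = sample
    return proc_pids - ps_pids


def find_hidden_pids(samples: List[Sample]) -> Set[int]:
    """Report a PID only if it is in /proc and missing from ps in EVERY
    consecutive sample. A PID that is flagged in one sample and gone
    from /proc in the next was a transient process, not a hidden one."""
    if not samples:
        return set()
    confirmed = hidden_in_sample(samples[0])
    for sample in samples[1:]:
        confirmed &= hidden_in_sample(sample)
    return confirmed


def live_samples(count: int = 3, delay: float = 0.5) -> List[Sample]:
    """Collect (proc, ps) pairs from the running system. Linux only; the
    `ps` invocation runs first, then /proc is listed, so anything spawned
    in between lands in /proc but not in ps, the same race chkproc has."""
    samples: List[Sample] = []
    for _ in range(count):
        ps_out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                                text=True, check=True).stdout
        proc_pids = parse_proc_pids(os.listdir("/proc"))
        samples.append((proc_pids, parse_ps_pids(ps_out)))
        time.sleep(delay)
    return samples


if __name__ == "__main__":
    # Constructed data: 999 appears in /proc only during the first sample
    # (a short-lived process), 4242 is in /proc every time but never in ps.
    demo = [
        ({1, 2, 3, 999, 4242}, {1, 2, 3}),
        ({1, 2, 3, 4242, 1000}, {1, 2, 3, 1000}),
        ({1, 2, 3, 4242}, {1, 2, 3}),
    ]
    print("single-sample result:", sorted(hidden_in_sample(demo[0])))
    print("re-sampled result:   ", sorted(find_hidden_pids(demo)))
    if sys.platform.startswith("linux") and os.path.isdir("/proc"):
        print("live system:", sorted(find_hidden_pids(live_samples())))
```

The single-sample result flags both 999 and 4242, which is the false positive described in the FAQ; after three samples only 4242 remains. Note that this only says a PID is consistently absent from `ps` while consistently present in `/proc`; as the reply above points out, an LKM that hooks the kernel's own /proc listing can hide from both sides of this comparison, so a clean result here is not a proof of absence.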