From: Dave S <gentoo@pusspaws.net>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: chkrootkit LKM trojan ?
Date: Tue, 18 Jul 2006 07:59:27 +0100 [thread overview]
Message-ID: <200607180759.27343.gentoo@pusspaws.net> (raw)
In-Reply-To: <20060717223530.d4cd5c59.hilse@web.de>
On Monday 17 July 2006 21:35, Hans-Werner Hilse wrote:
> Hi,
>
> On Mon, 17 Jul 2006 19:36:30 +0100
>
> Dave S <gentoo@pusspaws.net> wrote:
> > How accurate is chkproc?
> > If you run chkproc on a server that runs lots of short time processes it
> > could report some false positives. chkproc compares the ps output with
> > the /proc contents. If processes are created/killed during this operation
> > chkproc could point out these PIDs as suspicious.
> >
> > That fits in with the fact that chkrootkit & rkhunter now report clean (&
> > also fits in with someone tinkering from the inside !)
>
> The problem I see here is that you can't expect chkrootkit to find
> something when scanning from a clean base (Live-CD) when the only hint
> you had was an alert from chkproc. You probably would have gotten the
> alert from chkrootkit in the first place. chkproc inspects the
> currently running system (and the /proc for the currently running
> kernel). I.e. if it has no signature for the rootkit itself, it can't
> find it again from that "clean" kernel.
>
> Do you have the possibility to monitor internet connections on an
> intermediary gateway? I think monitoring it for a few days would give
> you a better hint if there might be something active.
>
> And there are other things to think about. Do you have a webserver
> running?
Nope
> CGI scripts?
Nope
> PHP applications?
Nope
> Do you have other network
> reachable services?
Nope none outside of my LAN
> > Were you running a firewall?
Yep - a netgear router firewall, NAT & state aware
>
> The past kernel bugs had very early exploit scripts. It is really a
> no-brainer to insert a rootkit if something lets you, say, write a
> script to /tmp and call it by exploitable buffer overflows, badly
> written CGI...
>
> And remember that there's (nearly) no possibility for a positive proof
> of the non-existence of a root kit.
I am now seriously considering installing tripwire - To be sure of a clean
tripwire database I know it means a clean install ... gulp ...
>
> -hwh
--
gentoo-user@gentoo.org mailing list
next prev parent reply other threads:[~2006-07-18 7:06 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-07-16 18:25 [gentoo-user] chkrootkit LKM trojan ? Dave S
2006-07-16 18:54 ` Hemmann, Volker Armin
2006-07-16 19:54 ` Dave S
2006-07-16 20:33 ` Hemmann, Volker Armin
2006-07-16 20:36 ` Hemmann, Volker Armin
2006-07-16 20:49 ` Dave S
2006-07-16 21:12 ` Benno Schulenberg
2006-07-16 22:16 ` Dave S
2006-07-16 20:52 ` [gentoo-user] " dnlt0hn5ntzhbqkv51
2006-07-17 18:36 ` Dave S
2006-07-17 20:35 ` Hans-Werner Hilse
2006-07-18 6:59 ` Dave S [this message]
2006-07-16 21:25 ` [gentoo-user] " Jerry McBride
2006-07-17 18:41 ` Dave S
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200607180759.27343.gentoo@pusspaws.net \
--to=gentoo@pusspaws.net \
--cc=gentoo-user@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox