From: Dave S
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: chkrootkit LKM trojan ?
Date: Tue, 18 Jul 2006 07:59:27 +0100
Message-Id: <200607180759.27343.gentoo@pusspaws.net>
In-Reply-To: <20060717223530.d4cd5c59.hilse@web.de>
References: <200607161925.22893.gentoo@pusspaws.net> <200607171936.30527.gentoo@pusspaws.net> <20060717223530.d4cd5c59.hilse@web.de>

On Monday 17 July 2006 21:35, Hans-Werner Hilse wrote:
> Hi,
>
> On Mon, 17 Jul 2006 19:36:30 +0100
> Dave S wrote:
> > How accurate is chkproc?
> >
> > If you run chkproc on a server that runs lots of short time processes it
> > could report some false positives. chkproc compares the ps output with
> > the /proc contents. If processes are created/killed during this operation
> > chkproc could point out these PIDs as suspicious.
> >
> > That fits in with the fact that chkrootkit & rkhunter now report clean (&
> > also fits in with someone tinkering from the inside !)
>
> The problem I see here is that you can't expect chkrootkit to find
> something when scanning from a clean base (Live-CD) when the only hint
> you had was an alert from chkproc. You probably would have gotten the
> alert from chkrootkit in the first place. chkproc inspects the
> currently running system (and the /proc for the currently running
> kernel). I.e. if it has no signature for the rootkit itself, it can't
> find it again from that "clean" kernel.
>
> Do you have the possibility to monitor internet connections on an
> intermediary gateway? I think monitoring it for a few days would give
> you a better hint if there might be something active.
>
> And there are other things to think about. Do you have a webserver
> running?

Nope

> CGI scripts?

Nope

> PHP applications?

Nope

> Do you have other network
> reachable services?

Nope, none outside of my LAN.

> Were you running a firewall?

Yep - a netgear router firewall, NAT & state aware.

> The past kernel bugs had very early exploit scripts. It is really a
> no-brainer to insert a rootkit if something lets you, say, write a
> script to /tmp and call it by exploitable buffer overflows, badly
> written CGI...
>
> And remember that there's (nearly) no possibility for a positive proof
> of the non-existence of a root kit.

I am now seriously considering installing tripwire. To be sure of a clean tripwire database I know it means a clean install ... gulp ...

> -hwh

-- 
gentoo-user@gentoo.org mailing list
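The ps-versus-/proc comparison described in the quoted chkproc explanation, as an added example that is not part of this thread and not chkrootkit's own code. It takes the sample twice a short interval apart so that processes which start or exit mid-scan (the race the quoted text names as the source of false positives) are reported as churn rather than as hidden. The live helpers assume a Linux /proc and a procps-style `ps` that accepts `-eo pid=`; the comparison itself is a pure function exercised on constructed PID sets.

```python
"""Two-pass comparison of ps(1) output against /proc, in the spirit of the
chkproc description quoted in the thread.

Added example, not chkrootkit's code. Assumes a Linux /proc and a procps-style
``ps`` that accepts ``-eo pid=`` (both assumptions; the pure comparison below
needs neither and is what the constructed sample data exercises).
"""
import os
import subprocess
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    # PIDs present in /proc in both passes but absent from ps in both passes.
    hidden: frozenset
    # PIDs that differed between the two passes: processes that started or
    # exited while we were sampling, i.e. the race behind chkproc's
    # false positives.
    churn: frozenset


def classify(proc_a, ps_a, proc_b, ps_b):
    """Compare two (/proc, ps) samples taken a short interval apart.

    A single-pass check flags every PID that is in /proc but not in ps, which
    includes processes that simply exited between the two reads. Requiring a
    PID to be in /proc both times and in ps neither time removes that race:
    a short-lived process cannot satisfy it, while a process concealed from
    ps (the LKM rootkit case the thread is about) will.
    """
    proc_a, ps_a, proc_b, ps_b = map(set, (proc_a, ps_a, proc_b, ps_b))
    stable_in_proc = proc_a & proc_b
    hidden = stable_in_proc - (ps_a | ps_b)
    churn = (proc_a ^ proc_b) | (ps_a ^ ps_b)
    return Report(hidden=frozenset(hidden), churn=frozenset(churn))


def proc_pids():
    """PIDs visible as numeric directories under /proc (Linux only)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def ps_pids():
    """PIDs reported by ps; '-eo pid=' prints one PID per line, no header."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def audit(interval=0.5):
    """Take two live samples `interval` seconds apart and classify them."""
    a_proc, a_ps = proc_pids(), ps_pids()
    time.sleep(interval)
    b_proc, b_ps = proc_pids(), ps_pids()
    return classify(a_proc, a_ps, b_proc, b_ps)


def demo():
    """Constructed samples: PID 3 exits and PID 100 starts between passes
    (churn); PID 99 is in /proc both times and never in ps (hidden)."""
    return classify(proc_a={1, 2, 3, 99}, ps_a={1, 2, 3},
                    proc_b={1, 2, 99, 100}, ps_b={1, 2, 100})


if __name__ == "__main__":
    report = demo()
    print("constructed sample  hidden:", sorted(report.hidden),
          " churn:", sorted(report.churn))
    live = audit()
    print("this host           hidden:", sorted(live.hidden),
          " churn:", sorted(live.churn))
```

The ps processes spawned by each pass show up in ps but not in the /proc listing taken just before them, so they land in churn, which is the intended place for anything that lived in only one sample. A non-empty hidden set is a lead, not a verdict: the next step is to read `/proc/<pid>/status` and `/proc/<pid>/cmdline` for each such PID from the running system before deciding whether it is concealed or just a sampling oddity.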