Re: chkrootkit-0.31 and possible bug?
On Thu, Jun 06, 2002 at 07:15:24PM +0200, Willi Dyck wrote:
> on a daily basis I do run chkrootkit version 0.31 on a server I
> maintain. Today chkrootkit reported the following:
>
> Checking `lkm'... You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> That, of course, got me shocked. I then ran chkrootkit manually and
> what? This complaint disappeared!
The code snippet below contains an obvious race. It first runs readdir
and ps and caches the result, and afterwards checks every possible
/proc/<pid>. If a perfectly ordinary process happens to get started
between both checks, it will show up on chkrootkit's radar. It's always
a good attitude to be paranoid about security issues, but in this case I
believe the fact that you haven't been able to reproduce the warning
quite clearly shows that you did indeed hit the race condition.
> /* Brute force */
>     strcpy(buf, "/proc/");
>     retps = retdir = 0;
>     for (i = 1; i <= MAX_PROCESSES; i++)
>     {
>         snprintf(&buf[6], 6, "%d", i);
>         if (!chdir(buf))
>         {
>             if (!dirproc[i])
>             {
>                 retdir++;
>                 if (verbose)
>                     printf ("PID %5d: not in readdir output\n", i);
>             }
>             if (!psproc[i])
>             {
>                 retps++;
>                 if (verbose)
>                     printf ("PID %5d: not in ps output\n", i);
>             }
>         }
>     }
>     if (retdir)
>         printf("You have % 5d process hidden for readdir command\n", retdir);
>     if (retps)
>         printf("You have % 5d process hidden for ps command\n", retps);
>     return (retps+retps);
> }
Regards,
Daniel.
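A variant of the brute-force probe that narrows the race Daniel describes, added here as an example; it is not chkrootkit's code and not part of this thread. It keeps the readdir snapshot but, whenever a /proc/<pid> hit is not in that snapshot, takes a second readdir pass and re-checks that the PID still exists before counting it, so a process that merely started or exited between the passes is not reported. MAX_PROCESSES, snapshot_proc, confirm_hidden and count_hidden_pids are names chosen for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dirent.h>
#include <unistd.h>
#define MAX_PROCESSES 99999 /* assumption: same brute-force range as chkrootkit */

/* Take a readdir() snapshot of /proc: seen[pid] = 1 for every numeric entry. */
static void snapshot_proc(unsigned char *seen)
{
    DIR *d;
    struct dirent *e;
    memset(seen, 0, MAX_PROCESSES + 1);
    if ((d = opendir("/proc")) == NULL)
        return;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long pid = strtol(e->d_name, &end, 10);
        if (*end == '\0' && pid > 0 && pid <= MAX_PROCESSES)
            seen[pid] = 1;
    }
    closedir(d);
}

/* Decision rule: report a PID only if it still exists after a second readdir()
 * pass and was absent from both passes. A process that started between the
 * first pass and the probe is in the second pass; one that exited no longer
 * exists; neither is reported. */
int confirm_hidden(int still_exists, int in_first, int in_second)
{
    return still_exists && !in_first && !in_second;
}

/* Brute-force /proc/<pid> probe that re-checks every hit instead of trusting
 * the stale first snapshot. Returns the number of confirmed hidden PIDs. */
int count_hidden_pids(void)
{
    static unsigned char first[MAX_PROCESSES + 1], second[MAX_PROCESSES + 1];
    char buf[32];
    int i, hidden = 0;
    snapshot_proc(first);
    for (i = 1; i <= MAX_PROCESSES; i++) {
        snprintf(buf, sizeof buf, "/proc/%d", i);
        if (first[i] || access(buf, F_OK) != 0)
            continue;              /* listed normally, or no such process */
        snapshot_proc(second);     /* second pass only when there is a hit */
        if (confirm_hidden(access(buf, F_OK) == 0, first[i], second[i])) {
            printf("PID %5d: in /proc but not in readdir output\n", i);
            hidden++;
        }
    }
    return hidden;
}
```

On Linux, thread IDs of multithreaded processes are reachable as /proc/<tid> but are not listed by readdir, so a production check also has to exclude those (for instance by comparing Tgid and Pid in /proc/<tid>/status); this example does not.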