
Re: has chkrootkit caught a problem for anyone?



Just to have it in the archives, I've verified that, for me, it IS a
false positive. The race condition occurs as described, threads are
badly managed (not managed at all actually) and the way to find out is:
chkrootkit -x lkm
Which gives a much more detailed description of the test and where we
can find it doesn't do the right thing.


Stephen Gran wrote:

>This one time, at band camp, alex said:
>  
>
>>Okay, another question about chkrootkit:
>>Has anyone ever found a false positive with it?
>>
>>It tells me i might have a LKM rootkit on a heavily loaded box. I find
>>that hard to believe since i would've seen many boxes coming down
>>before this one.
>>    
>>
>
>I get that one fairly frequently.  There is a race condition in the LKM
>test, where it first takes the output of ps, and then compares it to
>readdir.  It also (in the past, I haven't looked recently) handled
>threaded apps badly, and declared processes with multiple LWP ids to be
>separate pids, hidden from ps.
>
>There are also several port based tests that break with various IDS
>software.  I think either README or README.Debian has some discussion of
>these issues.
>
>Take care,
>  
>
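The check Stephen describes (snapshot ps, then readdir /proc, report the
difference) with both false-positive sources from this thread handled.
This is an added example written for the archive, not chkrootkit's own
code: it runs the comparison several times and only reports a PID that
is flagged in every round, so a process that starts or exits between the
two snapshots drops out, and it folds every id it sees back to its
thread-group leader via the Tgid line of /proc/<pid>/status so LWPs are
not counted as separate hidden processes. It assumes Linux with procps
(`ps -e -o pid=`) and a readable /proc; the pid/status values in the
comments are constructed for illustration.

```python
#!/usr/bin/env python3
"""Hidden-process check in the spirit of chkrootkit's LKM test, with the
snapshot race and thread (LWP) handling addressed.  Added example, not
chkrootkit's code.  Assumes Linux + procps."""
import os
import subprocess
import time
from typing import Callable, Iterable, List, Set, Tuple


def parse_ps_pids(ps_output: str) -> Set[int]:
    """Parse `ps -e -o pid=` output: one PID per line, nothing else."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def parse_tgid(status_text: str) -> int:
    """Thread-group id from /proc/<pid>/status text.  For a thread this is
    the leader's PID, not the LWP's own id (e.g. 'Tgid:\t1234' for LWP 1240)."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    raise ValueError("no Tgid line in status text")


def fold_threads(ids: Iterable[int], tgid_of: Callable[[int], int]) -> Set[int]:
    """Map every id to its thread-group leader.  On LinuxThreads-era kernels
    each thread had its own /proc entry; comparing those raw ids against
    `ps -e` (leaders only) is exactly the 'multiple LWP ids' false positive."""
    leaders: Set[int] = set()
    for pid in ids:
        try:
            leaders.add(tgid_of(pid))
        except (FileNotFoundError, ProcessLookupError, ValueError):
            pass  # vanished since the listing: the race, not a hidden process
    return leaders


def compare(readdir_pids: Set[int], ps_pids: Set[int]) -> Tuple[Set[int], Set[int]]:
    """chkrootkit-style comparison for one round:
    (in /proc but not in ps, in ps but not in /proc)."""
    return readdir_pids - ps_pids, ps_pids - readdir_pids


def stable_hidden(rounds: List[Tuple[Set[int], Set[int]]]) -> Tuple[Set[int], Set[int]]:
    """Keep only PIDs flagged in every round.  A process that starts or exits
    between the ps and readdir snapshots (ps itself is the usual case) is
    flagged once and gone next time; a genuinely hidden process persists."""
    hidden_from_ps = set.intersection(*(r[0] for r in rounds))
    hidden_from_readdir = set.intersection(*(r[1] for r in rounds))
    return hidden_from_ps, hidden_from_readdir


# --- live helpers (Linux only) -------------------------------------------

def live_readdir_pids() -> Set[int]:
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def live_ps_pids() -> Set[int]:
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return parse_ps_pids(out)


def live_tgid(pid: int) -> int:
    with open(f"/proc/{pid}/status") as f:
        return parse_tgid(f.read())


def live_check(rounds: int = 3, pause: float = 0.2) -> Tuple[Set[int], Set[int]]:
    """Same snapshot order as the thread describes: ps first, then readdir."""
    results = []
    for _ in range(rounds):
        ps = live_ps_pids()
        rd = fold_threads(live_readdir_pids(), live_tgid)
        results.append(compare(rd, ps))
        time.sleep(pause)
    return stable_hidden(results)


if __name__ == "__main__":
    hidden_ps, hidden_rd = live_check()
    print("hidden from ps:     ", sorted(hidden_ps) or "none")
    print("hidden from readdir:", sorted(hidden_rd) or "none")
```

A single round will almost always flag the ps process itself as "hidden
from readdir" (it is in its own output and has exited before /proc is
read); the multi-round intersection is what removes that and any other
short-lived process, which is the race the thread is about.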


