Hi *,
I run chkrootkit version 0.31 daily on a server I maintain. Today
chkrootkit reported the following:
Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed
That, of course, shocked me. I then ran chkrootkit manually, and what
happened? The complaint disappeared! That made me suspicious. I copied some
tools (ps, ls, netstat, lsmod, lsof, ifconfig, find, etc.) to a floppy
and mounted it read-only on that server machine. 'lsmod' did not show
anything abnormal, 'netstat -atlnp' the same, 'ps -ef' the same too.
The other thing is that tripwire did not complain about anything! The
tripwire database is on a read-only medium, and the tripwire executables
too. *If* someone cracked in, he must be really good at it, I think!
As I do not have anything on that machine that would be worth taking that much
effort to crack it, my thought now is that chkrootkit did something
wrong. An excerpt from chkproc.c (lines 66-92):
    /* Brute force: try every possible PID directly, regardless of what
     * readdir() on /proc or ps reported earlier (dirproc[] and psproc[]
     * were filled from those two sources before this loop). */
    strcpy(buf, "/proc/");
    retps = retdir = 0;
    for (i = 1; i <= MAX_PROCESSES; i++)
    {
        /* Append the PID after "/proc/": up to 5 digits plus the NUL. */
        snprintf(&buf[6], 6, "%d", i);
        if (!chdir(buf))                  /* /proc/<i> exists and is enterable */
        {
            if (!dirproc[i])              /* ... but readdir() did not list it */
            {
                retdir++;
                if (verbose)
                    printf ("PID %5d: not in readdir output\n", i);
            }
            if (!psproc[i])               /* ... but ps did not list it */
            {
                retps++;
                if (verbose)
                    printf ("PID %5d: not in ps output\n", i);
            }
        }
    }
    if (retdir)
        printf("You have % 5d process hidden for readdir command\n", retdir);
    if (retps)
        printf("You have % 5d process hidden for ps command\n", retps);
    /* Note: as quoted, this adds retps to itself and never includes retdir;
     * retps+retdir is presumably what was intended. */
    return (retps+retps);
}
My understanding is that chkproc checks the output of ps against the
entries in /proc/$PID, where $PID is the directory corresponding to
the process with a PID of $PID, and if ps misses a process which is
actually in /proc it reports the above. Right?
And if so, what could make chkproc think it sees something that is
probably not there? Perhaps some kind of runtime failure in the C code?
Thoughts, ideas, explanations?
Best regards, -W.Dyck
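The check described in the message above, as an added example that is not part of the original post or of chkrootkit itself: a Python reimplementation of the three-way comparison (readdir of /proc, the output of ps, and a brute-force probe of /proc/<pid>). It differs from the quoted loop in two ways a practitioner would want: it takes two independent snapshots and only reports a PID that is hidden in both, so a process that starts or exits between the readdir/ps snapshot and the probe (the probe races the snapshot) is not counted; and it skips /proc/<tid> entries whose Tgid differs from the PID, which on threaded Linux systems are reachable but are not returned by readdir on /proc. The constants, function names and the constructed snapshots in the test are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Two-pass /proc consistency check in the spirit of chkrootkit's chkproc.

Example code added for this page, not chkrootkit's own. Three views of the
process table are compared: readdir() on /proc, the output of ps, and a
brute-force probe of /proc/<pid> for every possible pid. A pid that the probe
reaches but the other views omit is a candidate for a hidden process.
"""
import os
import subprocess
import time
from dataclasses import dataclass

DEFAULT_PID_MAX = 32768  # assumed fallback; /proc/sys/kernel/pid_max is preferred


@dataclass(frozen=True)
class ProcSnapshot:
    readdir_pids: frozenset  # pids listed by readdir() on /proc
    ps_pids: frozenset       # pids reported by `ps -e`
    probe_pids: frozenset    # pids whose /proc/<pid> directory answers stat()


def hidden_pids(snap):
    """Return (hidden_from_readdir, hidden_from_ps) for one snapshot.

    Same rule as chkproc: the probe reached /proc/<pid> but the view omitted it.
    """
    return (snap.probe_pids - snap.readdir_pids,
            snap.probe_pids - snap.ps_pids)


def confirmed_hidden(first, second):
    """Intersect the findings of two independent snapshots.

    A kernel hook hides the same pid every time, so it survives the
    intersection. A short-lived process that appeared between the readdir/ps
    snapshot and the probe is flagged in one pass only and drops out.
    """
    r1, p1 = hidden_pids(first)
    r2, p2 = hidden_pids(second)
    return r1 & r2, p1 & p2


def pid_max():
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except OSError:
        return DEFAULT_PID_MAX


def is_thread(pid):
    """True when /proc/<pid> belongs to a thread (Tgid != Pid). Such
    directories exist but readdir() on /proc does not list them."""
    try:
        with open(f"/proc/{pid}/status") as f:
            fields = dict(line.split(":", 1) for line in f if ":" in line)
        return int(fields["Tgid"]) != pid
    except (OSError, KeyError, ValueError):
        return False


def live_snapshot(limit=None):
    """Take one snapshot from the running system (Linux only)."""
    limit = limit or pid_max()
    readdir = frozenset(int(n) for n in os.listdir("/proc") if n.isdigit())
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    ps = frozenset(int(tok) for tok in out.split())
    probe = set()
    for pid in range(1, limit + 1):
        try:
            os.stat(f"/proc/{pid}")      # the brute-force step, like chdir() in chkproc
        except OSError:
            continue
        if not is_thread(pid):
            probe.add(pid)
    return ProcSnapshot(readdir, ps, frozenset(probe))


if __name__ == "__main__":
    first = live_snapshot()
    time.sleep(1)
    second = live_snapshot()
    hidden_readdir, hidden_ps = confirmed_hidden(first, second)
    for pid in sorted(hidden_readdir):
        print(f"PID {pid:5d}: not in readdir output (both passes)")
    for pid in sorted(hidden_ps):
        print(f"PID {pid:5d}: not in ps output (both passes)")
    if not hidden_readdir and not hidden_ps:
        print("no consistently hidden processes")
```

Two things still produce noise with this approach and are worth knowing before acting on a report: when /proc is mounted with the hidepid option, an unprivileged run cannot reach other users' /proc/<pid> directories at all, so the probe sees less rather than more; and a heavily loaded box with a high fork rate can still produce a PID that is flagged in both passes by chance, so a persistent finding should be confirmed from trusted media, as the poster did, rather than taken as proof of an LKM on its own.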