Hi *,

on a daily basis I do run chkrootkit version 0.31 on a server I maintain.
Today chkrootkit reported the following:

  Checking `lkm'... You have 1 process hidden for readdir command
  You have 1 process hidden for ps command
  Warning: Possible LKM Trojan installed

That, of course, got me shocked. I then ran chkrootkit manually and what?
This complaint disappeared! That made me suspicious.

I copied some tools (ps, ls, netstat, lsmod, lsof, ifconfig, find etc...)
to a floppy and mounted it read-only on that server machine. 'lsmod' did
not show anything not normal, 'netstat -atlnp' same, 'ps -ef' same too.

The other thing is, that tripwire did not complain about anything! The
tripwire database is on a read-only medium and the tripwire executables
too. *If* someone cracked in, he must be really good at it, I think!

As I do not have anything on that machine, that'd be worth taking that
much effort in cracking it, my thought now is, that chkrootkit did
something wrong.

An excerpt from chkproc.c (lines 66-92):

  /* Brute force */
  strcpy(buf, "/proc/");
  retps = retdir = 0;
  for (i = 1; i <= MAX_PROCESSES; i++) {
     snprintf(&buf[6], 6, "%d", i);
     if (!chdir(buf)) {
        if (!dirproc[i]) {
           retdir++;
           if (verbose)
              printf ("PID %5d: not in readdir output\n", i);
        }
        if (!psproc[i]) {
           retps++;
           if (verbose)
              printf ("PID %5d: not in ps output\n", i);
        }
     }
  }
  if (retdir)
     printf("You have % 5d process hidden for readdir command\n", retdir);
  if (retps)
     printf("You have % 5d process hidden for ps command\n", retps);
  return (retps+retps);
  }

My understanding is that chkproc checks the output of ps against the
entries in /proc/$PID, where $PID is the directory corresponding to the
process with a PID of $PID, and if ps misses a process which is actually
in /proc it commits the above. Right?

And if so, what could make chkproc think, seeing something what is
probably not there? Perhaps some kind of runtime failure in the C code?

Thoughts, ideas, explanations?

Best regards,
-W.Dyck
Attachment:
pgp7aTz0cMpq8.pgp
Description: PGP signature
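To make the comparison in the quoted loop concrete, the following is an added Python re-implementation of what chkproc does; it is not chkrootkit's own code and is written for this thread only. The quoted excerpt presupposes two arrays, dirproc[] and psproc[], filled earlier from a readdir() of /proc and from the output of ps; here those become sets. It assumes a Linux-style /proc and a procps-style ps when run for real (the MAX_PID bound and the ps flags are assumptions), while the comparison functions themselves are pure and run on constructed sets. It goes one step beyond the excerpt: a second, independent pass is taken and only PIDs hidden in both passes are kept, so that a process which merely started or exited between the three views can be told apart from one that is consistently absent.

```python
"""Added example for this thread: a Python re-implementation of the comparison
that the quoted chkproc.c loop performs. Not chkrootkit's own code."""
import os
import subprocess
from typing import List, Set, Tuple

MAX_PID = 32768  # assumed upper bound, the analogue of chkproc's MAX_PROCESSES

# (hidden from readdir, hidden from ps), the two counters the C loop keeps
HiddenSets = Tuple[Set[int], Set[int]]


def pids_from_readdir(proc: str = "/proc") -> Set[int]:
    """PIDs that readdir() shows: numeric entries in the /proc listing (dirproc[])."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pids_from_ps() -> Set[int]:
    """PIDs that ps reports (psproc[]); assumes a procps-style ps."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def pids_from_bruteforce(proc: str = "/proc", max_pid: int = MAX_PID) -> Set[int]:
    """PIDs that exist when probed directly as /proc/<n>, like the chdir() loop.
    A direct probe never calls readdir(), so a kernel module that only filters
    the directory listing cannot keep a PID out of this set."""
    return {pid for pid in range(1, max_pid + 1)
            if os.path.isdir(os.path.join(proc, str(pid)))}


def hidden_pids(brute: Set[int], readdir: Set[int], ps: Set[int]) -> HiddenSets:
    """Exactly what the C loop counts: found by the probe but missing from
    readdir, and found by the probe but missing from ps."""
    return brute - readdir, brute - ps


def confirm_hidden(first: HiddenSets, second: HiddenSets) -> HiddenSets:
    """Keep only PIDs hidden in both of two independent passes.
    A process created or exited between ps, readdir() and the probe loop is
    hidden in one pass only; a process that is really being concealed stays
    hidden in every pass."""
    return first[0] & second[0], first[1] & second[1]


def report(hidden: HiddenSets) -> List[str]:
    """Same wording as chkproc, one line per non-empty category."""
    lines = []
    if hidden[0]:
        lines.append("You have % 5d process hidden for readdir command" % len(hidden[0]))
    if hidden[1]:
        lines.append("You have % 5d process hidden for ps command" % len(hidden[1]))
    return lines


def scan_once() -> HiddenSets:
    """One pass: gather the three views of the process table, then compare."""
    ps = pids_from_ps()
    rd = pids_from_readdir()
    brute = pids_from_bruteforce()
    return hidden_pids(brute, rd, ps)


if __name__ == "__main__":
    result = confirm_hidden(scan_once(), scan_once())
    for line in report(result):
        print(line)
    if result[0] or result[1]:
        print("Warning: Possible LKM Trojan installed")
    else:
        print("nothing consistently hidden across two passes")
```

Run as a script on a Linux box it prints the same two summary lines chkproc does, but only for PIDs that stayed hidden across both passes; a single run with verbose PID lists, as in the C code, is what the excerpt produces.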