
Re: chkrootkit-0.31 and possible bug?



Hi,

It is possible your rootkit check sent up a false flag.  It is also possible
(though unlikely) the attacker rigged the kernel to report any changed
files with the same data they had before, with the same timestamp (this
is a stretch...).  If you can afford some down time, boot the system
with a rescue disk (clean kernel) and use some clean tools on it...


Phil

On Thu, Jun 06, 2002 at 07:15:24PM +0200, Willi Dyck wrote:
> Hi *,
> 
> on a daily basis I do run chkrootkit version 0.31 on a server I
> maintain. Today chkrootkit reported the following:
> 
>    Checking `lkm'... You have 1 process hidden for readdir command
>    You have 1 process hidden for ps command
>    Warning: Possible LKM Trojan installed
> 
> That, of course, got me shocked. I then ran chkrootkit manually and
> what? This complaint disappeared! That made me suspicious. I copied some
> tools (ps, ls, netstat, lsmod, lsof, ifconfig, find etc...) to a floppy
> and mounted it read-only on that server machine. 'lsmod' did not show
> anything not normal, 'netstat -atlnp' same, 'ps -ef' same too.
> The other thing is that tripwire did not complain about anything! The
> tripwire database is on a read-only medium and the tripwire executables
> too. *If* someone cracked in, he must be really good at it, I think!
> 
> As I do not have anything on that machine that'd be worth taking that much
> effort in cracking it, my thought now is that chkrootkit did something
> wrong. An excerpt from chkproc.c: (lines 66-92)
> 
> 
>    /* Brute force */
>    strcpy(buf, "/proc/");
>    retps = retdir = 0;
>    for (i = 1; i <= MAX_PROCESSES; i++)
>    {
>       snprintf(&buf[6], 6, "%d", i); 
>       if (!chdir(buf))
>       {
>          if (!dirproc[i])
>          {
>             retdir++;
>             if (verbose)
>                printf ("PID %5d: not in readdir output\n", i);
>          }
>          if (!psproc[i])
>          {
>             retps++;
>             if (verbose)
>                printf ("PID %5d: not in ps output\n", i);
>          }
>       }
>    }
>    if (retdir)
>       printf("You have % 5d process hidden for readdir command\n", retdir);
>    if (retps)
>       printf("You have % 5d process hidden for ps command\n", retps);
>    return (retps+retps);
> }
> 
> 
> My understanding is that chkproc checks the output of ps against the
> entries in /proc/$PID, where $PID is the directory corresponding to
> the process with a PID of $PID, and if ps misses a process which is
> actually in /proc it commits the above. Right?
> 
> And if so, what could make chkproc think it is seeing something that is
> probably not there? Perhaps some kind of runtime failure in the C code?
> 
> Thoughts, ideas, explanations?
> Best regards, -W.Dyck
> 
> 




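As an added example (written for this thread, not taken from either poster or from chkrootkit's source), here is a Python model of the comparison the quoted chkproc loop performs, together with one benign sequence of events that yields exactly the two warning lines in the original report: the readdir and ps views are sampled before the brute-force sweep, so a process created in between is counted as "hidden" from both. The value of MAX_PROCESSES and the `ps -e -o pid=` invocation are assumptions, not taken from the page.

```python
"""Model of the chkproc check quoted above (added example, not chkrootkit's code).
chkproc compares three views of the process table: readdir("/proc"), `ps` output and a
brute-force chdir("/proc/<pid>") sweep; a process that starts between the snapshots
and the sweep looks "hidden" to both because the views are not taken atomically."""
import os
import subprocess
import sys

MAX_PROCESSES = 99999  # assumption: the bound of the quoted loop is not shown on the page

def compare_views(chdir_pids, readdir_pids, ps_pids):
    """Mirror the quoted loop: a PID the sweep can enter but that is missing from the
    readdir or ps view counts toward retdir or retps (returned here as two sets)."""
    chdir_pids = set(chdir_pids)
    return chdir_pids - set(readdir_pids), chdir_pids - set(ps_pids)

def report(hidden_readdir, hidden_ps):
    """Render the two warning lines chkproc prints (empty list when nothing is hidden)."""
    lines = []
    if hidden_readdir:
        lines.append(f"You have {len(hidden_readdir)} process hidden for readdir command")
    if hidden_ps:
        lines.append(f"You have {len(hidden_ps)} process hidden for ps command")
    return lines

def simulate_transient(stable_pids, transient_pid):
    """Constructed scenario: readdir and ps are sampled, then a short-lived process
    (a cron child, say) appears before the sweep reaches its PID. Nothing is
    hidden, yet both counters go to 1, matching the output in the original post."""
    readdir_pids = set(stable_pids)                   # snapshot 1: readdir("/proc")
    ps_pids = set(stable_pids)                        # snapshot 2: `ps`
    chdir_pids = set(stable_pids) | {transient_pid}   # sweep: the new PID now exists
    return compare_views(chdir_pids, readdir_pids, ps_pids)

def collect_live_views():
    """Take the three views on a real Linux host in chkproc's order; os.path.isdir
    stands in for the chdir() probe of the quoted C."""
    readdir_pids = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    ps_out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                            text=True, check=True).stdout
    ps_pids = {int(tok) for tok in ps_out.split()}
    chdir_pids = {p for p in range(1, MAX_PROCESSES + 1) if os.path.isdir(f"/proc/{p}")}
    return chdir_pids, readdir_pids, ps_pids

if __name__ == "__main__":
    print("\n".join(report(*simulate_transient({1, 2, 345, 1200}, 1201))))
    if sys.platform.startswith("linux"):
        print("\n".join(report(*compare_views(*collect_live_views()))) or "live check: clean")
```

Running the live check repeatedly on a busy host is the cheapest way to tell a transient hit from a persistent one: a PID that is hidden in every pass deserves the rescue-disk treatment suggested above, one that vanishes on the rerun does not.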