
Re: [SOLVED] chkrootkit-0.31 and possible bug?



On Thu, Jun 06, 2002 at 11:40:01PM +0200, Daniel Kobras did this all over the keyboard:
> On Thu, Jun 06, 2002 at 07:15:24PM +0200, Willi Dyck wrote:
> > on a daily basis I do run chkrootkit version 0.31 on a server I
> > maintain. Today chkrootkit reported the following:
> > 
> >    Checking `lkm'... You have 1 process hidden for readdir command
> >    You have 1 process hidden for ps command
> >    Warning: Possible LKM Trojan installed
> > 
> > That, of course, got me shocked. I then ran chkrootkit manually and
> > what? This complaint disappeared!
> 
> The code snippet below contains an obvious race.  It first runs readdir
> and ps and caches the result, afterwards checks every possible
> /proc/<pid>.  If a perfectly ordinary process happens to get started
> between both checks, it will show up on chkrootkit's radar.  It's always
> a good attitude to be paranoid about security issues, but in this case I
> believe the fact that you haven't been able to reproduce the warning
> quite clearly shows that indeed you happened to hit the race condition.

Finally, I've come to the conclusion that indeed it must have been some
ordinary process starting between the two checks. I verified the system
from my backups, and everything seems to be the way it should.
I can sleep better now. Many thanks to all who replied!

Best regards,

Willi

-- 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GPA/CS dx s-:- a-- C++$ UL/S+++>++++ P++>+++ L+++(++++)$ !E W+ N- o?
K? !w 0? !M V- PS++(---) !PE Y+ PGP++ t-- !5 X+ R- !tv b+(++) DI++
D+++ G e+ h-- r y?
------END GEEK CODE BLOCK------
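
The race discussed in this thread, as an added example that is not part of the original messages and is not chkrootkit's code: a check that caches the process listing first and probes every PID afterwards flags any process started in between, while re-checking a suspect against a fresh listing clears it. FakeProcTable, naive_check and confirmed_check are hypothetical names, and the process tables are constructed.

```python
class FakeProcTable:
    """Constructed stand-in for /proc, used to replay the race deterministically."""

    def __init__(self, running, hidden=(), spawn_after_listing=()):
        self.running = set(running)
        self.hidden = set(hidden)               # running, but filtered out of listings
        self.pending = set(spawn_after_listing)  # ordinary processes about to start

    def list_pids(self):
        """What readdir/ps would report at this moment."""
        snapshot = self.running - self.hidden
        # An ordinary process starts right after the listing was taken.
        self.running |= self.pending
        self.pending = set()
        return snapshot

    def probe(self, pid):
        """Direct per-PID check, standing in for testing /proc/<pid>."""
        return pid in self.running


def naive_check(list_pids, probe, max_pid):
    """Racy order: cache the listing, then probe every possible PID."""
    listed = set(list_pids())
    return [pid for pid in range(1, max_pid + 1)
            if probe(pid) and pid not in listed]


def confirmed_check(list_pids, probe, max_pid, rounds=2):
    """Report a PID only if it stays probeable yet absent from fresh listings."""
    suspects = naive_check(list_pids, probe, max_pid)
    for _ in range(rounds):
        if not suspects:
            break
        listed = set(list_pids())  # fresh listing, taken after the probe
        suspects = [pid for pid in suspects
                    if probe(pid) and pid not in listed]
    return suspects


if __name__ == "__main__":
    racy = FakeProcTable({1, 40}, spawn_after_listing={77})
    print("naive:", naive_check(racy.list_pids, racy.probe, 100))
    racy = FakeProcTable({1, 40}, spawn_after_listing={77})
    print("confirmed:", confirmed_check(racy.list_pids, racy.probe, 100))
```

A PID that is still reported after the re-check is persistently missing from the listing and is the case worth investigating.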
