Re: chkrootkit and LKM

To: IC0N <icon@icon.dyndns.org>
Cc: debian-security@lists.debian.org
Subject: Re: chkrootkit and LKM
From: Eric LeBlanc <inouk@igt.net>
Date: Mon, 26 May 2003 13:35:25 -0400 (EDT)
Message-id: <Pine.LNX.4.44.0305261331550.30260-100000@toutatis.igt.net>
In-reply-to: <20030526152705092164.GyazMail.icon@icon.dyndns.org>


the prog compare the proc list in /proc and the output of command 'ps'.
So, when the chkrootkit will list in /proc, and then get an output from ps,
the time between two operation is larger enough to create others process
(or die/kill)...

that's why this check is not VERY reliable.


E.
--
Eric LeBlanc
inouk@igt.net
--------------------------------------------------
UNIX is user friendly.
It's just selective about who its friends are.
==================================================

On Mon, 26 May 2003, IC0N wrote:

> Bonjour
>
> as Jacques Lavignotte <jaclavi@pollux.frmug.org> and Jens Schuessler
> <jgs@trash.net> posted in their mails at 7th of March 2003 i have
> exactly the same alert message using chkrootkit:
>
> Checking `lkm'... You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
>
> Sometimes I get 2 or 3 processes, sometimes NONE
>
> is there a plausible reason why there could be a hidden prozess?
> hidden even for root? even if LKM is not installed? i did not find
> any possible reason. i only know that i can also "reproduce" the
> alert by installing debian on a brand new harddisk. i used debian
> woody 3.0 with kernel 2.2 CD Image of 11th of december 2002.
>
> greetings icon
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>

Reply to:

References:
- chkrootkit and LKM
  - From: IC0N <icon@icon.dyndns.org>

Prev by Date: chkrootkit and LKM
Next by Date: Unidentified subject!
Previous by thread: chkrootkit and LKM
Next by thread: Unidentified subject!
Index(es):
- Date
- Thread