
strange PIDs on kernel threads



Hi.

Chkrootkit gave me the following message:

Checking `lkm'... You have     4 process hidden for ps command
Warning: Possible LKM Trojan installed

So I did:

# chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v
###
PID     3: not in ps output
CWD     3: /
EXE     3: /
PID     4: not in ps output
CWD     4: /
EXE     4: /
PID     5: not in ps output
CWD     5: /
EXE     5: /
PID     6: not in ps output
CWD     6: /
EXE     6: /
You have     4 process hidden for ps command

I poked around, and the dirs exist in /proc and contain nothing unusual
(as far as I can see, which may not be far :)

The box is running "unstable", and I have apache installed along with
openssl (I keep the box up to date as much as possible). Apache has been
flaky lately; it doesn't start normally, and '/etc/init.d/apache
start|restart' doesn't work. 'apache -X' reveals that it is actually
segfaulting. I usually start apache like this: 'apache -f
/etc/apache/httpd-ssl', which works fine. I'm not sure if this means I've
been cracked through apache, but something is not right. I'm used to
things being odd running unstable, and some handiwork is sometimes
needed after a major upgrade, but apache has been like this for a long
time now.

The funny thing is that the PIDs in question here are so low. Moreover,
they're actually not hidden from ps, just set to 0 (impossible).

Here's a short snippet of the output from 'ps uax':

# ps uax
USER  PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root    1  0.2  0.3  1460  448 ?        S    11:07   0:08 init [2]
root    2  0.0  0.0     0    0 ?        SW   11:07   0:00 [keventd]
root    0  0.0  0.0     0    0 ?        SWN  11:07   0:00 [ksoftirqd_CPU0]
root    0  0.0  0.0     0    0 ?        SW   11:07   0:00 [kswapd]
root    0  0.0  0.0     0    0 ?        SW   11:07   0:00 [bdflush]
root    0  0.0  0.0     0    0 ?        SW   11:07   0:00 [kupdated]
root    7  0.0  0.0     0    0 ?        SW   11:07   0:00 [pagebufd]
root    8  0.0  0.0     0    0 ?        SW   11:07   0:00 [xfslogd/0]
root    9  0.0  0.0     0    0 ?        SW   11:07   0:00 [xfsdatad/0]
root   10  0.0  0.0     0    0 ?        SW   11:07   0:00 [kjournald]

As shown, PIDs 3, 4, 5 and 6 are set to 0.

I don't know what this means, but I have it on two boxes (the other one
is not running apache, but may very well be compromised through the
first box). I hope someone can shed some light on this.

Regards,

nikolai.


PS.
</gre_replace>
<gr_insert after="80" cat="add_content" lang="python" orig="not on the">
As an added illustration (not chkrootkit's own code, and not part of the original mail), the following script reproduces the comparison chkproc performs, /proc PIDs versus the PIDs that ps prints, on constructed input copied from the 'ps uax' snippet above. It assumes the /proc listing held entries 1 through 7, and the "matched by a PID-0 row" rule for separating a ps display problem from genuinely missing entries is a heuristic of this example, not a chkrootkit feature.

```python
import os

# Constructed sample input: the 'ps uax' header and rows quoted in the post.
PS_OUTPUT = """\
USER  PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root    1  0.2  0.3  1460  448 ?        S    11:07   0:08 init [2]
root    2  0.0  0.0     0    0 ?        SW   11:07   0:00 [keventd]
root    0  0.0  0.0     0    0 ?        SWN  11:07   0:00 [ksoftirqd_CPU0]
root    0  0.0  0.0     0    0 ?        SW   11:07   0:00 [kswapd]
root    0  0.0  0.0     0    0 ?        SW   11:07   0:00 [bdflush]
root    0  0.0  0.0     0    0 ?        SW   11:07   0:00 [kupdated]
root    7  0.0  0.0     0    0 ?        SW   11:07   0:00 [pagebufd]
"""

# Constructed (assumption): the numeric directory names seen in /proc on the box.
PROC_PIDS = [1, 2, 3, 4, 5, 6, 7]


def parse_ps(text):
    """Parse 'ps uax' output into (pid, command) pairs, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split(None, 10)      # COMMAND may itself contain spaces
        if len(fields) == 11:
            rows.append((int(fields[1]), fields[10]))
    return rows


def live_proc_pids():
    """PIDs currently visible in /proc (what chkproc walks); empty without /proc."""
    if not os.path.isdir("/proc"):
        return []
    return sorted(int(d) for d in os.listdir("/proc") if d.isdigit())


def reconcile(proc_pids, ps_rows):
    """Mirror chkproc: every /proc PID absent from ps is reported as hidden.
    Also collect ps rows printed with PID 0, which no real process can have."""
    ps_pids = {pid for pid, _ in ps_rows}
    hidden = sorted(p for p in proc_pids if p not in ps_pids)
    zero_rows = [cmd for pid, cmd in ps_rows if pid == 0]
    if not hidden:
        verdict = "clean"
    elif len(hidden) == len(zero_rows) and all(c.startswith("[") for c in zero_rows):
        # Every 'missing' PID is accounted for by a kernel-thread row that ps
        # printed as PID 0: the entries are visible, ps is mislabelling them.
        verdict = "ps-pid-display-mismatch"
    else:
        verdict = "unexplained-hidden-pids"
    return {"hidden": hidden, "pid0_rows": zero_rows, "verdict": verdict}


if __name__ == "__main__":
    print(reconcile(PROC_PIDS, parse_ps(PS_OUTPUT)))
```

On a live box, replace PROC_PIDS with live_proc_pids() and PS_OUTPUT with the real 'ps uax' output to run the same reconciliation.
<test>
assert reconcile(PROC_PIDS, parse_ps(PS_OUTPUT))["hidden"] == [3, 4, 5, 6]
assert len(reconcile(PROC_PIDS, parse_ps(PS_OUTPUT))["pid0_rows"]) == 4
assert reconcile(PROC_PIDS, parse_ps(PS_OUTPUT))["verdict"] == "ps-pid-display-mismatch"
assert reconcile([1, 2, 7, 99], parse_ps(PS_OUTPUT))["verdict"] == "unexplained-hidden-pids"
assert reconcile([1, 2, 7], parse_ps(PS_OUTPUT))["verdict"] == "clean"
assert parse_ps(PS_OUTPUT)[0] == (1, "init [2]")
</test>
</gr_insert>
<gr_replace lines="84" cat="remove_boilerplate" orig="Reply to:">
this was first sent to debian-user, but I meant to send it here as I'm
not on the user-list. Sorry if you got it twice.



Reply to: