
Re: chkrootkit reporting processes hidden



On Wed, 29 Oct 2003 at 02:59:17PM -0500, Michael Bordignon wrote:
> I have chkrootkit running nightly and mailing results to me - last night it
> reported this:
> 
> Checking `lkm'... You have     1 process hidden for readdir command
> You have     1 process hidden for ps command
> Warning: Possible LKM Trojan installed
> Checking `sniffer'...
> PROMISC mode detected in one of these interfaces: eth0 eth1
> 
> I have no idea how to proceed further, could someone suggest the steps I
> should take now?

I think there is a race condition that was discussed before about
rootkit checkers.  First it reads in data from the PS command.  It then
stores this data in a buffer.  Then it reads /proc (or vice versa, I
forget the order).  It then compares the two places.

If a new process should happen to start between these two reads it will
generate this message.

Now, I am not saying there is *NOT* a security problem with your
machine.

AFA the PROMISC mode on the NICs...are you running snort or something
of the like?  If so, these NIDs (Network Intrusion Detectors) place
cards in PROMISC mode to watch traffic.

Just a few things to be aware of...

-- 
Phillip Hofmeister

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #47: Cosmic ray particles crashed through the hard disk platter 
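The race described in the reply above, worked through as an added example (not code from the thread or from chkrootkit): the same two views of the process table, `ps` and a `readdir` of `/proc`, are sampled more than once, and only a PID that is inconsistent in every pass is reported, so a process that merely started or exited between the two reads drops out. It assumes a Linux host with `ps` available; the direction names are this example's own, not chkrootkit's internal labels.

```python
import os
import subprocess
import time

def list_proc_pids():
    """PIDs seen by reading /proc: the 'readdir' view in the chkrootkit message."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def list_ps_pids():
    """PIDs seen through the ps command: the 'ps' view in the chkrootkit message."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def hidden_pids(ps_pids, proc_pids):
    """One-shot comparison, as the checker does it. Any process that started or
    exited between the ps read and the /proc read shows up here as 'hidden'."""
    return {"hidden_for_ps": proc_pids - ps_pids,       # in /proc, not listed by ps
            "hidden_for_readdir": ps_pids - proc_pids}  # listed by ps, not in /proc

def persistent_hidden(snapshots):
    """Keep only PIDs that are inconsistent in *every* snapshot.

    snapshots: list of (ps_pids, proc_pids) pairs, one per pass.
    A PID flagged in one pass but not the next was most likely caught
    mid-start or mid-exit (the race in the thread); a PID that stays
    hidden across all passes is the one worth looking at by hand."""
    results = [hidden_pids(ps, proc) for ps, proc in snapshots]
    return {key: set.intersection(*(r[key] for r in results))
            for key in ("hidden_for_ps", "hidden_for_readdir")}

def scan(passes=3, delay=0.5):
    """Live version: sample both views several times, a short pause apart."""
    snapshots = []
    for _ in range(passes):
        snapshots.append((list_ps_pids(), list_proc_pids()))
        time.sleep(delay)
    return persistent_hidden(snapshots)

if __name__ == "__main__":
    print(scan())
```

A persistent discrepancy is still only a lead: confirm it with a second tool (or from a clean boot medium) before trusting either view, since a kernel-level rootkit can lie to both.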
