Re: chkrootkit reporting processes hidden

To: debian-security@lists.debian.org
Subject: Re: chkrootkit reporting processes hidden
From: Scott J Wehrenberg <wehresj@auburn.edu>
Date: Thu, 30 Oct 2003 00:53:07 -0600
Message-id: <[🔎] 20031030005307.33852@mallard.duc.auburn.edu>
In-reply-to: <[🔎] 20031030021124.GA12760@zionlth.org>; from Phillip Hofmeister on Wed, Oct 29, 2003 at 09:11:24PM -0500
References: <[🔎] B10E90A4CF8BD61193CF0000F8E238952F13DC@mail.infometrics.co.nz> <[🔎] 20031030021124.GA12760@zionlth.org>

On Wed, Oct 29, 2003 at 09:11:24PM -0500, Phillip Hofmeister wrote:
> I think there is a race condition that was discussed before about
> rootkit checkers.  First it reads in data from the PS command.  It then
> stores this data in a buffer.  Then it reads /proc (or visa-versa, I
> forget the order).  It then compares the two places.
> 

I think the explanation is a little simpler. Check out this bug in procps:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217525

Basically ps reports a couple PIDs as zero. This then confuses chkrootkit when
I compares.

Scott Wehrenberg

Reply to:

References:
- chkrootkit reporting processes hidden
  - From: Michael Bordignon <michael.b@infometrics.co.nz>
- Re: chkrootkit reporting processes hidden
  - From: Phillip Hofmeister <plhofmei@zionlth.org>

Prev by Date: Re: apache security issue (with upstream new release)
Next by Date: Re: Transparent bridge firewall with bridge-nf
Previous by thread: Re: chkrootkit reporting processes hidden
Next by thread: RE: chkrootkit reporting processes hidden
Index(es):
- Date
- Thread