
Re: chkrootkit and linux 2.6



On Wed, Dec 03, 2003 at 10:05:10AM +0100, Miek Gieben wrote:
> I more and more start to think this is a bug in chkrootkit - on
> busier systems more processes are hidden than on quiet systems.

Sounds to me like a race condition: the number of processes changes between
the two checks.

Indeed, in chkproc.c from chkrootkit you can see that the checks are
executed one after the other, and it's possible processes die or get forked
between those checks.
 
> I'll try it on 2.4 and see what happens,

I always get 4 hidden processes on one 2.4.20 box, because:

$ ps aux|head
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  1484  416 ?        S    Apr10   0:09 init [2]
root         2  0.0  0.0     0    0 ?        SW   Apr10   1:00 [keventd]
root         3  0.0  0.0     0    0 ?        SW   Apr10   0:04 [kapmd]
root         0  0.0  0.0     0    0 ?        SWN  Apr10   0:48 [ksoftirqd_CPU0]
           ^^^^
root         0  0.0  0.0     0    0 ?        SW   Apr10  69:16 [kswapd]
root         0  0.0  0.0     0    0 ?        SW   Apr10   0:00 [bdflush]
root         0  0.0  0.0     0    0 ?        SW   Apr10   0:12 [kupdated]
root         9  0.0  0.0     0    0 ?        SW   Apr10   0:00 [khubd]
root        12  0.0  0.0     0    0 ?        SW   Apr10  56:49 [kjournald]
$ 

Actually, these four processes are kernel processes... PIDs are 4-7, and
/proc/$PID does exist (only even root has no permission to read the cmd and
exe symlinks, and cmdline is empty, fd inaccessible, etc.)

Possibly a bug in ps (running testing/sarge)... But I didn't research it further yet.

--Jeroen

-- 
Jeroen van Wolffelaar
+31-30-253 4499
Jeroen@A-Eskwadraat.nl
http://Jeroen.A-Eskwadraat.nl
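The two effects described in the message above, the fork/exit race between the /proc pass and the ps pass and the four kernel threads that ps prints as PID 0, can both be reproduced and filtered with a small scanner. The code below is an added example, not chkrootkit's chkproc.c: it does the same "/proc minus ps" comparison, then re-checks each candidate on fresh listings so a PID that merely came or went between two passes is discarded, and reports PIDs with an empty /proc/PID/cmdline (which is what the kernel threads look like on the quoted box) separately from hidden user processes. The function names, the retry count of three passes and the constructed listings in `fake_box()` are this example's own choices; `scan_live()` runs the same logic against the real /proc and `ps` on a Linux host.

```python
"""Added example: a /proc-versus-ps hidden-process check that re-verifies
candidates across several passes (not chkrootkit's own code)."""
import os
import subprocess


def naive_hidden(proc_pids, ps_pids):
    """One-pass chkproc-style check: PIDs seen in /proc but missing from ps.
    Any process that exits between the two listings ends up here."""
    return set(proc_pids) - set(ps_pids)


def reverify(candidates, take_proc, take_ps, passes=3):
    """Re-examine each candidate on fresh listings.

    A genuinely hidden process stays in /proc and stays missing from ps on
    every pass.  A PID that only existed during one of the original scans
    (the race discussed in the thread) drops out and is discarded."""
    survivors = set(candidates)
    for _ in range(passes):
        if not survivors:
            break
        proc_now, ps_now = take_proc(), take_ps()
        survivors = {p for p in survivors if p in proc_now and p not in ps_now}
    return survivors


def split_kernel_threads(pids, cmdline_of):
    """Separate PIDs whose /proc/PID/cmdline is empty (kernel threads).

    The quoted ps output prints PID 0 for four of them, so they would
    otherwise be reported as hidden user processes."""
    kernel, user = set(), set()
    for p in pids:
        (kernel if cmdline_of(p) == b"" else user).add(p)
    return kernel, user


def check(take_proc, take_ps, cmdline_of, passes=3):
    """Full pipeline.  Returns (hidden_user_pids, unmatched_kernel_threads)."""
    candidates = naive_hidden(take_proc(), take_ps())
    confirmed = reverify(candidates, take_proc, take_ps, passes)
    kernel, user = split_kernel_threads(confirmed, cmdline_of)
    return user, kernel


# --- live Linux helpers (assumed layout of /proc and procps `ps -eo pid=`) ---
def live_proc_pids():
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def live_ps_pids():
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def live_cmdline(pid):
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:
            return fh.read()
    except OSError:
        return b""  # vanished or unreadable: treat like a kernel thread


def scan_live(passes=3):
    return check(live_proc_pids, live_ps_pids, live_cmdline, passes)


# --- constructed reproduction of the race and the PID-0 quirk ---------------
def fake_box():
    """Constructed listings modelled on the quoted 2.4.20 box: ps prints
    PID 0 for kernel threads 4-7, and a short-lived PID 1234 is alive only
    during the very first /proc scan."""
    steady = {1, 2, 3, 4, 5, 6, 7, 9, 12}
    calls = {"proc": 0}

    def take_proc():
        calls["proc"] += 1
        return steady | ({1234} if calls["proc"] == 1 else set())

    def take_ps():
        return {1, 2, 3, 0, 9, 12}  # ps collapsed 4..7 into PID 0

    def cmdline_of(pid):
        return b"init\x00[2]\x00" if pid == 1 else b""

    return take_proc, take_ps, cmdline_of


def demo_naive():
    """One pass only: reports the dead PID 1234 plus the four kernel threads."""
    take_proc, take_ps, _ = fake_box()
    return naive_hidden(take_proc(), take_ps())


def demo_checked():
    """Re-verified: the race artefact is gone, 4-7 are classified as kernel."""
    return check(*fake_box())


if __name__ == "__main__":
    print("naive:", sorted(demo_naive()))
    print("checked (user, kernel):", demo_checked())
```

On a real machine `scan_live()` still reports a process that a trojaned `ps` hides, because such a PID is missing from every ps listing while remaining in /proc; only PIDs that flip between passes are dropped.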