
Re: [UCLUG] LKM and chkrootkit



I had been considering installing chkrootkit on 1 of my servers after
reading about it in SysAdm magazine. One of the things that I noticed
was that all that chkproc (the part of chkrootkit that is probably
returning the warning) does is compare the output of the ps
command with the content of the /proc directory. It would seem to me
that (depending on the frequency that chkproc is run and system activity)
there is room for a _LOT_ of false positives here. If you happen to be
running a short shell script or listing a directory, the process may
show up in only 1 of the 2 places being compared at a point in time.
This would cause the warning that you are getting, and would be part of
normal, rather than malicious, system activity.
I was still looking at issues like this with this package. How long have
you been running it? I'm not in a hurry to add anything else that
creates a lot of noise (from a security standpoint) to my environment.
(I'm running a little PERL thingy to monitor access on the WAN and LAN
side of a Linksys Cable/DSL router and that's scary enough without
looking any farther!)
HTH!
stevep

On Tue, 2002-08-06 at 18:12, Charles Baker wrote:
> I got a warning from my daily run of chkrootkit
> yesterday
> 
> Checking `lkm'... You have     4 process hidden for \
> readdir command
> You have     4 process hidden for ps command
> Warning: Possible LKM Trojan installed
> 
> I haven't taken down the box yet, because I was
> investigating and there's no real sensitive data on
> there. Has anyone seen this before? Today's output of
> chkrootkit did not give the same warning. I don't see
> any other signs of tampering, except that I probably
> got DOS'ed, or at least apache went down in the wee
> hours this morning and I didn't notice until I got to
> work, and had to start it when I came home for lunch.
> The log files aren't missing, but I don't yet know if
> they have been altered. Suggestions for forensics
> anyone? After Tai Chi class, I think I'll check into
> the coroner's toolkit.
> 
> http://www.porcupine.org/forensics/tct.html
> 
> http://www.chkrootkit.org/
> 
> =====
> rascharles@yahoo.com
> http://www.charleshbaker.com/~chb/
> Hacking is a "Good Thing!"
> See http://www.tuxedo.org/~esr/faqs/hacker-howto.html
> 
> _______________________________________________
> UCLUG mailing list
> UCLUG@uclug.org
> http://www.uclug.org/mailman/listinfo/uclug
> 
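The false-positive concern raised above (a short-lived process showing up in /proc but not in ps, or vice versa, between the two listings) can be reduced by taking several snapshots and only flagging PIDs that are hidden in every one. This is an added illustration, not chkrootkit's own chkproc code: it is a simplified reimplementation of the /proc-versus-ps comparison, and the `SAMPLE_SNAPSHOTS` data is constructed.

```python
"""Compare readdir(/proc) against ps(1), as chkproc does, but tolerate
transient processes by requiring a PID to be hidden in every snapshot."""
import os
import subprocess
import time


def list_proc_pids(proc_dir="/proc"):
    """PIDs visible to readdir() on /proc (numeric directory names)."""
    return {int(name) for name in os.listdir(proc_dir) if name.isdigit()}


def list_ps_pids():
    """PIDs reported by ps(1); `pid=` suppresses the header line."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(proc_pids, ps_pids):
    """Single-snapshot check, both directions: a PID in /proc but not in ps
    is 'hidden for ps'; a PID in ps but not in /proc is 'hidden for readdir'."""
    return {"ps": proc_pids - ps_pids, "readdir": ps_pids - proc_pids}


def persistently_hidden(snapshots):
    """Only keep PIDs hidden in *every* snapshot. A shell script or `ls` that
    exits between the two listings is present in one snapshot only and drops
    out of the intersection, which removes the race-condition false positives."""
    if not snapshots:
        return {"ps": set(), "readdir": set()}
    per_snapshot = [hidden_pids(p, s) for p, s in snapshots]
    return {key: set.intersection(*(h[key] for h in per_snapshot))
            for key in ("ps", "readdir")}


def check_live(n=3, delay=0.5):
    """Take n live snapshots a short delay apart and report persistent hits."""
    snaps = []
    for _ in range(n):
        snaps.append((list_proc_pids(), list_ps_pids()))
        time.sleep(delay)
    return persistently_hidden(snaps)


# Constructed sample (not real data): PID 4242 is a transient `ls` that appears in
# /proc only in the first snapshot; PID 1337 is absent from ps in every snapshot.
SAMPLE_SNAPSHOTS = [
    ({1, 2, 1337, 4242}, {1, 2}),
    ({1, 2, 1337}, {1, 2}),
    ({1, 2, 1337, 99}, {1, 2, 99}),
]
```

A single snapshot of the sample data reports both 1337 and 4242 as hidden for ps, while the intersection across snapshots keeps only 1337.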