
Re: [UCLUG] LKM and chkrootkit



On 06 Aug 2002 20:04:28 -0400 Steve Phillips <stevep@infosvcgrp.com>
wrote:

> On Tue, 2002-08-06 at 18:12, Charles Baker wrote:
> > I got a warning from my daily run of chkrootkit yesterday
> > 
> > Checking `lkm'... You have     4 process hidden for \
> > readdir command
> > You have     4 process hidden for ps command
> > Warning: Possible LKM Trojan installed

> I had been considering installing chkrootkit on 1 of my servers after
> reading about it in SysAdm magazine. One of the things that I noticed
> was that all that the chkproc ( the part of chkrootkit that is
> probably returning the warning) does is compare the output of
> the ps command with the content of the /proc directory. It would seem
> to me that (depending on frequency that chkproc is run and system
> activity) there is room for a _LOT_ of false positives here. If you
> happen to be

My daily runs of chkrootkit present me with that warning as well, 2 out
of 3 times it is run. It has been doing that since I installed it half a
year ago.

I inspected the sources (chkrootkit is a shell script plus a few
binaries) and arrived at the same conclusion as Charles's. I checked
further to see exactly what processes were causing the false positives,
and here are a few of my results:

1) /bin/sh /etc/cron.daily/dlocate /usr/bin/perl /usr/sbin/update-dlocatedb

2) run-parts --report /etc/cron.daily

3) /bin/bash /root/bin/cuckoo/cuckoo.main quarter

4) /USR/SBIN/CRON /bin/bash /root/bin/lkm-pid

And many more like these. I could not find anything I couldn't account
for, either as a standard system maintenance task or as something of my
own. The last entry is my script catching itself :)))

It looks as though the lkm detection part of chkrootkit is extremely
poorly implemented, and so perhaps useless for its purpose. It should at
the very least make a reasonable effort at documenting the processes it
finds that are "hidden from the ps command".

Still, all the other tests seem to make it a good package to have
installed...

-- 
Carlos Sousa
http://vbc.dyndns.org/
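The ps-versus-/proc comparison that the thread describes chkproc doing, written out here as an added example (it is not chkrootkit's own code and only covers the "hidden for ps command" side, not the readdir/kill probing). It assumes a Linux /proc and a procps-style `ps -e -o pid=`, and adds the two things the poster asks for: it repeats the comparison and keeps only PIDs missing from ps in every round (which drops the short-lived cron and run-parts jobs listed above), and it prints the cmdline of whatever remains so the warning can be triaged.

```python
"""Added example, not chkrootkit's chkproc: compare PIDs in /proc with PIDs
reported by ps, keep only PIDs hidden in every sampling round, and report
their cmdline. Assumes Linux /proc and `ps -e -o pid=` (procps)."""
import os
import re
import subprocess
import time

PID_RE = re.compile(r"^\d+$")

def list_proc_pids():
    """PIDs currently present as numeric directories under /proc."""
    return {int(d) for d in os.listdir("/proc") if PID_RE.match(d)}

def list_ps_pids():
    """PIDs reported by `ps -e -o pid=` (one PID per line, no header)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(p) for p in out.split()}

def hidden_in_round(proc_pids, ps_pids):
    """PIDs seen in /proc that ps did not list in the same round.
    A process that exits between the two listings lands here too: that is
    exactly the race behind chkproc's false positives."""
    return set(proc_pids) - set(ps_pids)

def persistent_hidden(rounds):
    """Intersection of the per-round hidden sets: a PID must be missing from
    ps in every round to survive, which filters transient cron children."""
    result = None
    for proc_pids, ps_pids in rounds:
        h = hidden_in_round(proc_pids, ps_pids)
        result = h if result is None else result & h
    return result or set()

def describe(pid):
    """Cmdline of a PID from /proc, or a note if it is gone or has none."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            cmd = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        return cmd or "(kernel thread or empty cmdline)"
    except OSError:
        return "(exited before it could be read)"

def check(rounds=3, delay=1.0):
    """Live mode: sample /proc vs ps `rounds` times, `delay` seconds apart,
    and return {pid: cmdline} for PIDs hidden from ps in every sample."""
    samples = []
    for _ in range(rounds):
        samples.append((list_proc_pids(), list_ps_pids()))
        time.sleep(delay)
    return {pid: describe(pid) for pid in sorted(persistent_hidden(samples))}

if __name__ == "__main__":
    for pid, cmd in check().items():
        print(f"hidden from ps in every round: pid {pid}: {cmd}")
```

A PID that survives all rounds still deserves a manual look rather than an automatic alarm, since a long-running job can also slip through a single `ps`.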
