Re: [UCLUG] LKM and chkrootkit
On 06 Aug 2002 20:04:28 -0400 Steve Phillips <stevep@infosvcgrp.com>
wrote:
> On Tue, 2002-08-06 at 18:12, Charles Baker wrote:
> > I got a warning from my daily run of chkrootkit yesterday
> >
> > Checking `lkm'... You have 4 process hidden for \
> > readdir command
> > You have 4 process hidden for ps command
> > Warning: Possible LKM Trojan installed
> I had been considering installing chkrootkit on 1 of my servers after
> reading about it in SysAdm magazine. One of the things that I noticed
> was that all that chkproc (the part of chkrootkit that is
> probably returning the warning) does is compare the output of
> the ps command with the content of the /proc directory. It would seem
> to me that (depending on the frequency that chkproc is run and system
> activity) there is room for a _LOT_ of false positives here. If you
> happen to be
My daily runs of chkrootkit present me with that warning as well, 2 out
of 3 times it is run. It has been doing that since I installed it half a
year ago.
I inspected the sources (chkrootkit is a shell script plus a few
binaries) and arrived at the same conclusion as Charles's. I checked
further to see exactly what processes were causing the false positives,
and here are a few of my results:
1) /bin/sh /etc/cron.daily/dlocate /usr/bin/perl /usr/sbin/update-dlocatedb
2) run-parts --report /etc/cron.daily
3) /bin/bash /root/bin/cuckoo/cuckoo.main quarter
4) /USR/SBIN/CRON /bin/bash /root/bin/lkm-pid
And many more like these. I could not find anything I couldn't account
for, either as a standard system maintenance task or as something of my
own. The last entry is my script catching itself :)))
It looks as though the lkm detection part of chkrootkit is extremely
poorly implemented, and so perhaps useless for its purpose. It should at
the very least make a reasonable effort at documenting the processes it
finds that are "hidden from the ps command".
Still, all the other tests seem to make it a good package to have
installed...
--
Carlos Sousa
http://vbc.dyndns.org/
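An added example, not chkrootkit's own chkproc code and not Carlos's lkm-pid script: a Python re-implementation of the /proc-versus-ps comparison that only reports a PID if it existed in /proc both before and after ps ran and still does after a short settle delay, so cron jobs and run-parts children that start or exit mid-check are dropped, and it prints the command line of anything that stays hidden. `hidden_pids` is pure and testable offline; the live parts assume a Linux /proc and a ps that accepts `-e -o pid=`.

```python
"""Re-verified /proc-vs-ps check (example code, not chkrootkit's chkproc).

chkproc's idea: every PID visible as /proc/<pid> should also be listed by
ps; a PID in /proc that ps omits is "hidden". A process that starts or
exits between the /proc scan and the ps run looks hidden too. Requiring a
PID to be present in /proc before AND after ps, then re-checking after a
delay, removes those transient false positives.
"""
import os
import subprocess
import time

def hidden_pids(proc_before, ps_pids, proc_after):
    """PIDs (sets of int) that ps omitted although they were in /proc
    both before and after ps ran; PIDs seen only once are transient."""
    stable = proc_before & proc_after
    return stable - ps_pids

def read_proc_pids():
    """PIDs currently present as numeric directories under /proc (Linux)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def read_ps_pids():
    """PIDs as reported by ps(1) itself."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def describe(pid):
    """Command line from /proc/<pid>/cmdline (empty for kernel threads)."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return "<gone>"

def check(settle=0.5):
    """Live check; returns {pid: cmdline} for PIDs still hidden after re-verification."""
    before = read_proc_pids()
    ps = read_ps_pids()
    after = read_proc_pids()
    suspects = hidden_pids(before, ps, after) - {os.getpid()}  # ignore ourselves
    if not suspects:
        return {}
    time.sleep(settle)                      # let short-lived cron children finish
    still = hidden_pids(suspects, read_ps_pids(), read_proc_pids())
    return {pid: describe(pid) for pid in sorted(still)}

if __name__ == "__main__":
    found = check()
    for pid, cmd in found.items():
        print(f"pid {pid} hidden from ps: {cmd}")
    print(f"{len(found)} process(es) hidden from ps after re-verification")
```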