strange PIDs on kernel threads
Hi.
Chkrootkit gave me the following message:
Checking `lkm'... You have 4 process hidden for ps command
Warning: Possible LKM Trojan installed
So I did:
# chkrootkit -x lkm
ROOTDIR is `/'
###
### Output of: ./chkproc -v -v
###
PID 3: not in ps output
CWD 3: /
EXE 3: /
PID 4: not in ps output
CWD 4: /
EXE 4: /
PID 5: not in ps output
CWD 5: /
EXE 5: /
PID 6: not in ps output
CWD 6: /
EXE 6: /
You have 4 process hidden for ps command
I poked around, and the dirs exist in /proc and contain nothing unusual
(as far as I can see, which may not be far :)
The box is running "unstable", and I have apache installed along with
openssl (I keep the box up to date as much as possible). Apache has been
flaky lately, it doesn't start normally and '/etc/init.d/apache
start|restart' doesn't work. 'apache -X' reveals that it is actually
segfaulting. I usually start apache like this: 'apache -f
/etc/apache/httpd-ssl' which works fine. I'm not sure if this means I've
been cracked through apache, but something is not right. I'm used to
things being odd running unstable, and some handiwork is sometimes
needed after a major upgrade, but apache has been like this for a long
time now.
The funny thing is that the PIDs in question here are so low. Moreover,
they're actually not hidden from ps, just set to 0 (impossible).
Here's a short snippet of the output from 'ps uax':
# ps uax
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.2 0.3 1460 448 ? S 11:07 0:08 init [2]
root 2 0.0 0.0 0 0 ? SW 11:07 0:00 [keventd]
root 0 0.0 0.0 0 0 ? SWN 11:07 0:00 [ksoftirqd_CPU0]
root 0 0.0 0.0 0 0 ? SW 11:07 0:00 [kswapd]
root 0 0.0 0.0 0 0 ? SW 11:07 0:00 [bdflush]
root 0 0.0 0.0 0 0 ? SW 11:07 0:00 [kupdated]
root 7 0.0 0.0 0 0 ? SW 11:07 0:00 [pagebufd]
root 8 0.0 0.0 0 0 ? SW 11:07 0:00 [xfslogd/0]
root 9 0.0 0.0 0 0 ? SW 11:07 0:00 [xfsdatad/0]
root 10 0.0 0.0 0 0 ? SW 11:07 0:00 [kjournald]
As shown, PIDs 3, 4, 5 and 6 are set to 0.
I don't know what this means, but I have it on two boxes (the other one
is not running apache, but may very well be compromised through the
first box). I hope someone can shed some light on this.
Regards,
nikolai.
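The check chkproc reports on above (PIDs present in /proc but absent from `ps` output) can be reproduced and extended to also collect the rows where `ps` prints PID 0, so the two symptoms can be compared side by side. This is an added example, not part of the original post and not chkrootkit's code; the sample `ps` text and PID list below are constructed, modelled on the snippet above, and `live_proc_pids()` is only used when the script is run on a real box.

```python
import os

# Constructed sample modelled on the poster's `ps uax` snippet (not real output).
SAMPLE_PS = """USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.2 0.3 1460 448 ? S 11:07 0:08 init [2]
root 2 0.0 0.0 0 0 ? SW 11:07 0:00 [keventd]
root 0 0.0 0.0 0 0 ? SWN 11:07 0:00 [ksoftirqd_CPU0]
root 0 0.0 0.0 0 0 ? SW 11:07 0:00 [kswapd]
root 7 0.0 0.0 0 0 ? SW 11:07 0:00 [pagebufd]
"""
# Constructed: the numeric entries one would find when listing /proc on that box.
SAMPLE_PROC_PIDS = [1, 2, 3, 4, 7]


def parse_ps(text):
    """Parse `ps uax`-style output into ({pid: command}, [commands shown with PID 0])."""
    by_pid, pid0_rows = {}, []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 10)           # COMMAND may contain spaces: keep it whole
        if len(fields) < 11 or not fields[1].isdigit():
            continue
        pid, command = int(fields[1]), fields[10]
        if pid == 0:
            pid0_rows.append(command)           # ps printed an impossible PID
        else:
            by_pid[pid] = command
    return by_pid, pid0_rows


def cross_check(proc_pids, ps_text):
    """Return PIDs that exist in /proc but not in ps, plus the PID-0 rows ps printed."""
    by_pid, pid0_rows = parse_ps(ps_text)
    missing = sorted(p for p in proc_pids if p not in by_pid)
    return {"missing_from_ps": missing, "pid0_rows": pid0_rows}


def live_proc_pids():
    """Numeric directory names under /proc on the running system (Linux only)."""
    return sorted(int(name) for name in os.listdir("/proc") if name.isdigit())


if __name__ == "__main__":
    result = cross_check(SAMPLE_PROC_PIDS, SAMPLE_PS)
    print(result)
    # A count match between the two lists points at ps misreporting those
    # kernel threads rather than at entries hidden from /proc.
    print("counts match:", len(result["missing_from_ps"]) == len(result["pid0_rows"]))
```

On a live box replace `SAMPLE_PROC_PIDS` with `live_proc_pids()` and `SAMPLE_PS` with the captured output of `ps uax`; a PID that is missing from `ps` and has no matching PID-0 row is the case worth investigating further.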