
Re: My machine compromised?



First thing, you sent this to me instead of the list which seems like
what you wanted considering the last question.

On Wed, Dec 03, 2003 at 10:38:10PM -0800, Vanh Phom wrote:
> On Wed, 2003-12-03 at 02:07, Micha Feigin wrote:
> > On Wed, Dec 03, 2003 at 01:03:34AM -0800, Vanh Phom wrote:
> > > Hi folk,
> > > After reading a report of servers being compromised, just for curiosity I
> > > ran chkrootkit on my own machine and came up with this result:
> > > 
> > > Searching for anomalies in shell history files... nothing found
> > > Checking `asp'... not infected
> > > Checking `bindshell'... not infected
> > > Checking `lkm'... You have    12 process hidden for readdir command
> > > You have    12 process hidden for ps command
> > > Warning: Possible LKM Trojan installed
> > > Checking `rexedcs'... not found
> > > Checking `sniffer'... 
> > > eth0: PROMISC
> > > 
> > > Is my machine compromised? How to fix this?
> > > 
> > > Vanh
> > > 
> > 
> > If it's unstable, then there is a bug with chkrootkit.
> > Do a ps ax and see how many processes you have with pid 0. I don't
> > remember the criterion, but some processes owned by the kernel are
> > started with the kernel's pid, which is 0 (I hope I am not mixing things
> > up, but that is the essential idea; search the archives on this if you
> > want the exact story).
> > Also try running /usr/lib/chkrootkit/chkproc -v and it will tell you
> > exactly which processes are seen as hidden. You can then try to do:
> > cat /proc/<pid>/status (hoping that wasn't compromised if the computer
> > was, which it probably wasn't) to see what the process actually is.
> > 
> > 
> 
> I'm running 2.6.0test11 sid.
> /usr/lib/chkrootkit/chkproc -v reports no pid 0.

This will not show you pid 0 but which pids it thinks are hidden.
You should see pid 0 on ps ax.
What pid does ps ax show for those processes? Could it be that they
have the same pid as their parent process instead of a separate pid?

> cat /proc/<pid>/status reports that all 8 processes are either nautilus or
> evolution, sleeping.
> I guess it is just a false positive for chkrootkit. I've only been running
> Debian for the last month or so, so I'm pretty green on Debian.
> BTW, does anyone know how to set up guarddog to start whenever the
> machine is booting? On SuSE the firewall is automatically configured to
> start when the machine is booting.
> 
> Vanh
> 
> 
> 
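
The check Micha describes (compare what readdir on /proc and ps show with what the kernel answers for each pid, then read /proc/<pid>/status), written up as an added Python example; this is not chkrootkit's own code. It assumes a 2.6-style kernel, where each thread has its own pid that readdir on /proc and ps omit but kill(pid, 0) and /proc/<tid>/status answer, with Tgid naming the group leader, which is the assumed reason sleeping nautilus and evolution threads show up as "hidden".

```python
"""Added example (not chkrootkit's code): chkproc-style hidden-pid check that
explains each hit. Assumes a 2.6-style kernel: a thread has its own pid, is
missing from readdir(/proc) and ps, answers kill(), and its Tgid is its leader."""
import os
import subprocess

def procfs_pids():
    """Pids visible to readdir on /proc (chkrootkit's `readdir' view)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def ps_pids():
    """Pids visible to ps (chkrootkit's `ps' view)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(p) for p in out.split()}

def probed_pids(max_pid=32768):
    """Pids that answer kill(pid, 0); EPERM still means the pid exists."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found

def parse_status(text):
    """/proc/<pid>/status as a dict (Name, State, Tgid, Pid, PPid, ...)."""
    return {k: v.strip() for k, _, v in
            (line.partition(":") for line in text.splitlines()) if k}

def classify_hidden(probed, visible, read_status):
    """Tag each pid that kill() sees but `visible` lacks: thread or not."""
    report = []
    for pid in sorted(probed - visible):
        st = parse_status(read_status(pid))
        tgid = int(st.get("Tgid", pid))
        benign = tgid != pid and tgid in visible
        verdict = ("thread of pid %d" % tgid) if benign else "UNEXPLAINED"
        report.append((pid, st.get("Name", "?"), verdict))
    return report

def scan():
    """Live check: everything kill() sees minus what readdir and ps see."""
    visible = procfs_pids() | ps_pids()
    return classify_hidden(probed_pids(), visible,
                           lambda pid: open("/proc/%d/status" % pid).read())
```

Running scan() on the box in question should tag each "hidden" pid as a thread of a visible nautilus or evolution process; anything tagged UNEXPLAINED is what deserves a closer look.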
